Encrypt plain text and 'decrypt' cipher text using encryption keys hosted at Amazon Web Services ('AWS') Key Management Service ('KMS'), on which see <https://aws.amazon.com/kms> for more information.
This is an R client to interact with the AWS Key Management Service, including wrapper functions around the KMS Java client to encrypt plain text and decrypt cipher text using Customer Master Keys stored in KMS.
The package is hosted on CRAN, so installation is as easy as:
But you can similarly easily install the most recent development version of the R package as well:
This R package relies on the jar files bundled with the AWR package.
Currently, only three basic, but very important features are supported:
```r
> kms_encrypt('alias/mykey', 'foobar')
"Base-64 encoded ciphertext"

> kms_decrypt('Base-64 encoded ciphertext')
"foobar"

> kms_generate_data_key('alias/mykey')
$cipher
"Base-64 encoded, encrypted data encryption key"

$key
"alias/mykey"

$text
"Base-64 encoded data encryption key"
```
Use envelope encryption. In short, you can:
kms_generate_data_key) and store it only in memory for the next 2 steps
sodium package or the AES function from the
A simple implementation:
```r
## let's say we want to encrypt the mtcars dataset stored in JSON
library(jsonlite)
data <- toJSON(mtcars)

## generate a 256-bit data encryption key (that's supported by digest::AES)
library(AWR.KMS)
key <- kms_generate_data_key('alias/mykey', byte = 32L)

## convert the JSON to raw so that we can use that with digest::AES
raw <- charToRaw(data)
## the text length must be a multiple of 16 bytes
raw <- c(raw, as.raw(rep(0, 16 - length(raw) %% 16)))

## encrypt the raw object with the new key + digest::AES
## the resulting text and the encrypted key can be stored on disk
library(digest)
aes <- AES(key$text)
base64_enc(aes$encrypt(raw))

## decrypt the above returned ciphertext using the decrypted key
rawToChar(aes$decrypt(base64_dec(...), raw = TRUE))
```
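The same envelope steps with authenticated encryption from the sodium package, so that a modified ciphertext fails to decrypt instead of yielding altered data (digest::AES defaults to ECB mode and has no integrity check). This is an added example, not code from the AWR.KMS package or its README. Assumptions: a locally generated stand-in replaces the `kms_generate_data_key` result so the code runs offline, the plaintext data key is taken to be a 32-byte raw vector, and `fake_kms_key`, `envelope_encrypt`, `envelope_decrypt` and `unwrap` are hypothetical names.

```r
library(sodium)    # data_encrypt()/data_decrypt(): XSalsa20-Poly1305 secretbox
library(jsonlite)  # toJSON(), fromJSON(), base64_enc(), base64_dec()

## Constructed stand-in for kms_generate_data_key('alias/mykey', byte = 32L);
## assumption: $text holds the 32 raw key bytes, $cipher the KMS-wrapped key
fake_kms_key <- list(cipher = 'constructed-wrapped-key',
                     key    = 'alias/mykey',
                     text   = random(32))

## Encrypt with the plaintext data key; only the wrapped key is kept
envelope_encrypt <- function(plain, key) {
  nonce <- random(24)  # fresh nonce for every message under the same key
  ct <- data_encrypt(charToRaw(plain), key$text, nonce)
  list(wrapped_key = key$cipher,
       nonce       = base64_enc(nonce),
       data        = base64_enc(ct))
}

## `unwrap` (hypothetical) turns the stored wrapped key back into raw key
## bytes; with a real key this is the KMS decrypt call
envelope_decrypt <- function(env, unwrap) {
  data_key <- unwrap(env$wrapped_key)
  pt <- data_decrypt(base64_dec(env$data), data_key, base64_dec(env$nonce))
  rawToChar(pt)
}

json <- as.character(toJSON(mtcars))
env  <- envelope_encrypt(json, fake_kms_key)
## env contains no plaintext key, so it can be written to disk as JSON
stored <- toJSON(env, auto_unbox = TRUE)

unwrap <- function(wrapped) fake_kms_key$text  # offline stand-in for KMS
restored <- envelope_decrypt(fromJSON(stored), unwrap)
stopifnot(identical(restored, json))

## Tampering with the stored ciphertext is detected (Poly1305 tag mismatch)
bad <- fromJSON(stored)
raw_ct <- base64_dec(bad$data)
raw_ct[20] <- xor(raw_ct[20], as.raw(1))
bad$data <- base64_enc(raw_ct)
tampered <- tryCatch(envelope_decrypt(bad, unwrap),
                     error = function(e) 'rejected')
stopifnot(identical(tampered, 'rejected'))
```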
Writing wrapper functions around the Java SDK is very easy. Please open a ticket on the feature request, or even better, submit a pull request :)
To be able to use this package, you need to have an AWS account and a KMS Encryption Key. If you do not have one already, you can register for free at Amazon and do 20K free requests per month, although keys do cost 1 USD per month.
Once you have an AWS account, make sure your default AWS Credentials are available via the DefaultAWSCredentialsProviderChain. In short, you either provide a default credential profiles file at ~/.aws/credentials, use the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables, or, if using AWR.KMS on AWS, rely on the EC2 instance profile credentials or ECS Task Role.