Sign Up for Free

RunKit +

Try any Node.js package right in your browser

This is a playground to test code. It runs a full Node.js environment and already has all of npm’s 400,000 packages pre-installed, including bragg-kms-decrypt with all npm packages installed. Try it out:

var braggKmsDecrypt = require("bragg-kms-decrypt")

This service is provided by RunKit and is not affiliated with npm, Inc or the package authors.

bragg-kms-decrypt v1.0.0

Bragg middleware to decrypt properties from the response object

bragg-kms-decrypt Build Status

Bragg middleware to decrypt properties from the response object

The aws-sdk is not a dependency and has to be installed separately. The reason for this is that the SDK is automatically available in AWS Lambda functions. This way, we reduce the size of the deployment package drastically.


$ npm install --save bragg-kms-decrypt


const app = require('bragg')();
const router = require('bragg-router')();
const decrypt = require('bragg-kms-decrypt');
const safeGuard = require('bragg-safe-guard');

const findUser = ctx => {
    ctx.body = {
        firstName: 'Foo',
        name: 'Bar',
        email: 'c560c4ee28bc35e21416e',
        __cipher: 'AQEDAHjWAoeHvrOIoPB+D9i61iyhfgDwsm1dEoL7qURAK8w=='

router.get('/user', findUser, decrypt(['email'], {encryptionContext: ['firstName', 'name']}));


// Prevent `__cipher` to be leaking outside the function

app.use(ctx => {
    //=> {firstName: 'Foo', name: 'Bar', email: ''}

exports.handler = app.listen();


decrypt(props, options)


Type: string[]

Properties of the body that should be decrypted.



Type: Array<string | object> object function

The properties or the object that should be used as encryption context. The encryption context is used to generate the cipher key and the same context should be used to decrypt it again.

Here are some examples for parsing the encryption context. Let's assume generate generates the encryption context for the provided input.

const input = {
    firstName: 'Foo',
    name: 'Bar'

generate(input, ['firstName', 'name']);
//=> {firstName: 'Foo', name: 'Bar'}

generate(input, ['firstName', 'name', {foo: 'bar'}]);
//=> {firstName: 'Foo', name: 'Bar', foo: 'bar'}

generate(input, {foo: 'bar'});
//=> {foo: 'bar}
EncryptionContext as a function

It's also possible to provide a function as encryptionContext. This function will be called with the Bragg context object and should return an array with strings and/or objects, or an object. You should use this when the encryption context depends on request parameters.

const calculate = ctx => {
    return [

router.get('/user', findUser, decrypt(['email'], {encryptionContext: calculate}));

Type: number
Default: 0

Milliseconds to cache the decrypted cipher key.


Type: string
Default: __cipher

Name of the property that holds the encrypted cipher key.


Type: string
Default: base64

Encoding type of the encrypted cipher key.


The middleware decrypts the data with jovi which uses AES-256-CTR to encrypt and decrypt data. The library generates an IV and a hash for the provided data and key. The key is the decrypted KMS cipher key of which the encrypted version should be stored per record.

The data is expected to be stored as a concatenation of the hex value of the IV and the hash. For instance, let's assume

const jovi = require('jovi');

// Decrypted with KMS
const key = '5a8b3aa11b6047c967ba7c66fd02b2f851c95da80e0218f0aa6088db50565753';

// Encrypt `unicorn` with the key
const ret = jovi.encrypt('unicorn', key);

const value = ret.iv.toString('hex') + ret.hash.toString('hex');
// => 6ca5fc8c1b0c9f2b4e549bbfb55dc63ca850c2919f862c

The value should be stored as the value of the property in the database together with the encrypted key. The middleware will extract the IV and the hash for you.


  • bragg - AWS λ web framework.
  • bragg-safe-guard - Prevents leaking information outside the bragg context.
  • jovi - Encrypt and decrypt data with AES-256-CTR.


MIT © Sam Verschueren


RunKit is a free, in-browser JavaScript dev environment for prototyping Node.js code, with every npm package installed. Sign up to share your code.
Sign Up for Free