@eqxjs/azure-manage-identity
Version:
For get Azure keyvault secret
36 lines • 1.85 kB
JavaScript
;
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.encryptData = encryptData;
const keyvault_keys_1 = require("@azure/keyvault-keys");
const confidential_mgnt_1 = require("../confidential.mgnt");
const secret_get_1 = require("../secret/secret.get");
const base64url_1 = __importDefault(require("base64url"));
const node_buffer_1 = require("node:buffer");
/**
* Encrypts a plaintext payload using an Azure Key Vault key (A256CBC) and returns
* the result as a base64url-encoded string.
* The initialization vector is read from a Key Vault secret.
*
* @param keyURL - The URL of the Azure Key Vault instance
* @param keyName - The name of the key to use for encryption
* @param payload - The plaintext string to encrypt
* @param ivSecretName - The name of the secret containing the initialization vector
* @returns A promise resolving to the base64url-encoded ciphertext
*/
async function encryptData(keyURL, keyName, payload, ivSecretName) {
const credential = new confidential_mgnt_1.MyClientAssertionCredential();
const keysClient = new keyvault_keys_1.KeyClient(keyURL, credential);
const vaultKey = await keysClient.getKey(keyName);
const secret = await (0, secret_get_1.getSecret)(keyURL, ivSecretName);
const cryptographyClient = new keyvault_keys_1.CryptographyClient(vaultKey, credential);
const result = await cryptographyClient.encrypt({
algorithm: 'A256CBC',
plaintext: node_buffer_1.Buffer.from(payload),
iv: secret.value ? node_buffer_1.Buffer.from(secret.value) : undefined,
});
return base64url_1.default.encode(node_buffer_1.Buffer.from(result.result));
}
//# sourceMappingURL=key.encrypt.js.map