Encryption with AWS (PART 2) — client-side

Photo by Goran Ivos on Unsplash

This post is the second and final of the series where we talk about Encryption.

We went over some encryption theory in the first post and introduced how Encryption works in AWS (server-side Encryption). In this post, we will go over client-side Encryption, which is the technique of encrypting data on the sender’s side before it’s sent to the server. That’s mainly your application. This kind of Encryption offers a high level of privacy as it eliminates the potential for data to be viewed by third parties your app is integrating with. For example, assume you are building a healthcare application that gathers patients data, and you would want to store that data in a database. Client-side Encryption transforms that data into cyphertext before having it sent, which helps protect it if it’s lost or unintentionally exposed, as that data would be unreadable to anyone without access to the key.

In the following section, we will build together in-browser encryption, where we ensure the data won’t leave the browser before it’s encrypted, which makes it visible as plain-text only to the end-user.

Building the app

Our app will gather data such as name and age, then submits it through a POST request to our backend. However, we will log the data to the browser console for this exercise instead of submitting a POST request. This would enable us to view the data before and after the Encryption.

We will use parceljs to bundle our front-end with minimal effort.

Front-end without Encryption

The following steps help setup the front-end:

• Globally install the parcel-bundler. Run npm i -g parcel-bundler in your terminal
• Initialise your project as an npm repository: npm init
• Install the AWS Encryption SDK for JavaScript: npm install @aws-crypto/client-browser
• Create a src/index.html and src/index.js files that would form our web app
• Run parcel index.html command in your terminal to start the app. Open http://localhost:1234 in your browser

Now we will implement the functionality:

• Build the HTML index file:

<html>
<body>
  <h1>Patient data</h1>
  <br />
  <form action="" method="post" id="user-form">
    <label>Name: </label>
    <input type="text" id="name" name="name" /><br /><br />
    <label>Age: </label>
    <input type="text" id="age" name="age" /><br /><br />
    <input type="submit" value="Submit" />
  </form>
<script src="./index.js"></script>
</body>
</html>

• Build the js that reads the data from the HTML form:

const name = document.getElementById('name');
const age = document.getElementById('age');
const userForm = document.getElementById('user-form');
userForm.addEventListener('submit', (e) => {
  e.preventDefault();
  console.log(name.value, age.value);
});

Up to this point, the data will be displayed in plain text.

Front-end with Encryption

In this section, we will use AWS KMS keyring to encrypt data using the AWS Encryption SDK for JS in the browser. Keyrings are used to perform envelope encryption ( Have a look at the first part of this post), where they generate, encrypt and decrypt data keys that will be used to encrypt the data in the browser.

First, we need to construct the keyring (requires a generator key and client provider), then use it to encrypt the plain text:

• Setup a client-provider — mainly your AWS credentials — DO NOT HARDCODE THE CREDENTIALS(this is only for demo purposes)
• Create the keyring
• Encrypt the data using the created keyring

The complete code would look as follows:

Have a look at your console and see how the name gets encrypted after submission.

By doing browser encryption, we ensure that sensitive data is protected before being passed to a third party such as the internet provider or even a library that our code uses.

I hope this was helpful and keen to hear your feedback.