aws-esdk

aws-esdk is a library for implementing client side encryption.


Keywords
client-side, cryptography, dynamodb, encryption, security
Licenses
ISC/CERN-OHL-P-2.0/ISC

Documentation

AWS Encryption SDK for Dafny

Build Status - master branch

The AWS Encryption SDK enables secure client-side encryption. It uses cryptography best practices to protect your data and protect the encryption keys that protect your data. Each data object is protected with a unique data encryption key, and the data encryption key is protected with a key encryption key called a wrapping key. The encryption method returns a single, portable encrypted message that contains the encrypted data and the encrypted data key, so you don't need to keep track of the data encryption keys for your data. You can use KMS keys in AWS Key Management Service (AWS KMS) as wrapping keys. The AWS Encryption SDK also provides APIs to define and use encryption keys from other key providers.

For more details about the design and architecture of the AWS Encryption SDK, see the AWS Encryption SDK Developer Guide.

📣 Note: This repository contains the source code and related files for the supported language implementations of the AWS Encryption SDK.

Security issue notifications

Building the AWS Encryption SDK for Dafny

To build, the AWS Encryption SDK requires the most up to date version of dafny on your PATH. In addition, this project uses the parallel verification tasks provided by the dafny.msbuild MSBuild plugin, and thus requires dotnet 3.0.

To run the dafny verifier across all files:

# Currently, test depends on src, so verifying test will also verify src
dotnet build -t:VerifyDafny test

The tests currently require native implementations of cryptographic primitives and other methods, so they can only be run when embedding this library into one of the compilation target languages supported by Dafny:

Generating Code from Smithy Model

To generate code from the Smithy models for either the AWS Encryption SDK or for any of its dependencies, you will need the Polymorph project set up locally.

To run the code generator, open any of the modules (e.g. AwsCryptographyPrimitives), then run:

 make polymorph_code_gen CODEGEN_CLI_ROOT=/[path]/[to]/smithy-dafny/codegen/smithy-dafny-codegen-cli

Transpiling Generated Code to a Runtime

The AWS Encryption SDK for Dafny must be transpiled to a runtime to be used. There is no Dafny runtime, so there is no concept of "running the AWS Encryption SDK for Dafny".

To transpile the generated code to a runtime, open the module AwsEncryptionSDK, then run:

For .NET

make transpile_net

For Rust

make transpile_rust

Generate Duvet Reports

This repo uses Duvet to directly document the specification alongside this implementation. Refer to the specification for how to install duvet in order to generate reports.

To generate a report for this AWS Encryption SDK for Dafny, run the following command:

make duvet

It will output if there is any missing coverage.

By default this will extract the spec to the compliance directory. If you only want to generate the report you can do so with the following:

make duvet_report
open specification_compliance_report.html

To view the report, look at the generated specification_compliance_report.html:

To install Duvet

cargo +stable install duvet

Supported Languages

  • .NET
  • Dafny
  • Rust

License

This library is licensed under the Apache 2.0 License.