mongoose-vault
==================
Simple encryption plugin for Mongoose, using the transit backend from HashiCorp's Vault (Encryption as a Service) (API).
Heavily inspired by the mongoose-encryption plugin.
Before You Get Started
Read the Security Notes below.
Encryption is only supported on fields of type String. Please file a feature request if you want support for more types.
Key Name
The scope of the encryption key can be `per_collection`, `per_document` or completely static. Vault will create a new key if the specified name does not exist.
Searches on encrypted fields
To enable searches on encrypted fields, we can enable Vault's `convergent_encryption` on the keys used. This only works within the subset of data that is encrypted with the same key, e.g. `keyName: per_collection` will work, `keyName: per_document` will not.
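An added illustration (not code from mongoose-vault or Vault) of why a search only works within one key. It simulates convergent encryption locally with Node's `crypto`, using a simplified deterministic AES-GCM rather than Vault's own construction, and the key names `users` and `users/<_id>` are hypothetical.

```javascript
const crypto = require('crypto');

// Local stand-in for Vault transit keys: one random 256-bit key per key name.
const keys = new Map();
function keyFor(keyName) {
  if (!keys.has(keyName)) keys.set(keyName, crypto.randomBytes(32));
  return keys.get(keyName);
}

// Simplified deterministic AES-256-GCM (not Vault's construction): the nonce is
// an HMAC of the plaintext, so equal plaintexts under one key encrypt identically.
function convergentEncrypt(keyName, plaintext) {
  const key = keyFor(keyName);
  const nonce = crypto.createHmac('sha256', key).update(plaintext).digest().subarray(0, 12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, body, cipher.getAuthTag()]).toString('base64');
}

// Constructed sample documents; two of them share the same email.
const docs = [
  { _id: 'a1', email: 'alice@example.com' },
  { _id: 'b2', email: 'bob@example.com' },
  { _id: 'c3', email: 'alice@example.com' },
];

// Encrypt every document's email under the key name chosen by keyNameOf(doc).
function store(keyNameOf) {
  return docs.map((d) => ({ _id: d._id, email: convergentEncrypt(keyNameOf(d), d.email) }));
}

// Equality search as a database would run it: encrypt the term once, compare ciphertexts.
function find(stored, keyName, term) {
  const needle = convergentEncrypt(keyName, term);
  return stored.filter((d) => d.email === needle).map((d) => d._id);
}

const perCollection = store(() => 'users');          // hypothetical key names
const perDocument = store((d) => `users/${d._id}`);

console.log(find(perCollection, 'users', 'alice@example.com'));  // both alice documents
console.log(find(perDocument, 'users/a1', 'alice@example.com')); // only a1; c3 is missed
// Trade-off: anyone who can read the collection sees which rows hold equal values.
console.log(perCollection[0].email === perCollection[2].email);
```

The last line is the cost of searchability: with a shared convergent key, equal plaintexts are visible as equal ciphertexts to anyone with read access to the database.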
Installation
```sh
npm install mongoose-vault
```
Basic
By default, all fields are encrypted except for `_id`, `__v`, and fields with indexes.
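```js
var mongoose = require('mongoose');
var encrypt = require('mongoose-vault');
var nodeVault = require('node-vault');

var userSchema = new mongoose.Schema({
  name: String,
  age: Number
  // whatever else
});

// register the encryption plugin on the schema
userSchema.plugin(encrypt);

var User = mongoose.model('User', userSchema);

// Initialize the vault
let vault = nodeVault({ /* endpoint, token */ });

// connect vault to the model
User

// Create transit backend in vault
vault

User...
```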
Development and Testing
Setup Hashicorp Vault and Mongo
```sh
docker run --rm --cap-add=IPC_LOCK -e 'VAULT_DEV_ROOT_TOKEN_ID=insecureRootTestingToken' -p8200:8200 vault
docker run --rm -p27017:27017 mongo
```
Security Issue Reporting / Disclaimer
None of the authors are security experts. We relied on accepted tools and practices, and tried hard to make this tool solid and well-tested, but nobody's perfect. Please look over the code carefully before using it (and note the legal disclaimer below). If you find or suspect any security-related issues, please email us and we will get right on it. For non-security-related issues, please open a GitHub issue or pull request.

Copyright @ mongoose-encryption