机密与密钥管理(KMS与Vault)实施指南与运维最佳实践

概述

通过集中式KMS与Vault实现密钥最小暴露、自动轮转与按需发放,降低泄露与长期凭证风险。

信封加密

import { randomBytes, createCipheriv, createDecipheriv } from 'crypto'
/**
 * Serialised AES-256-GCM output: the IV, the authentication tag and the
 * ciphertext, each base64url-encoded so a record can be stored as plain text.
 */
type CipherText = {
  iv: string
  tag: string
  data: string
}
/**
 * Encrypts `plain` under a data key with AES-256-GCM.
 *
 * A fresh 12-byte random IV is drawn on every call, and the tag returned by
 * `getAuthTag()` (16 bytes, Node's GCM default) is what lets the decrypt side
 * detect any change to IV, tag or ciphertext. In an envelope-encryption
 * scheme the data key is normally per object, so the number of IVs drawn
 * under one key stays far below the limits GCM places on random nonces.
 *
 * @param plain   bytes to protect
 * @param dataKey 32-byte AES-256 key (e.g. a KMS-generated data key)
 * @returns the IV, tag and ciphertext, each base64url-encoded
 * @throws if Node rejects the key (wrong length for aes-256-gcm)
 */
function encryptWithDataKey(plain: Buffer, dataKey: Buffer): CipherText {
  const b64 = (bytes: Buffer): string => bytes.toString('base64url')
  const nonce = randomBytes(12)
  const gcm = createCipheriv('aes-256-gcm', dataKey, nonce)
  const chunks = [gcm.update(plain), gcm.final()]
  return {
    iv: b64(nonce),
    tag: b64(gcm.getAuthTag()),
    data: b64(Buffer.concat(chunks)),
  }
}
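/**
 * Decrypts and authenticates a record produced by `encryptWithDataKey`.
 *
 * The decipher is created with `authTagLength: 16`, so a record whose tag has
 * been shortened is rejected before any plaintext is produced. Without that
 * option Node accepts any GCM tag length it supports, which would let a
 * tampered record (e.g. one read back from shared storage) carry a truncated
 * tag and weaken the integrity check. The IV length is pinned to the 12 bytes
 * this module always writes, for the same reason.
 *
 * @param ct      base64url-encoded IV, tag and ciphertext
 * @param dataKey the 32-byte key the record was encrypted under
 * @returns the recovered plaintext
 * @throws Error if the IV is not 12 bytes; also if the tag is not 16 bytes, or
 *   if key, IV, tag and data do not match (surfaced by `decipher.final()`)
 */
function decryptWithDataKey(ct: CipherText, dataKey: Buffer): Buffer {
  const iv = Buffer.from(ct.iv, 'base64url')
  const tag = Buffer.from(ct.tag, 'base64url')
  const data = Buffer.from(ct.data, 'base64url')
  // Records written by encryptWithDataKey always carry a 12-byte IV.
  if (iv.length !== 12) {
    throw new Error('CipherText: IV must be 12 bytes')
  }
  // Pin the tag length: the default GCM decipher accepts any valid tag length.
  const decipher = createDecipheriv('aes-256-gcm', dataKey, iv, { authTagLength: 16 })
  decipher.setAuthTag(tag)
  return Buffer.concat([decipher.update(data), decipher.final()])
}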
/**
 * 动态凭证与TTL — a leased secret value paired with its absolute expiry time.
 *
 * The expiry is computed once, in the constructor, as `Date.now()` plus the
 * TTL; `valid()` re-reads the clock on every call, so a lease returned just
 * before `expiresAt` may already be unusable by the time it is presented.
 */
class SecretLease {
  value: string
  expiresAt: number

  /**
   * @param value the leased secret
   * @param ttlMs how long, from now, the lease may be used (ms)
   */
  constructor(value: string, ttlMs: number) {
    this.value = value
    this.expiresAt = Date.now() + ttlMs
  }

  /** True while the wall clock is strictly before `expiresAt`. */
  valid(): boolean {
    const now = Date.now()
    return now < this.expiresAt
  }
}
/**
 * Caches leased secrets by key and re-fetches only once a lease has expired.
 *
 * Each `get` that finds no usable lease makes exactly one `fetcher()` call;
 * overlapping misses for the same key are not coalesced, so each of them
 * reaches the backend. An expired entry is overwritten rather than deleted,
 * and a value stays in memory until it is replaced.
 */
class SecretCache {
  store = new Map<string, SecretLease>()

  /**
   * @param key     cache key (e.g. the secret's path)
   * @param fetcher obtains a fresh value and its TTL when no valid lease exists
   * @returns the leased secret value
   */
  async get(key: string, fetcher: () => Promise<{ value: string; ttlMs: number }>): Promise<string> {
    const cached = this.store.get(key)
    if (cached?.valid()) {
      return cached.value
    }
    const fresh = await fetcher()
    const renewed = new SecretLease(fresh.value, fresh.ttlMs)
    this.store.set(key, renewed)
    return renewed.value
  }
}
轮转与审计

将主密钥托管在KMS/HSM,应用侧仅使用短期数据密钥。
通过Vault动态发放数据库与云凭证,设置最短TTL与自动撤销。
记录获取、解密与轮转操作的审计事件,并最小化可见范围。

以上方案在常见Web与微服务环境中可实现低暴露与可审计的机密管理体系。
