fix: improved root kms encryption methods

backend/src/services/kms/kms-service.ts

@@ -208,20 +208,20 @@ export const kmsServiceFactory = ({
     return org.kmsDefaultKeyId;
   };
 
-  const encryptWithRootKey = async () => {
+  const encryptWithRootKey = () => {
     const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
-    return ({ plainText }: { plainText: Buffer }) => {
-      const encryptedPlainTextBlob = cipher.encrypt(plainText, ROOT_ENCRYPTION_KEY);
 
-      return Promise.resolve({ cipherTextBlob: encryptedPlainTextBlob });
+    return (plainTextBuffer: Buffer) => {
+      const encryptedBuffer = cipher.encrypt(plainTextBuffer, ROOT_ENCRYPTION_KEY);
+      return encryptedBuffer;
     };
   };
 
-  const decryptWithRootKey = async () => {
+  const decryptWithRootKey = () => {
     const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
-    return ({ cipherTextBlob }: { cipherTextBlob: Buffer }) => {
-      const decryptedBlob = cipher.decrypt(cipherTextBlob, ROOT_ENCRYPTION_KEY);
-      return Promise.resolve(decryptedBlob);
+
+    return (cipherTextBuffer: Buffer) => {
+      return cipher.decrypt(cipherTextBuffer, ROOT_ENCRYPTION_KEY);
     };
   };
 

backend/src/services/secret-sharing/secret-sharing-service.ts

@@ -65,11 +65,9 @@ export const secretSharingServiceFactory = ({
       throw new BadRequestError({ message: "Shared secret value too long" });
     }
 
-    const encryptWithRoot = await kmsService.encryptWithRootKey();
+    const encryptWithRoot = kmsService.encryptWithRootKey();
 
-    const encryptedSecret = await encryptWithRoot({
-      plainText: Buffer.from(secretValue)
-    });
+    const encryptedSecret = encryptWithRoot(Buffer.from(secretValue));
     const hashedHex = crypto.createHash("sha256").update(secretValue).digest("hex").substring(0, 13);
     const hashedPassword = password ? await bcrypt.hash(password, 10) : null;
 
@@ -77,10 +75,8 @@ export const secretSharingServiceFactory = ({
       iv: null,
       tag: null,
       encryptedValue: null,
-
-      encryptedSecret: encryptedSecret.cipherTextBlob,
+      encryptedSecret,
       hashedHex,
-
       name,
       password: hashedPassword,
       expiresAt: new Date(expiresAt),
@@ -117,10 +113,8 @@ export const secretSharingServiceFactory = ({
       throw new BadRequestError({ message: "Shared secret value too long" });
     }
 
-    const encryptWithRoot = await kmsService.encryptWithRootKey();
-    const encrypted = await encryptWithRoot({
-      plainText: Buffer.from(secretValue)
-    });
+    const encryptWithRoot = kmsService.encryptWithRootKey();
+    const encryptedSecret = encryptWithRoot(Buffer.from(secretValue));
 
     const hashedHex = crypto.createHash("sha256").update(secretValue).digest("hex").substring(0, 13);
     const hashedPassword = password ? await bcrypt.hash(password, 10) : null;
@@ -130,7 +124,7 @@ export const secretSharingServiceFactory = ({
       iv: null,
       tag: null,
       hashedHex,
-      encryptedSecret: encrypted.cipherTextBlob,
+      encryptedSecret,
 
       password: hashedPassword,
       expiresAt: new Date(expiresAt),
@@ -242,11 +236,8 @@ export const secretSharingServiceFactory = ({
     // If encryptedSecret is set, we know that this secret has been encrypted using KMS, and we can therefore do server-side decryption.
     let decryptedSecretValue: Buffer | undefined;
     if (sharedSecret.encryptedSecret) {
-      const decrypt = await kmsService.decryptWithRootKey();
-
-      decryptedSecretValue = await decrypt({
-        cipherTextBlob: sharedSecret.encryptedSecret
-      });
+      const decryptWithRoot = kmsService.decryptWithRootKey();
+      decryptedSecretValue = decryptWithRoot(sharedSecret.encryptedSecret);
     }
 
     // decrement when we are sure the user will view secret.

backend/src/services/slack/slack-service.ts

@@ -141,16 +141,14 @@ export const slackServiceFactory = ({
     let slackClientId = appCfg.WORKFLOW_SLACK_CLIENT_ID as string;
     let slackClientSecret = appCfg.WORKFLOW_SLACK_CLIENT_SECRET as string;
 
-    const decrypt = await kmsService.decryptWithRootKey();
+    const decrypt = kmsService.decryptWithRootKey();
 
     if (serverCfg.encryptedSlackClientId) {
-      slackClientId = (await decrypt({ cipherTextBlob: Buffer.from(serverCfg.encryptedSlackClientId) })).toString();
+      slackClientId = decrypt(Buffer.from(serverCfg.encryptedSlackClientId)).toString();
     }
 
     if (serverCfg.encryptedSlackClientSecret) {
-      slackClientSecret = (
-        await decrypt({ cipherTextBlob: Buffer.from(serverCfg.encryptedSlackClientSecret) })
-      ).toString();
+      slackClientSecret = decrypt(Buffer.from(serverCfg.encryptedSlackClientSecret)).toString();
     }
 
     if (!slackClientId || !slackClientSecret) {

backend/src/services/super-admin/super-admin-service.ts

@@ -122,20 +122,16 @@ export const superAdminServiceFactory = ({
       }
     }
 
-    const encryptWithRoot = await kmsService.encryptWithRootKey();
+    const encryptWithRoot = kmsService.encryptWithRootKey();
     if (data.slackClientId) {
-      const { cipherTextBlob: encryptedClientId } = await encryptWithRoot({
-        plainText: Buffer.from(data.slackClientId)
-      });
+      const encryptedClientId = encryptWithRoot(Buffer.from(data.slackClientId));
 
       updatedData.encryptedSlackClientId = encryptedClientId;
       updatedData.slackClientId = undefined;
     }
 
     if (data.slackClientSecret) {
-      const { cipherTextBlob: encryptedClientSecret } = await encryptWithRoot({
-        plainText: Buffer.from(data.slackClientSecret)
-      });
+      const encryptedClientSecret = encryptWithRoot(Buffer.from(data.slackClientSecret));
 
       updatedData.encryptedSlackClientSecret = encryptedClientSecret;
       updatedData.slackClientSecret = undefined;
@@ -270,14 +266,14 @@ export const superAdminServiceFactory = ({
     let clientId = "";
     let clientSecret = "";
 
-    const decrypt = await kmsService.decryptWithRootKey();
+    const decrypt = kmsService.decryptWithRootKey();
 
     if (serverCfg.encryptedSlackClientId) {
-      clientId = (await decrypt({ cipherTextBlob: serverCfg.encryptedSlackClientId })).toString();
+      clientId = decrypt(serverCfg.encryptedSlackClientId).toString();
     }
 
     if (serverCfg.encryptedSlackClientSecret) {
-      clientSecret = (await decrypt({ cipherTextBlob: serverCfg.encryptedSlackClientSecret })).toString();
+      clientSecret = decrypt(serverCfg.encryptedSlackClientSecret).toString();
     }
 
     return {