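/*
 * Core value
 * ----------
 * Use the native Web Crypto API for high-performance symmetric encryption with
 * no third-party dependencies. Keys are derived with HKDF and combined with a
 * random IV and an authentication tag to improve overall security.
 *
 * Implementation
 * --------------
 */
export const runtime = 'edge'

// HKDF "info" label. It binds a derived key to one version and purpose, so a
// key derived for a different purpose or a later scheme version cannot be
// confused with this one.
const KEY_INFO = 'v1'

// AES-GCM IV size in bytes; encrypt() always emits this size.
const IV_BYTES = 12

// Per-message HKDF salt size in bytes.
const SALT_BYTES = 16

/** Shape of the JSON document produced by POST and accepted by PUT. */
type EncryptedPayload = { salt: string; iv: string; data: string }

/**
 * Reads the master secret from the environment instead of a literal in the
 * source, so the key never lands in the repository or the shipped bundle.
 * `MASTER_SECRET` is a constructed variable name; use whatever your deployment
 * or KMS integration provides.
 *
 * Payloads produced while the secret was hard-coded only decrypt if the
 * environment variable is set to that same value; re-encrypt them and rotate.
 *
 * @returns the configured secret, or `undefined` when it is missing or empty.
 */
function readMasterSecret(): string | undefined {
  const secret = process.env.MASTER_SECRET
  return secret ? secret : undefined
}

/** Builds a JSON error response that is never cached. */
function errorResponse(status: number, message: string): Response {
  return Response.json({ error: message }, { status, headers: { 'Cache-Control': 'no-store' } })
}

/** Runtime check that an untrusted JSON value has the three base64 string fields. */
function isEncryptedPayload(value: unknown): value is EncryptedPayload {
  if (typeof value !== 'object' || value === null) return false
  const candidate = value as Record<string, unknown>
  return (
    typeof candidate.salt === 'string' &&
    typeof candidate.iv === 'string' &&
    typeof candidate.data === 'string'
  )
}

/**
 * Derives a non-extractable AES-256-GCM key from the master secret with
 * HKDF-SHA-256.
 *
 * @param secret master secret (input keying material)
 * @param salt   HKDF salt; the routes below use a fresh random salt per message
 * @param info   context label separating key versions and purposes
 * @returns a key usable only for `encrypt` and `decrypt`
 */
async function hkdf(secret: string, salt: Uint8Array, info: string) {
  const enc = new TextEncoder()
  const ikm = await crypto.subtle.importKey('raw', enc.encode(secret), 'HKDF', false, ['deriveKey'])
  return crypto.subtle.deriveKey(
    { name: 'HKDF', hash: 'SHA-256', salt, info: enc.encode(info) },
    ikm,
    { name: 'AES-GCM', length: 256 },
    false,
    ['encrypt', 'decrypt']
  )
}

/**
 * Encrypts `plain` with AES-GCM under a fresh random 12-byte IV.
 *
 * @returns the IV and the ciphertext (authentication tag appended by Web
 *          Crypto), both base64-encoded
 */
async function encrypt(plain: Uint8Array, key: CryptoKey) {
  const iv = crypto.getRandomValues(new Uint8Array(IV_BYTES))
  const buf = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, plain)
  return { iv: Buffer.from(iv).toString('base64'), data: Buffer.from(buf).toString('base64') }
}

/**
 * Decrypts a payload produced by `encrypt`.
 *
 * @throws when the authentication tag does not verify (wrong key, tampered or
 *         truncated ciphertext); `crypto.subtle.decrypt` rejects in that case
 */
async function decrypt(payload: { iv: string; data: string }, key: CryptoKey) {
  const iv = Buffer.from(payload.iv, 'base64')
  const data = Buffer.from(payload.data, 'base64')
  const buf = await crypto.subtle.decrypt({ name: 'AES-GCM', iv: new Uint8Array(iv) }, key, new Uint8Array(data))
  return new Uint8Array(buf)
}

/**
 * Encrypts the raw request body and returns `{ salt, iv, data }` as JSON.
 *
 * NOTE(review): no caller authentication is visible in this listing. Gate this
 * route behind the application's authentication and authorization before
 * exposing it.
 */
export async function POST(req: Request) {
  const secret = readMasterSecret()
  // Fail closed: never fall back to a built-in key when configuration is missing.
  if (secret === undefined) return errorResponse(500, 'server misconfigured')

  const salt = crypto.getRandomValues(new Uint8Array(SALT_BYTES))
  const key = await hkdf(secret, salt, KEY_INFO)
  const body = new Uint8Array(await req.arrayBuffer())
  const enc = await encrypt(body, key)
  return Response.json(
    { salt: Buffer.from(salt).toString('base64'), ...enc },
    { headers: { 'Cache-Control': 'no-store' } }
  )
}

/**
 * Decrypts a `{ salt, iv, data }` JSON document and returns the plaintext bytes.
 *
 * The body is untrusted input: it is shape-checked before use, and every
 * rejection (bad JSON, wrong fields, wrong IV size, failed tag verification)
 * yields the same generic 400 so the response does not reveal which check
 * failed.
 *
 * NOTE(review): as written, any client that can reach this route can have
 * ciphertext decrypted with the master-derived key. Require authentication and
 * authorization in front of it.
 */
export async function PUT(req: Request) {
  const secret = readMasterSecret()
  if (secret === undefined) return errorResponse(500, 'server misconfigured')

  let json: unknown
  try {
    json = await req.json()
  } catch {
    return errorResponse(400, 'invalid payload')
  }
  if (!isEncryptedPayload(json)) return errorResponse(400, 'invalid payload')

  // encrypt() only ever issues 12-byte IVs, so anything else did not come from POST.
  if (Buffer.from(json.iv, 'base64').length !== IV_BYTES) return errorResponse(400, 'invalid payload')

  try {
    const salt = Buffer.from(json.salt, 'base64')
    const key = await hkdf(secret, new Uint8Array(salt), KEY_INFO)
    const dec = await decrypt({ iv: json.iv, data: json.data }, key)
    return new Response(dec, {
      headers: { 'Content-Type': 'application/octet-stream', 'Cache-Control': 'no-store' }
    })
  } catch {
    // Tag verification failed or the inputs were unusable; treat as a client error.
    return errorResponse(400, 'invalid payload')
  }
}

/*
 * Governance recommendations
 * --------------------------
 * Store the master key in a secure environment variable or a KMS; use the HKDF
 * info string to distinguish version and purpose. Use a 12-byte random IV; the
 * output carries salt/iv/data and is transmitted over HTTPS.
 *
 * Conclusion
 * ----------
 * Native Web Crypto on the Edge can deliver high-performance and secure
 * symmetric encryption. Combined with HKDF derivation and disciplined parameter
 * governance, it suits modern front-end security scenarios.
 */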
