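// Secrets and key management (KMS and Vault): implementation guide and
// operational best practices.
//
// Overview: a central KMS/Vault keeps key exposure minimal, rotates keys
// automatically and issues credentials on demand, which reduces the risk of
// leaks and of long-lived credentials.

// --- Envelope encryption -------------------------------------------------

import { randomBytes, createCipheriv, createDecipheriv } from 'crypto'

/** AES-256-GCM output; every field is base64url-encoded. */
type CipherText = { iv: string; tag: string; data: string }

/** Key length required by AES-256. */
const DATA_KEY_BYTES = 32
/** GCM nonce length (96 bits, the length recommended for GCM). */
const GCM_IV_BYTES = 12
/** Full-length GCM authentication tag; shorter tags weaken integrity. */
const GCM_TAG_BYTES = 16

/**
 * Rejects keys of the wrong size with a clear message instead of letting
 * the cipher constructor fail with a generic "Invalid key length".
 *
 * @throws RangeError when `dataKey` is not exactly 32 bytes.
 */
function assertDataKey(dataKey: Buffer): void {
  if (dataKey.length !== DATA_KEY_BYTES) {
    throw new RangeError(`data key must be ${DATA_KEY_BYTES} bytes, got ${dataKey.length}`)
  }
}

/**
 * Encrypts `plain` with a (short-lived) data key using AES-256-GCM.
 *
 * The data key itself is expected to be wrapped by the KMS master key and
 * stored alongside the ciphertext; this function never sees the master key.
 *
 * @param plain   bytes to protect
 * @param dataKey 32-byte AES key issued for this envelope
 * @param aad     optional additional authenticated data (e.g. an encryption
 *                context such as tenant or record id); it is not stored and
 *                must be supplied again to `decryptWithDataKey`
 * @returns iv, tag and ciphertext, each base64url-encoded
 * @throws RangeError when the key length is wrong
 */
function encryptWithDataKey(plain: Buffer, dataKey: Buffer, aad?: Buffer): CipherText {
  assertDataKey(dataKey)
  // A fresh random nonce per message: reusing (key, iv) under GCM breaks both
  // confidentiality and integrity.
  const iv = randomBytes(GCM_IV_BYTES)
  const cipher = createCipheriv('aes-256-gcm', dataKey, iv, { authTagLength: GCM_TAG_BYTES })
  if (aad) cipher.setAAD(aad)
  const body = Buffer.concat([cipher.update(plain), cipher.final()])
  return {
    iv: iv.toString('base64url'),
    tag: cipher.getAuthTag().toString('base64url'),
    data: body.toString('base64url'),
  }
}

/**
 * Decrypts a `CipherText` produced by `encryptWithDataKey`.
 *
 * @param ct      iv, tag and ciphertext, base64url-encoded
 * @param dataKey the same 32-byte data key used for encryption
 * @param aad     the same additional authenticated data used for encryption,
 *                if any
 * @returns the plaintext bytes
 * @throws RangeError when the key, iv or tag has the wrong length
 * @throws Error when authentication fails (tampered ciphertext, wrong key
 *               or mismatched AAD); no plaintext is returned in that case
 */
function decryptWithDataKey(ct: CipherText, dataKey: Buffer, aad?: Buffer): Buffer {
  assertDataKey(dataKey)
  const iv = Buffer.from(ct.iv, 'base64url')
  const tag = Buffer.from(ct.tag, 'base64url')
  const data = Buffer.from(ct.data, 'base64url')
  if (iv.length !== GCM_IV_BYTES) {
    throw new RangeError(`iv must be ${GCM_IV_BYTES} bytes, got ${iv.length}`)
  }
  // Pinning the tag length stops a truncated tag from being accepted.
  if (tag.length !== GCM_TAG_BYTES) {
    throw new RangeError(`auth tag must be ${GCM_TAG_BYTES} bytes, got ${tag.length}`)
  }
  const decipher = createDecipheriv('aes-256-gcm', dataKey, iv, { authTagLength: GCM_TAG_BYTES })
  if (aad) decipher.setAAD(aad)
  decipher.setAuthTag(tag)
  // update() yields bytes before verification; final() throws on a bad tag,
  // so the partial output is never handed back to the caller.
  return Buffer.concat([decipher.update(data), decipher.final()])
}

// --- Dynamic credentials with TTL ---------------------------------------

/** A secret value with an absolute expiry time (ms since the epoch). */
class SecretLease {
  value: string
  expiresAt: number

  /**
   * @param value the secret material
   * @param ttlMs lifetime from now; zero or negative yields an already
   *              expired lease
   */
  constructor(value: string, ttlMs: number) {
    this.value = value
    this.expiresAt = Date.now() + ttlMs
  }

  /** True while the lease has not yet expired. */
  valid(): boolean {
    return Date.now() < this.expiresAt
  }
}

/**
 * Caches leased secrets by key and re-fetches them once they expire.
 *
 * Concurrent misses for the same key share a single in-flight fetch, so a
 * burst of callers does not cause the backend to issue several leases of
 * which only the last would be tracked (and later revoked).
 */
class SecretCache {
  store = new Map<string, SecretLease>()
  /** Fetches currently in progress, keyed like `store`. */
  private pending = new Map<string, Promise<string>>()

  /**
   * Returns the cached value for `key`, or obtains a new lease via `fetcher`.
   *
   * @param key     cache key (e.g. the Vault path or credential name)
   * @param fetcher obtains a fresh value and its TTL from the secret backend
   * @returns the secret value
   * @throws whatever `fetcher` rejects with; nothing is cached in that case
   */
  async get(key: string, fetcher: () => Promise<{ value: string; ttlMs: number }>): Promise<string> {
    const cur = this.store.get(key)
    if (cur && cur.valid()) return cur.value

    const inflight = this.pending.get(key)
    if (inflight) return inflight

    const fetching = (async () => {
      try {
        const next = await fetcher()
        const lease = new SecretLease(next.value, next.ttlMs)
        this.store.set(key, lease)
        return lease.value
      } finally {
        // Clear regardless of outcome so a failed fetch can be retried.
        this.pending.delete(key)
      }
    })()
    this.pending.set(key, fetching)
    return fetching
  }
}

// --- Rotation and audit --------------------------------------------------
// - Keep the master key in the KMS/HSM; the application only handles
//   short-lived data keys.
// - Issue database and cloud credentials dynamically through Vault, with the
//   shortest practical TTL and automatic revocation.
// - Record audit events for fetch, decrypt and rotation operations, and keep
//   their visibility to a minimum.
//
// In typical web and microservice environments this gives a low-exposure,
// auditable secrets-management setup.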
