Feature request: Add support to bring custom encryption provider in DataMasking utility
Use case
Currently, the DataMasking utility only supports the AWS Encryption SDK as its encryption provider. Some customers want an alternative: to bring their own providers and leverage existing mechanisms to encrypt/decrypt their data.
Solution/User Experience
Add support to bring external encrypt/decrypt providers.
Alternative solutions
No response
Acknowledgment
- [X] This feature request meets Powertools for AWS Lambda (Python) Tenets
- [ ] Should this be considered in other Powertools for AWS Lambda languages? i.e. Java, TypeScript, and .NET
Hello @heitorlessa and @seshubaws! The AWS Encryption SDK allows you to bring your own RSA/AES keys and encrypt/decrypt data with them. We don't have to worry about creating our own implementation of a provider and dealing with things like caching, wrapping the key into a data key, and so on. Another idea was to create a base class for a provider and allow clients to bring in their own providers, but that's quite difficult for most clients. I don't see a customer writing a provider on top of Powertools with complex logic; most of the customers who could do this already have such an implementation in place, I think.
We can create an implementation on top of RawMasterKeyProvider with a good developer experience. I have code working in my local environment; we should schedule a meeting for next week, and we can go through it and discuss ideas.
Thanks
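As an added worked example (not Powertools code, not the local prototype mentioned in the comment above, and not part of this thread), here is the pattern the comment refers to: a RawMasterKeyProvider subclass that lets the AWS Encryption SDK wrap its per-message data key under a caller-supplied AES-256 key, plus a decrypt path that checks the authenticated encryption context before trusting the result. The SDK classes and identifiers are the real aws-encryption-sdk (Python) ones; StaticAesKeyProvider, register_key, mask, unmask, the key id and the sample field value are assumptions made up for illustration.

```python
import os

# Import guarded only so this module still loads where the SDK is not installed;
# every function below needs it (pip install aws-encryption-sdk).
try:
    import aws_encryption_sdk
    from aws_encryption_sdk.exceptions import AWSEncryptionSDKClientError, InvalidKeyIdError
    from aws_encryption_sdk.identifiers import CommitmentPolicy, EncryptionKeyType, WrappingAlgorithm
    from aws_encryption_sdk.internal.crypto.wrapping_keys import WrappingKey
    from aws_encryption_sdk.key_providers.raw import RawMasterKeyProvider
    SDK_AVAILABLE = True
except ImportError:
    SDK_AVAILABLE = False
    RawMasterKeyProvider = object  # placeholder base so the class below can still be defined


def _as_bytes(key_id):
    """The SDK hands key ids to the provider as bytes on decrypt; normalise so lookups match."""
    return key_id if isinstance(key_id, bytes) else str(key_id).encode("utf-8")


class StaticAesKeyProvider(RawMasterKeyProvider):
    """Master key provider backed by caller-supplied 256-bit AES wrapping keys (assumed name).

    The SDK generates a fresh data key per message, encrypts the field with it, and asks
    this provider only to wrap/unwrap that data key under the named key id.
    """

    provider_id = "static-aes"  # written into every message header; must match on decrypt

    def __init__(self, **kwargs):  # keyword-only: MasterKeyProvider.__new__ accepts **kwargs only
        self._keys = {}

    def register_key(self, key_id, key_bytes):
        """Register a wrapping key; in practice it comes from KMS/a secret store, not from code."""
        if len(key_bytes) != 32:
            raise ValueError("AES-256 wrapping key must be exactly 32 bytes")
        self._keys[_as_bytes(key_id)] = key_bytes

    def _get_raw_key(self, key_id):
        try:
            key_bytes = self._keys[_as_bytes(key_id)]
        except KeyError:
            # Tell the SDK this provider cannot serve the key id, so decryption fails closed
            # instead of silently materialising some other key.
            raise InvalidKeyIdError(f"no wrapping key registered for {key_id!r}")
        return WrappingKey(
            wrapping_algorithm=WrappingAlgorithm.AES_256_GCM_IV12_TAG16_NO_PADDING,
            wrapping_key=key_bytes,
            wrapping_key_type=EncryptionKeyType.SYMMETRIC,
        )


def _client():
    # Key commitment on both sides: a ciphertext can only ever decrypt to one plaintext.
    return aws_encryption_sdk.EncryptionSDKClient(
        commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
    )


def mask(provider, key_id, value, context):
    """Encrypt ``value`` (bytes) under a data key wrapped with ``key_id``.

    ``context`` (str -> str) is authenticated additional data: it travels in clear in the
    header, and any tampering with it makes decryption fail.
    """
    provider.add_master_key(key_id)
    ciphertext, _header = _client().encrypt(source=value, key_provider=provider, encryption_context=context)
    return ciphertext


def unmask(provider, ciphertext, expected_context):
    """Decrypt, then verify the authenticated context is the one the caller expects.

    Without this check a ciphertext produced for another field or tenant (but under a key
    this provider holds) would be accepted silently.
    """
    plaintext, header = _client().decrypt(source=ciphertext, key_provider=provider)
    for name, value in expected_context.items():
        if header.encryption_context.get(name) != value:
            raise ValueError(f"encryption context mismatch on {name!r}")
    return plaintext


# Constructed demos below: the key, key id and field value are made up for this example.
CTX = {"purpose": "data-masking", "field": "email"}


def demo_round_trip():
    provider = StaticAesKeyProvider()
    provider.register_key("pii-key-2024", os.urandom(32))
    return unmask(provider, mask(provider, "pii-key-2024", b"alice@example.com", CTX), CTX)


def demo_context_mismatch():
    """Same key, different expected context -> refused; returns True when refused."""
    provider = StaticAesKeyProvider()
    provider.register_key("pii-key-2024", os.urandom(32))
    blob = mask(provider, "pii-key-2024", b"alice@example.com", CTX)
    try:
        unmask(provider, blob, {"purpose": "data-masking", "field": "ssn"})
    except ValueError:
        return True
    return False


def demo_unknown_key():
    """A provider that does not hold the wrapping key cannot unmask; returns True when refused."""
    producer = StaticAesKeyProvider()
    producer.register_key("pii-key-2024", os.urandom(32))
    blob = mask(producer, "pii-key-2024", b"alice@example.com", CTX)
    try:
        unmask(StaticAesKeyProvider(), blob, CTX)  # empty provider: no key registered
    except (AWSEncryptionSDKClientError, InvalidKeyIdError):
        return True
    return False
```

The provider never sees the field plaintext: the SDK does the envelope encryption and caching the comment mentions, and the custom class only answers "which wrapping key belongs to this key id". The context check in unmask is the part most bring-your-own-key integrations forget; the SDK authenticates the context, but it is the caller's job to compare it against what this decrypt site is allowed to see.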