/// <reference types="node" />
import { KMSClient } from '@aws-sdk/client-kms';
import { S3Client } from '@aws-sdk/client-s3';
import { EncryptDecrypt, EncryptedData, EncryptionParams, SecureStore, SecureVersion } from '@paradoxical-io/common-server';
import { Brand } from '@paradoxical-io/types';
import { Monitoring } from '../monitoring';
export type DEK = Brand<string, 'DataEncryptionKey'>;
/**
 * Encrypted params that are encrypted by KMS
 */
type DEKParams = Omit<EncryptionParams, 'key'> & {
    key: DEK;
};
export interface Envelope {
    params: DEKParams;
    payload: EncryptedData;
}
/**
 * SecureStore wraps envelope encryption for blobs in s3 with KMS keys.  It encrypts every payload
 * with a unique data encryption key, and wraps that key with a master KMS key (the key encryption key)
 */
export declare class S3SecureStore implements SecureStore {
    private readonly crypto;
    private readonly s3Bucket;
    private readonly s3;
    private readonly kmsKeyID;
    private readonly kms;
    private readonly logger;
    constructor({ kms, kmsKeyID, s3, s3Bucket, crypto, monitoring, }: {
        kms?: KMSClient;
        kmsKeyID: string;
        s3?: S3Client;
        s3Bucket: string;
        crypto?: EncryptDecrypt;
        monitoring?: Monitoring;
    });
    set(key: string, data: Buffer): Promise<void>;
    exists(key: string, version?: string): Promise<boolean>;
    remove(key: string): Promise<void>;
    get(key: string, version?: string): Promise<Buffer | undefined>;
    versions(key: string): Promise<SecureVersion[]>;
}
export {};
//# sourceMappingURL=secure.d.ts.map