Struct aws_manager::kms::envelope::Manager
source · Expand description
Implements envelope encryption manager.
Fields§
§kms_manager: Manager§kms_key_id: StringImplementations§
source§impl Manager
impl Manager
sourcepub fn new(kms_manager: Manager, kms_key_id: String, aad_tag: String) -> Self
pub fn new(kms_manager: Manager, kms_key_id: String, aad_tag: String) -> Self
Creates a new envelope encryption manager.
sourcepub async fn seal_aes_256(&self, d: &[u8]) -> Result<Vec<u8>>
pub async fn seal_aes_256(&self, d: &[u8]) -> Result<Vec<u8>>
Envelope-encrypts the data using AWS KMS data-encryption key (DEK) and “AES_256_GCM” because kms:Encrypt can only encrypt 4 KiB.
The encrypted data are aligned as below: [ Nonce bytes “length” ][ DEK.ciphertext “length” ][ Nonce bytes ][ DEK.ciphertext ][ data ciphertext ]
ref. https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html
Examples found in repository?
src/kms/envelope.rs (line 327)
311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354
pub async fn seal_aes_256_file(
&self,
src_file: Arc<String>,
dst_file: Arc<String>,
) -> Result<()> {
log::info!("envelope-encrypting file {} to {}", src_file, dst_file);
let d = match fs::read(src_file.to_string()) {
Ok(d) => d,
Err(e) => {
return Err(Other {
message: format!("failed read {:?}", e),
is_retryable: false,
});
}
};
let ciphertext = match self.seal_aes_256(&d).await {
Ok(d) => d,
Err(e) => {
return Err(e);
}
};
let mut f = match File::create(dst_file.to_string()) {
Ok(f) => f,
Err(e) => {
return Err(Other {
message: format!("failed File::create {:?}", e),
is_retryable: false,
});
}
};
match f.write_all(&ciphertext) {
Ok(_) => {}
Err(e) => {
return Err(Other {
message: format!("failed File::write_all {:?}", e),
is_retryable: false,
});
}
};
Ok(())
}sourcepub async fn unseal_aes_256(&self, d: &[u8]) -> Result<Vec<u8>>
pub async fn unseal_aes_256(&self, d: &[u8]) -> Result<Vec<u8>>
Envelope-decrypts using KMS DEK and “AES_256_GCM”.
Assume the input (ciphertext) data are packed in the order of: [ Nonce bytes “length” ][ DEK.ciphertext “length” ][ Nonce bytes ][ DEK.ciphertext ][ data ciphertext ]
ref. https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html ref. https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html
Examples found in repository?
src/kms/envelope.rs (line 373)
357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400
pub async fn unseal_aes_256_file(
&self,
src_file: Arc<String>,
dst_file: Arc<String>,
) -> Result<()> {
log::info!("envelope-decrypting file {} to {}", src_file, dst_file);
let d = match fs::read(src_file.to_string()) {
Ok(d) => d,
Err(e) => {
return Err(Other {
message: format!("failed read {:?}", e),
is_retryable: false,
});
}
};
let plaintext = match self.unseal_aes_256(&d).await {
Ok(d) => d,
Err(e) => {
return Err(e);
}
};
let mut f = match File::create(dst_file.to_string()) {
Ok(f) => f,
Err(e) => {
return Err(Other {
message: format!("failed File::create {:?}", e),
is_retryable: false,
});
}
};
match f.write_all(&plaintext) {
Ok(_) => {}
Err(e) => {
return Err(Other {
message: format!("failed File::write_all {:?}", e),
is_retryable: false,
});
}
};
Ok(())
}sourcepub async fn seal_aes_256_file(
&self,
src_file: Arc<String>,
dst_file: Arc<String>
) -> Result<()>
pub async fn seal_aes_256_file(
&self,
src_file: Arc<String>,
dst_file: Arc<String>
) -> Result<()>
Envelope-encrypts data from a file and save the ciphertext to the other file.
“If a single piece of data must be accessible from more than one task concurrently, then it must be shared using synchronization primitives such as Arc.” ref. https://tokio.rs/tokio/tutorial/spawning
Examples found in repository?
src/kms/envelope.rs (line 418)
405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469
pub async fn compress_seal(&self, src_file: Arc<String>, dst_file: Arc<String>) -> Result<()> {
log::info!("compress-seal: compressing the file '{}'", src_file);
let compressed_path = random_manager::tmp_path(10, None).unwrap();
compress_manager::pack_file(&src_file.to_string(), &compressed_path, Encoder::Zstd(3))
.map_err(|e| Other {
message: format!("failed compression {}", e),
is_retryable: false,
})?;
log::info!(
"compress-seal: sealing the compressed file '{}'",
compressed_path
);
self.seal_aes_256_file(Arc::new(compressed_path), dst_file.clone())
.await
}
/// Reverse of "compress_seal".
/// The decompression uses "zstd".
/// The decryption uses AES 256.
pub async fn unseal_decompress(
&self,
src_file: Arc<String>,
dst_file: Arc<String>,
) -> Result<()> {
log::info!(
"unseal-decompress: unsealing the encrypted file '{}'",
src_file.as_ref()
);
let unsealed_path = random_manager::tmp_path(10, None).unwrap();
self.unseal_aes_256_file(src_file.clone(), Arc::new(unsealed_path.clone()))
.await?;
log::info!(
"unseal-decompress: decompressing the file '{}'",
src_file.as_ref()
);
compress_manager::unpack_file(&unsealed_path, dst_file.as_ref(), Decoder::Zstd).map_err(
|e| Other {
message: format!("failed decompression {}", e),
is_retryable: false,
},
)
}
}
fn zero_vec(n: usize) -> Vec<u8> {
(0..n).map(|_| 0).collect()
}
pub async fn spawn_seal_aes_256_file<S>(envelope: Manager, src_file: S, dst_file: S) -> Result<()>
where
S: AsRef<str>,
{
let envelope_arc = Arc::new(envelope);
let src_file_arc = Arc::new(src_file.as_ref().to_string());
let dst_file_arc = Arc::new(dst_file.as_ref().to_string());
tokio::spawn(async move {
envelope_arc
.seal_aes_256_file(src_file_arc, dst_file_arc)
.await
})
.await
.expect("failed spawn await")
}sourcepub async fn unseal_aes_256_file(
&self,
src_file: Arc<String>,
dst_file: Arc<String>
) -> Result<()>
pub async fn unseal_aes_256_file(
&self,
src_file: Arc<String>,
dst_file: Arc<String>
) -> Result<()>
Envelope-decrypts data from a file and save the plaintext to the other file.
Examples found in repository?
src/kms/envelope.rs (line 435)
425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485
pub async fn unseal_decompress(
&self,
src_file: Arc<String>,
dst_file: Arc<String>,
) -> Result<()> {
log::info!(
"unseal-decompress: unsealing the encrypted file '{}'",
src_file.as_ref()
);
let unsealed_path = random_manager::tmp_path(10, None).unwrap();
self.unseal_aes_256_file(src_file.clone(), Arc::new(unsealed_path.clone()))
.await?;
log::info!(
"unseal-decompress: decompressing the file '{}'",
src_file.as_ref()
);
compress_manager::unpack_file(&unsealed_path, dst_file.as_ref(), Decoder::Zstd).map_err(
|e| Other {
message: format!("failed decompression {}", e),
is_retryable: false,
},
)
}
}
fn zero_vec(n: usize) -> Vec<u8> {
(0..n).map(|_| 0).collect()
}
pub async fn spawn_seal_aes_256_file<S>(envelope: Manager, src_file: S, dst_file: S) -> Result<()>
where
S: AsRef<str>,
{
let envelope_arc = Arc::new(envelope);
let src_file_arc = Arc::new(src_file.as_ref().to_string());
let dst_file_arc = Arc::new(dst_file.as_ref().to_string());
tokio::spawn(async move {
envelope_arc
.seal_aes_256_file(src_file_arc, dst_file_arc)
.await
})
.await
.expect("failed spawn await")
}
pub async fn spawn_unseal_aes_256_file<S>(envelope: Manager, src_file: S, dst_file: S) -> Result<()>
where
S: AsRef<str>,
{
let envelope_arc = Arc::new(envelope);
let src_file_arc = Arc::new(src_file.as_ref().to_string());
let dst_file_arc = Arc::new(dst_file.as_ref().to_string());
tokio::spawn(async move {
envelope_arc
.unseal_aes_256_file(src_file_arc, dst_file_arc)
.await
})
.await
.expect("failed spawn await")
}sourcepub async fn compress_seal(
&self,
src_file: Arc<String>,
dst_file: Arc<String>
) -> Result<()>
pub async fn compress_seal(
&self,
src_file: Arc<String>,
dst_file: Arc<String>
) -> Result<()>
Compresses the source file (“src_file”) and envelope-encrypts to “dst_file”. The compression uses “zstd”. The encryption uses AES 256.
Examples found in repository?
More examples
src/s3.rs (lines 463-466)
449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484
pub async fn compress_seal_put_object(
&self,
envelope_manager: Arc<envelope::Manager>,
source_file_path: Arc<String>,
s3_bucket: Arc<String>,
s3_key: Arc<String>,
) -> Result<()> {
log::info!(
"compress-seal-put-object: compress and seal '{}'",
source_file_path.as_str()
);
let tmp_compressed_sealed_path = random_manager::tmp_path(10, None).unwrap();
envelope_manager
.compress_seal(
source_file_path.clone(),
Arc::new(tmp_compressed_sealed_path.clone()),
)
.await?;
log::info!(
"compress-seal-put-object: upload object '{}'",
tmp_compressed_sealed_path
);
self.put_object(
Arc::new(tmp_compressed_sealed_path.clone()),
s3_bucket.clone(),
s3_key.clone(),
)
.await?;
fs::remove_file(tmp_compressed_sealed_path).map_err(|e| API {
message: format!("failed remove_file tmp_compressed_sealed_path: {}", e),
is_retryable: false,
})
}sourcepub async fn unseal_decompress(
&self,
src_file: Arc<String>,
dst_file: Arc<String>
) -> Result<()>
pub async fn unseal_decompress(
&self,
src_file: Arc<String>,
dst_file: Arc<String>
) -> Result<()>
Reverse of “compress_seal”. The decompression uses “zstd”. The decryption uses AES 256.
Examples found in repository?
src/kms/envelope.rs (line 508)
499 500 501 502 503 504 505 506 507 508 509 510 511 512 513
pub async fn spawn_unseal_decompress<S>(envelope: Manager, src_file: S, dst_file: S) -> Result<()>
where
S: AsRef<str>,
{
let envelope_arc = Arc::new(envelope);
let src_file_arc = Arc::new(src_file.as_ref().to_string());
let dst_file_arc = Arc::new(dst_file.as_ref().to_string());
tokio::spawn(async move {
envelope_arc
.unseal_decompress(src_file_arc, dst_file_arc)
.await
})
.await
.expect("failed spawn await")
}More examples
src/s3.rs (lines 513-516)
487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523
pub async fn get_object_unseal_decompress(
&self,
envelope_manager: Arc<envelope::Manager>,
s3_bucket: Arc<String>,
s3_key: Arc<String>,
download_file_path: Arc<String>,
) -> Result<()> {
log::info!(
"get-object-unseal-decompress: downloading object {}/{}",
s3_bucket.as_str(),
s3_key.as_str()
);
let tmp_downloaded_path = random_manager::tmp_path(10, None).unwrap();
self.get_object(
s3_bucket.clone(),
s3_key.clone(),
Arc::new(tmp_downloaded_path.clone()),
)
.await?;
log::info!(
"get-object-unseal-decompress: unseal and decompress '{}'",
tmp_downloaded_path
);
envelope_manager
.unseal_decompress(
Arc::new(tmp_downloaded_path.clone()),
download_file_path.clone(),
)
.await?;
fs::remove_file(tmp_downloaded_path).map_err(|e| API {
message: format!("failed remove_file tmp_downloaded_path: {}", e),
is_retryable: false,
})
}