Struct Manager

pub struct Manager<'k> {
    pub kms_manager: &'k Manager,
    pub kms_key_id: String,
    /* private fields */
}

Implements envelope encryption manager.

Fields

kms_manager: &'k Manager

kms_key_id: String

Implementations

impl<'k> Manager<'k>

pub fn new( kms_manager: &'k Manager, kms_key_id: String, aad_tag: String, ) -> Self

Creates a new envelope encryption manager.

pub async fn seal_aes_256(&self, d: &[u8]) -> Result<Vec<u8>>

Envelope-encrypts the data using AWS KMS data-encryption key (DEK) and “AES_256_GCM” because kms:Encrypt can only encrypt 4 KiB.

The encrypted data are aligned as below: [ Nonce bytes “length” ][ DEK.ciphertext “length” ][ Nonce bytes ][ DEK.ciphertext ][ data ciphertext ]

ref. https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html

pub async fn unseal_aes_256(&self, d: &[u8]) -> Result<Vec<u8>>

Envelope-decrypts using KMS DEK and “AES_256_GCM”.

Assume the input (ciphertext) data are packed in the order of: [ Nonce bytes “length” ][ DEK.ciphertext “length” ][ Nonce bytes ][ DEK.ciphertext ][ data ciphertext ]

ref. https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html ref. https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html

pub async fn seal_aes_256_file( &self, src_file: &str, dst_file: &str, ) -> Result<()>

Envelope-encrypts data from a file and save the ciphertext to the other file.

“If a single piece of data must be accessible from more than one task concurrently, then it must be shared using synchronization primitives such as Arc.” ref. https://tokio.rs/tokio/tutorial/spawning

pub async fn unseal_aes_256_file( &self, src_file: &str, dst_file: &str, ) -> Result<()>

Envelope-decrypts data from a file and save the plaintext to the other file.

pub async fn compress_seal(&self, src_file: &str, dst_file: &str) -> Result<()>

Compresses the source file (“src_file”) and envelope-encrypts to “dst_file”. The compression uses “zstd”. The encryption uses AES 256.

pub async fn unseal_decompress( &self, src_file: &str, dst_file: &str, ) -> Result<()>

Reverse of “compress_seal”. The decompression uses “zstd”. The decryption uses AES 256.

pub async fn compress_seal_put_object( &self, s3_manager: &Manager, source_file_path: &str, s3_bucket: &str, s3_key: &str, ) -> Result<()>

Compresses the file, encrypts, and uploads to S3.

pub async fn get_object_unseal_decompress( &self, s3_manager: &Manager, s3_bucket: &str, s3_key: &str, download_file_path: &str, overwrite: bool, ) -> Result<()>

Reverse of “compress_seal_put_object”.

Trait Implementations

impl<'k> Clone for Manager<'k>

fn clone(&self) -> Manager<'k>

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.