Struct ZeroKMS

pub struct ZeroKMS<C: Credentials<Token = ServiceToken>, ClientKeyState = ()> { /* private fields */ }

Implementations

impl<C: Credentials<Token = ServiceToken>> ZeroKMS<C>

pub fn new( base_url: &Url, credentials: C, decryption_log_path: Option<&Path>, ) -> Self

Create a new instance of the ZeroKMS client.

In most cases it is prefered to use crate::config::ZeroKMSConfig::create_client instead of calling this manually.

pub fn new_with_client_key( base_url: &Url, credentials: C, decryption_log_path: Option<&Path>, client_key: ClientKey, ) -> ZeroKMSWithClientKey<C>

Create a new instance of the ZeroKMS client with a ClientKey.

In most cases it is prefered to use crate::config::ZeroKMSConfigWithClientKey::create_client instead of calling this manually.

impl<C: Credentials<Token = ServiceToken>, K> ZeroKMS<C, K>

pub fn log_decryptions(&self, records: &[EncryptedRecord], access_token: &str)

pub async fn create_dataset( &self, name: &str, description: &str, ) -> Result<Dataset, Error>

Create a Dataset in ZeroKMS used to encrypt data. The name and description are used to identify the dataset.

pub async fn grant_dataset( &self, client_id: Uuid, dataset_id: Uuid, ) -> Result<(), Error>

Grant a client with the given client_id access to a Dataset with an ID of dataset_id. For this to work, the client must already exist and have access to at least one dayaset.

If you are creating a new client, use Self::create_client instead. Note that the client and dataset must be in the same workspace.

pub async fn revoke_dataset( &self, client_id: Uuid, dataset_id: Uuid, ) -> Result<(), Error>

Revoke a Client with the given client_id access to the Dataset with dataset_id. If the client only has access to one dataset, this is the same as deleting the client.

pub async fn list_datasets(&self) -> Result<Vec<Dataset>, Error>

List all Datasets in ZeroKMS for the current workspace.

pub async fn enable_dataset(&self, dataset_id: Uuid) -> Result<(), Error>

Enable a Dataset by ID if it has been disabled.

pub async fn disable_dataset(&self, dataset_id: Uuid) -> Result<(), Error>

Disable a Dataset by ID.

A disabled dataset will deny all attempts to encrypt and decrypt data.

pub async fn modify_dataset( &self, dataset_id: Uuid, name: Option<&str>, description: Option<&str>, ) -> Result<(), Error>

Modify a Dataset by ID by setting a new name or description.

pub async fn create_client( &self, name: &str, description: &str, dataset_id: Uuid, ) -> Result<CreateClientResponse, Error>

Create a new client for the specified dataset.

Clients are required to generate and retrieve datasets key a specified dataset. Use the ClientKey returned by CreateClientResponse to create a ZeroKMSWithClientKey client that can encrypt and decrypt.

This ClientKey can not be retrieved again after creating the client. So it’s important to keep it somewhere safe.

ClientKey compromise

If you suspect that a ClientKey has been compromised, you should revoke the client and create a new one. See Self::revoke_client for more information.

Create vs Grant

If you are creating a new client, use this method. If you are granting access to an existing client, use Self::grant_dataset instead.

pub async fn list_clients(&self) -> Result<Vec<DatasetClient>, Error>

List clients for the current workspace in ZeroKMS.

pub async fn revoke_client( &self, client_id: Uuid, ) -> Result<RevokeClientResponse, Error>

Revoke a specific client by ID.

Once a client is revoked it can’t be used to generate or retrieve data keys. This method nullifies the ClientKey for the client. Even if an attacker has the ClientKey, they can’t use it to decrypt data.

impl<C: Credentials<Token = ServiceToken>> ZeroKMS<C, ClientKey>

pub async fn save_dataset_config( &self, config: DatasetConfig, ) -> Result<DatasetConfigWithIndexRootKey, Error>

Save a configuration file to the current dataset.

The DatasetConfig is used by Proxy to store index and column encryption configuration.

pub async fn load_dataset_config( &self, ) -> Result<DatasetConfigWithIndexRootKey, Error>

Retrieve the DatasetConfig for the current dataset.

pub async fn encrypt( &self, payloads: impl IntoIterator<Item = EncryptPayload<'_>>, dataset_id: Option<Uuid>, ) -> Result<Vec<EncryptedRecord>, Error>

Encrypt a stream of EncryptPayload and return them as an EncryptedRecord. Note that this only works when Self is a ZeroKMSWithClientKey client.

pub async fn encrypt_single( &self, payload: EncryptPayload<'_>, dataset_id: Option<Uuid>, ) -> Result<EncryptedRecord, Error>

Encrypt a single EncryptPayload. Note that this only works when Self is a ZeroKMSWithClientKey client.

pub async fn decrypt( &self, payloads: impl IntoIterator<Item = EncryptedRecord>, ) -> Result<Vec<Vec<u8>>, Error>

Decrypt a stream of EncryptedRecord and return the raw decrypted binary blob. Note that this only works when Self is a ZeroKMSWithClientKey client.

pub async fn decrypt_single( &self, payload: EncryptedRecord, ) -> Result<Vec<u8>, Error>

Decrypt a single EncryptedRecord. Note that this only works when Self is a ZeroKMSWithClientKey client.