Crate cipherstash_client

§CipherStash Client SDK

The CipherStash SDK is the main way of interacting with CipherStash services. It includes clients for talking to ZeroKMS, CipherStash Token Service (CTS) and the services used to power Audit.

It also contains all the indexing and encryption logic used in CipherStash products.

§Getting Started

To get started, add the cipherstash-client dependency to your Cargo.toml:

[dependencies]
cipherstash-client = "0.34.0"

§Creating a ZeroKMS Client

Use ZeroKMSBuilder to create a new ZeroKMS client. With this you can:

  • Manage keysets, config and clients
  • Encrypt and decrypt data

use cipherstash_client::zerokms::ZeroKMSBuilder;

#[tokio::main]
async fn main() {
    // Detect available credentials automatically, then build the client.
    let client = ZeroKMSBuilder::auto()
        .expect("failed to detect credentials")
        .build()
        .expect("failed to build client");

    // Create a keyset from a name and a human-readable description.
    let keyset = client.create_keyset("users", "A keyset used to encrypt my users' information")
        .await
        .expect("failed to create keyset");
}

§Creating a CTS Client

Use CtsClient to manage access keys and identity tokens:

use cipherstash_client::{CtsClient, Region, WorkspaceId};
use cts_common::claims::Role;
use stack_auth::{AccessKey, AccessKeyStrategy};

#[tokio::main]
async fn main() {
    let region = Region::aws("ap-southeast-2").unwrap();
    // Placeholder access key. Load the real value from configuration or a
    // secret store rather than embedding it in source code.
    let key: AccessKey = "CSAKmyKeyId.myKeySecret".parse().unwrap();
    let strategy = AccessKeyStrategy::new(region, key).unwrap();
    let client = CtsClient::new(strategy);

    // The new access key is scoped to this workspace and given the Admin role.
    let workspace_id = WorkspaceId::try_from("E4UMRN47WJNSMAKR").expect("Valid ID");
    let access_key = client.create_access_key("Test Access Key", workspace_id, Role::Admin)
        .await
        .expect("failed to create access key");
}
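
The WorkspaceId passed to the CTS client above is described in this crate's docs as a 10-byte random string formatted in base32. The block below is an added example, not code from the crate or its documentation: a standalone check that rejects malformed IDs before they reach configuration or an API call. `decode_workspace_id` and `WorkspaceIdError` are hypothetical names, and the RFC 4648 uppercase alphabet without padding is an assumption based on the sample ID shown on this page.

```rust
/// Reasons a candidate workspace ID is rejected (hypothetical type).
#[derive(Debug, PartialEq)]
pub enum WorkspaceIdError {
    BadLength(usize),
    BadChar(char),
}

// Assumption: RFC 4648 base32 alphabet, uppercase only, no padding.
const ALPHABET: &[u8; 32] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

/// Decodes a 16-character base32 string into its 10 raw bytes.
pub fn decode_workspace_id(s: &str) -> Result<[u8; 10], WorkspaceIdError> {
    // 10 bytes = 80 bits = 16 symbols of 5 bits each, so no padding occurs.
    let n = s.chars().count();
    if n != 16 {
        return Err(WorkspaceIdError::BadLength(n));
    }
    let mut out = [0u8; 10];
    let (mut acc, mut bits, mut i) = (0u32, 0u32, 0usize);
    for c in s.chars() {
        let v = ALPHABET
            .iter()
            .position(|&a| a as char == c)
            .ok_or(WorkspaceIdError::BadChar(c))?;
        // Shift in 5 bits per symbol and emit a byte whenever 8 are buffered.
        acc = (acc << 5) | v as u32;
        bits += 5;
        if bits >= 8 {
            bits -= 8;
            out[i] = (acc >> bits) as u8;
            acc &= (1 << bits) - 1;
            i += 1;
        }
    }
    Ok(out)
}

fn main() {
    // Sample ID taken from the CTS example on this page.
    match decode_workspace_id("E4UMRN47WJNSMAKR") {
        Ok(bytes) => println!("valid workspace ID, raw bytes: {:02x?}", bytes),
        Err(e) => println!("rejected: {:?}", e),
    }
    // Constructed invalid inputs: lowercase text and a truncated ID.
    println!("{:?}", decode_workspace_id("e4umrn47wjnsmakr"));
    println!("{:?}", decode_workspace_id("E4UMRN47"));
}
```
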

Re-exports§

pub use cts_client::CTSClient;
pub use cts_client::CtsClient;
pub use cts_client::CtsClientError;
pub use zerokms::EnvKeyProvider;
pub use zerokms::FallbackKeyProvider;
pub use zerokms::KeyProvider;
pub use zerokms::KeyProviderError;
pub use zerokms::StaticKeyProvider;
pub use zerokms::WithKeyProvider;
pub use zerokms::ZeroKMS;
pub use zerokms_protocol::cipherstash_config as schema;

Modules§

config
Module for structs used to configure various internal service clients.
credentials
Module for credential providers for various internal services.
cts_client
Module for the CipherStash Token Service client library
ejsonpath
ejsonpath is a parser and evaluator for a subset of JSONPath.
encryption
Module for CipherStash encryption schemes and indexers
eql
Types for representing EQL payloads, and encryption/decryption functions.
logger_client
Module for interacting with the CipherStash Logging and Audit API.
management
Module for the client library for managing customer hosted resources
reqwest_client
Module with a reusable reqwest client with built in retry and tracing logic
zerokms
The zerokms module provides a client for interacting with the ZeroKMS service.

Structs§

AutoStrategyBuilder
Builder for configuring credential resolution before calling detect().
Crn
Represents CRNs (CipherStash Resource Names)
Name
The unique name of a resource (within some scope: e.g. a workspace).
SecretToken
A sensitive token string that is zeroized on drop and hidden from debug output.
ServiceToken
A CipherStash service token returned by an AuthStrategy.
UnverifiedContext
A loose, schema‑free context map that can carry scalars, arrays, and nested maps.
WorkspaceId
A unique identifier for a workspace. Workspace IDs are 10-byte random strings formatted in base32.

Enums§

AuthError
Errors that can occur during an authentication flow.
AutoStrategy
An AuthStrategy that automatically detects available credentials and delegates to the appropriate inner strategy.
AwsRegion
IdentifiedBy
A UUID or textual name that can uniquely identify a resource. Whereas a UUID is a global identifier, a name is not implied to be globally unique, only unique within some implied scope: e.g. a workspace.
Region
Defines the region of a CipherStash service. A region in CipherStash is defined by the region identifier and the provider separated by a dot. For example, us-west-2.aws is a valid region identifier and refers to the AWS region us-west-2.
RegionError
UnverifiedContextValue
Any JSON value we need to handle.

Traits§

AuthStrategy
A strategy for obtaining access tokens.