A no_std crate for compile-time encrypted secrets.
This crate provides encrypted storage for sensitive data that is encrypted at compile time and only decrypted at runtime when accessed. This prevents secrets from appearing in plaintext in the final binary.
§Features
- Compile-time encryption: Secrets are encrypted during compilation
- Multiple algorithms: XOR (simple, fast) and RC4 (stream cipher)
- Drop strategies: Control what happens to decrypted data on drop:
  - Zeroize: Overwrites memory with zeros
  - ReEncrypt: Re-encrypts the data
  - NoOp: Leaves data unchanged
- Thread-safe: Sync implementation allows concurrent access
- no_std compatible: Works in embedded environments
§Examples
§XOR Algorithm
XOR is the simplest and fastest algorithm. It uses a single-byte key:
```rust
use const_secret::{
    Encrypted, StringLiteral,
    // NoOp is assumed to be exported from drop_strategy alongside Zeroize
    drop_strategy::{NoOp, Zeroize},
    xor::{ReEncrypt, Xor},
};

// Zeroize on drop (safest - clears memory)
const SECRET_ZEROIZE: Encrypted<Xor<0xAA, Zeroize>, StringLiteral, 5> =
    Encrypted::<Xor<0xAA, Zeroize>, StringLiteral, 5>::new(*b"hello");

// Re-encrypt on drop (good for frequently accessed secrets)
const SECRET_REENCRYPT: Encrypted<Xor<0xBB, ReEncrypt<0xBB>>, StringLiteral, 6> =
    Encrypted::<Xor<0xBB, ReEncrypt<0xBB>>, StringLiteral, 6>::new(*b"secret");

// No-op on drop (fastest, but leaves data in memory)
const SECRET_NOOP: Encrypted<Xor<0xCC, NoOp>, StringLiteral, 4> =
    Encrypted::<Xor<0xCC, NoOp>, StringLiteral, 4>::new(*b"test");
```
§RC4 Algorithm
RC4 is a stream cipher with variable-length keys (1-256 bytes). Note: RC4 is cryptographically broken; use only for basic obfuscation:
```rust
use const_secret::{
    Encrypted, StringLiteral,
    drop_strategy::Zeroize,
    rc4::{ReEncrypt, Rc4},
};

const KEY: [u8; 16] = *b"my-secret-key-16";

// RC4 with zeroize drop strategy
const RC4_SECRET: Encrypted<Rc4<16, Zeroize<[u8; 16]>>, StringLiteral, 6> =
    Encrypted::<Rc4<16, Zeroize<[u8; 16]>>, StringLiteral, 6>::new(*b"rc4sec", KEY);

// RC4 with re-encrypt drop strategy
const RC4_REENCRYPT: Encrypted<Rc4<16, ReEncrypt<16>>, StringLiteral, 8> =
    Encrypted::<Rc4<16, ReEncrypt<16>>, StringLiteral, 8>::new(*b"rc4data!", KEY);
```
§Usage Modes
§StringLiteral Mode
For UTF-8 string data. Returns &str on dereference:
```rust
use const_secret::{
    Encrypted, StringLiteral,
    drop_strategy::Zeroize,
    xor::Xor,
};

const API_KEY: Encrypted<Xor<0xAA, Zeroize>, StringLiteral, 34> =
    Encrypted::<Xor<0xAA, Zeroize>, StringLiteral, 34>::new(
        *b"sk-live-1234567890abcdefghijklmnop"
    );

fn main() {
    let key: &str = &*API_KEY;
    assert_eq!(key, "sk-live-1234567890abcdefghijklmnop");
}
```
§ByteArray Mode
For binary data. Returns &[u8; N] on dereference:
```rust
use const_secret::{
    Encrypted, ByteArray,
    drop_strategy::Zeroize,
    xor::Xor,
};

const BINARY_SECRET: Encrypted<Xor<0xBB, Zeroize>, ByteArray, 16> =
    Encrypted::<Xor<0xBB, Zeroize>, ByteArray, 16>::new([
        0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
        0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10,
    ]);

fn main() {
    let data: &[u8; 16] = &*BINARY_SECRET;
    assert_eq!(data[0], 0x01);
}
```
§Choosing an Algorithm
| Algorithm | Speed | Security | Use Case |
|---|---|---|---|
| XOR | Fast | Basic | Simple obfuscation, speed critical |
| RC4 | Medium | Broken | Variable key length, slightly better obfuscation |
§Drop Strategies
| Strategy | Behavior on Drop | Best For |
|---|---|---|
| Zeroize | Overwrites with zeros | Maximum security |
| ReEncrypt | Re-encrypts data | If you prefer the residue to remain encrypted after using |
| NoOp | Leaves unchanged | Performance critical, non-sensitive |
§Architecture
The crate uses a type-level architecture:
- Algorithm: Trait defining encryption algorithm and associated data
- Encrypted<A, M, N>: Main struct holding encrypted data
- DropStrategy: Trait for handling drop behavior
- Mode markers: StringLiteral and ByteArray
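A simplified, self-contained sketch of the pattern this architecture describes, added here as an illustration and not taken from the crate's source: a `const fn` XORs the secret inside a `const` item so only ciphertext is stored, and a guard wipes the decrypted copy on drop. `xor_bytes`, `Obfuscated`, `Revealed` and `TOKEN` are hypothetical names, and unlike the crate this sketch decrypts into a separate buffer rather than in place.

```rust
use std::ptr::write_volatile;
use std::sync::atomic::{compiler_fence, Ordering};

/// XOR each byte with `key`. Being a `const fn`, it can run inside a `const` item.
pub const fn xor_bytes<const N: usize>(mut data: [u8; N], key: u8) -> [u8; N] {
    let mut i = 0;
    while i < N {
        data[i] = data[i] ^ key;
        i += 1;
    }
    data
}

/// Hypothetical stand-in for the crate's `Encrypted`: stores ciphertext only.
pub struct Obfuscated<const KEY: u8, const N: usize>([u8; N]);

impl<const KEY: u8, const N: usize> Obfuscated<KEY, N> {
    pub const fn new(plain: [u8; N]) -> Self { Self(xor_bytes(plain, KEY)) }
    /// The bytes that actually end up in the compiled binary.
    pub fn ciphertext(&self) -> &[u8; N] { &self.0 }
    /// Decrypts into a separate buffer that is wiped when the guard drops.
    pub fn reveal(&self) -> Revealed<N> { Revealed(xor_bytes(self.0, KEY)) }
}

/// Plaintext guard implementing the "zeroize on drop" behaviour.
pub struct Revealed<const N: usize>([u8; N]);

impl<const N: usize> Revealed<N> {
    pub fn bytes(&self) -> &[u8; N] { &self.0 }
    /// Volatile writes keep the optimizer from eliding the wipe as a dead store.
    pub fn wipe(&mut self) {
        for b in self.0.iter_mut() {
            unsafe { write_volatile(b, 0) };
        }
        compiler_fence(Ordering::SeqCst);
    }
}

impl<const N: usize> Drop for Revealed<N> {
    fn drop(&mut self) { self.wipe(); }
}

// Constructed sample secret; KEY is a const generic, so it is compiled into the code too.
pub const TOKEN: Obfuscated<0xAA, 5> = Obfuscated::new(*b"hello");

fn main() {
    assert_eq!(TOKEN.reveal().bytes(), b"hello");
}
```

Because the key is compiled in next to the ciphertext, this keeps the literal out of a plain string scan of the binary and nothing more, which matches the "Basic" rating in the algorithm table.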
Modules§
- align: Alignment wrapper types for forcing specific memory alignment.
- drop_strategy: Drop strategies for handling encrypted data when it goes out of scope.
- rc4: RC4 stream cipher algorithm implementation.
- xor: XOR encryption algorithm implementation.
Structs§
- ByteArray: Mode marker type indicating the encrypted data should be treated as a byte array.
- Encrypted: An encrypted container that holds data encrypted at compile time.
- StringLiteral: Mode marker type indicating the encrypted data should be treated as a UTF-8 string literal.
Traits§
- Algorithm: A trait that defines an encryption algorithm and its associated types.