Trait EncryptionProvider 

pub trait EncryptionProvider:
    Send
    + Sync
    + UnwindSafe
    + RefUnwindSafe {
    // Required methods
    fn encrypt(&self, plaintext: &[u8]) -> Result<Vec<u8>>;
    fn max_overhead(&self) -> u32;
    fn decrypt(&self, ciphertext: &[u8]) -> Result<Vec<u8>>;

    // Provided methods
    fn encrypt_vec(&self, plaintext: Vec<u8>) -> Result<Vec<u8>> { ... }
    fn decrypt_vec(&self, ciphertext: Vec<u8>) -> Result<Vec<u8>> { ... }
}

Block encryption provider.

Implementors handle key management, nonce generation, and algorithm selection. The trait is object-safe so it can be stored as Arc<dyn EncryptionProvider>.

§Contract

  • encrypt must be deterministic in output format (but not value — nonces should be random or unique).
  • decrypt must accept the exact byte sequence returned by encrypt and recover the original plaintext.
  • Both methods must be safe to call concurrently from multiple threads.
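The contract above, together with the `max_overhead` bound and the tamper rejection documented for `decrypt`, can be turned into a conformance check for implementors. This is an added example, not code from the crate. Assumptions: the trait is mirrored locally with `String` errors and reduced supertraits, and `check_contract`, `Toy` and `mix` are hypothetical names, with `Toy` a constructed stand-in that is not real cryptography.

```rust
use std::{convert::TryInto, sync::atomic::{AtomicU64, Ordering}};
type Result<T> = std::result::Result<T, String>; // stand-in for the crate's Result
// Local mirror of the required methods (supertraits reduced to Send + Sync).
pub trait EncryptionProvider: Send + Sync {
    fn encrypt(&self, plaintext: &[u8]) -> Result<Vec<u8>>;
    fn max_overhead(&self) -> u32;
    fn decrypt(&self, ciphertext: &[u8]) -> Result<Vec<u8>>;
}
/// Checks the documented contract against one plaintext sample.
pub fn check_contract(p: &dyn EncryptionProvider, pt: &[u8]) -> Result<()> {
    let (a, b) = (p.encrypt(pt)?, p.encrypt(pt)?);
    if p.decrypt(&a)? != pt { return Err("round trip failed".into()); }
    if a.len() > pt.len() + p.max_overhead() as usize { return Err("overhead above max_overhead".into()); }
    if a == b { return Err("nonce reused: identical ciphertexts".into()); }
    for i in 0..a.len() { // nonce, body and tag bytes must all be authenticated
        let mut t = a.clone();
        t[i] ^= 1;
        if p.decrypt(&t).is_ok() { return Err(format!("tampered byte {i} accepted")); }
    }
    Ok(())
}

// Constructed toy provider: NOT real cryptography, it only exercises the checker.
// Layout: 8-byte counter nonce || XOR-masked body || 8-byte keyed checksum.
pub struct Toy { pub key: u64, pub ctr: AtomicU64, pub fresh_nonce: bool, pub verify: bool }
fn mix(x: u64) -> u64 { (x ^ (x >> 29)).wrapping_mul(0x9E37_79B9_7F4A_7C15) }
impl Toy {
    fn tag(&self, d: &[u8]) -> u64 { d.iter().fold(self.key, |h, &b| mix(h ^ b as u64)) }
    fn xor(&self, n: u64, d: &[u8]) -> Vec<u8> {
        d.iter().enumerate().map(|(i, &b)| b ^ mix(self.key ^ n ^ mix(i as u64)) as u8).collect()
    }
}
impl EncryptionProvider for Toy {
    fn encrypt(&self, pt: &[u8]) -> Result<Vec<u8>> {
        let n = if self.fresh_nonce { self.ctr.fetch_add(1, Ordering::Relaxed) } else { 0 };
        let mut out = n.to_le_bytes().to_vec();
        out.extend(self.xor(n, pt));
        let t = self.tag(&out);
        out.extend(t.to_le_bytes());
        Ok(out)
    }
    fn max_overhead(&self) -> u32 { 16 }
    fn decrypt(&self, ct: &[u8]) -> Result<Vec<u8>> {
        if ct.len() < 16 { return Err("too short".into()); }
        let (head, tag) = ct.split_at(ct.len() - 8);
        if self.verify && tag != self.tag(head).to_le_bytes() { return Err("bad tag".into()); }
        let n = u64::from_le_bytes(head[..8].try_into().unwrap());
        Ok(self.xor(n, &head[8..]))
    }
}
```

Setting `fresh_nonce` or `verify` to `false` on `Toy` reproduces the two failures the checker is meant to catch: a repeated nonce and an unauthenticated ciphertext.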

Required Methods§

fn encrypt(&self, plaintext: &[u8]) -> Result<Vec<u8>>

Encrypt plaintext, returning an opaque ciphertext blob.

The returned bytes may include a nonce/IV prefix and an authentication tag — the layout is provider-defined.

§Errors

Returns crate::Error::Encrypt if the encryption operation fails.

fn max_overhead(&self) -> u32

Maximum number of bytes that encryption adds to a plaintext payload.

Used by block I/O to account for encryption overhead in size validation. For AES-256-GCM this is 28 (12-byte nonce + 16-byte tag).

Returns u32 because block sizes are u32-bounded on disk.

fn decrypt(&self, ciphertext: &[u8]) -> Result<Vec<u8>>

Decrypt ciphertext previously produced by encrypt.

§Errors

Returns crate::Error::Decrypt if the ciphertext is invalid, tampered, or encrypted with a different key.

Provided Methods§

fn encrypt_vec(&self, plaintext: Vec<u8>) -> Result<Vec<u8>>

Encrypt an owned plaintext buffer, reusing its allocation when possible.

The default implementation delegates to encrypt. Providers may override this to avoid an extra allocation by prepending the nonce and appending the tag in-place.

§Errors

Returns crate::Error::Encrypt if the encryption operation fails.

fn decrypt_vec(&self, ciphertext: Vec<u8>) -> Result<Vec<u8>>

Decrypt an owned ciphertext buffer, reusing its allocation when possible.

The default implementation delegates to decrypt. Providers may override this to decrypt in-place, stripping the nonce prefix and tag suffix without a second allocation.

§Errors

Returns crate::Error::Decrypt if the ciphertext is invalid, tampered, or encrypted with a different key.

Implementors§