Skip to main content

Crate cortexai_encryption

Crate cortexai_encryption 

Source
Expand description

At-rest encryption for sensitive data in cortex.

This crate provides encryption primitives for protecting sessions, checkpoints, and other sensitive data at rest. It supports:

  • AES-256-GCM authenticated encryption (default)
  • ChaCha20-Poly1305 authenticated encryption (optional)
  • Argon2id password-based key derivation
  • Key rotation via versioned keys and envelope encryption
  • Secure memory handling with automatic zeroing

§Quick Start

use cortexai_encryption::{EncryptionKey, EnvelopeEncryptor, DataEncryptor};

// Generate a random 256-bit key
let key = EncryptionKey::generate(32);

// Create an encryptor
let encryptor = EnvelopeEncryptor::new(key);

// Encrypt structured data
let secret = serde_json::json!({"user": "alice", "token": "secret123"});
let ciphertext = encryptor.encrypt_data(&secret).unwrap();

// Decrypt
let decrypted: serde_json::Value = encryptor.decrypt_data(&ciphertext).unwrap();
assert_eq!(secret, decrypted);

§Key Derivation

For password-based encryption:

use cortexai_encryption::{Argon2KeyDerivation, KeyDerivation, EnvelopeEncryptor};

let kdf = Argon2KeyDerivation::new();
let salt = kdf.generate_salt(16);
let key = kdf.derive_encryption_key(b"user-password", &salt, 32).unwrap();

let encryptor = EnvelopeEncryptor::new(key);

§Key Rotation

use cortexai_encryption::{EncryptionKey, EnvelopeEncryptor};

let key1 = EncryptionKey::generate(32);
let mut encryptor = EnvelopeEncryptor::new(key1);

// Encrypt with v1
let ciphertext = encryptor.encrypt(b"secret", None).unwrap();

// Rotate to v2
let key2 = EncryptionKey::generate(32);
encryptor.rotate_key(key2);

// Old ciphertext still decrypts (key v1 retained)
let plaintext = encryptor.decrypt(&ciphertext, None).unwrap();

// Re-encrypt with new key
let new_ciphertext = encryptor.re_encrypt(&ciphertext, None).unwrap();

§Store Wrappers

For encrypting session and checkpoint stores:

use cortexai_encryption::{EncryptedSessionStore, EncryptedCheckpointStore};

// Wrap existing stores with encryption
let encrypted_sessions = EncryptedSessionStore::new(session_store, encryptor.clone());
let encrypted_checkpoints = EncryptedCheckpointStore::new(checkpoint_store, encryptor);

Re-exports§

pub use error::CryptoError;
pub use error::CryptoResult;
pub use key::Argon2KeyDerivation;
pub use key::EncryptionKey;
pub use key::KeyRing;
pub use key::VersionedKey;
pub use traits::Cipher;
pub use traits::DataEncryptor;
pub use traits::KeyDerivation;
pub use aes_cipher::Aes256GcmCipher;
pub use envelope::EnvelopeEncryptor;
pub use stores::EncryptedCheckpointStore;
pub use stores::EncryptedSessionStore;

Modules§

aes_cipher
AES-256-GCM authenticated encryption implementation.
envelope
Envelope encryption with key versioning support.
error
Error types for encryption operations.
key
Encryption key management and derivation.
stores
Encrypted store wrappers for sessions and checkpoints.
traits
Core traits for encryption operations.