dugout 0.1.3

A local secrets manager for development teams, written in Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99

//! Cryptographic operations.
//!
//! Provides encryption/decryption abstraction and implementations.
//! Supports multiple backends: age (default), AWS KMS, GCP KMS, and GPG.
//!
//! ## Backends
//!
//! - **age**: Default, always available. Uses x25519 public-key encryption.
//! - **AWS KMS**: Feature-gated (`aws`). Uses AWS Key Management Service.
//! - **GCP KMS**: Feature-gated (`gcp`). Uses Google Cloud KMS via gcloud CLI.
//! - **GPG**: Feature-gated (`gpg`). Uses GnuPG via gpg CLI.
//!
//! ## Adding a New Backend
//!
//! 1. Implement the `Cipher` trait
//! 2. Add the implementation in a new file (e.g., `kms.rs`, `gpg.rs`)
//! 3. Feature-gate if appropriate
//! 4. Re-export from this module

use crate::error::Result;
use ::age::x25519;

mod age;
mod backend;

#[cfg(feature = "aws")]
pub mod aws;

#[cfg(feature = "gcp")]
pub mod gcp;

#[cfg(feature = "gpg")]
pub mod gpg;

pub use age::{parse_recipient, Age};
pub use backend::CipherBackend;

/// Cryptographic backend trait
///
/// Abstracts encryption and decryption operations to support
/// multiple cryptographic backends (age, KMS, GPG, etc.).
///
/// Recipients are backend-specific:
/// - age: public keys (age1...)
/// - AWS KMS: key ARNs or IDs
/// - GCP KMS: resource names (projects/.../cryptoKeys/...)
/// - GPG: key fingerprints or email addresses
pub trait Cipher {
    /// Type representing a recipient public key
    type Recipient;

    /// Type representing a private identity/key
    type Identity;

    /// Encrypt plaintext for multiple recipients
    ///
    /// # Errors
    ///
    /// Returns `CipherError` if encryption fails.
    fn encrypt(&self, plaintext: &str, recipients: &[Self::Recipient]) -> Result<String>;

    /// Decrypt an encrypted string using a private identity
    ///
    /// # Errors
    ///
    /// Returns `CipherError` if decryption fails.
    fn decrypt(&self, encrypted: &str, identity: &Self::Identity) -> Result<String>;

    /// Backend name for display/config
    #[allow(dead_code)]
    fn name(&self) -> &'static str;
}

// Re-export commonly used age types for convenience (used by internal modules)
#[allow(unused_imports)]
pub use ::age::x25519::{Identity, Recipient};

// Convenience functions using the default age backend
/// Encrypt plaintext for multiple age recipients
///
/// Convenience wrapper around `Age::encrypt`.
///
/// # Errors
///
/// Returns `CipherError` if encryption fails.
pub fn encrypt(plaintext: &str, recipients: &[x25519::Recipient]) -> Result<String> {
    Age.encrypt(plaintext, recipients)
}

/// Decrypt an age-encrypted string using a private identity
///
/// Convenience wrapper around `Age::decrypt`.
///
/// # Errors
///
/// Returns `CipherError` if decryption fails or the key doesn't match.
pub fn decrypt(encrypted: &str, identity: &x25519::Identity) -> Result<String> {
    Age.decrypt(encrypted, identity)
}