# keycrypt

AES-256-GCM encryption helpers backed by the OS keychain.

`keycrypt` stores a 32-byte master key in the system keychain (via `keyring`) and uses it to
encrypt/decrypt data with `AES-256-GCM`. The key is auto-initialized on first encryption,
and decryption never auto-initializes (it fails if the key is missing).

## Features

- **AES-256-GCM** with a fresh random 12-byte nonce per encryption
- **OS keychain** storage for the master key (no `.env` key required)
- **Safe-ish key handling**: in-memory keys are held in `Zeroizing<[u8; 32]>`
- **Authenticated encryption**: ciphertext includes the GCM authentication tag
- **Stable format**:
  - Current: `v1:nonce_b64:ciphertext_b64`
  - Legacy accepted: `nonce_b64:ciphertext_b64`
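
A pre-decryption sanity check for the two envelope formats listed above, as an added example that is not keycrypt's own code. The names `parse_envelope`, `Envelope`, `EnvelopeError` and `b64_decode` are hypothetical, and the standard base64 alphabet and a 16-byte GCM tag are assumptions the README does not state.

```rust
// Added example (not keycrypt's code). Assumed: standard base64, 16-byte GCM tag.
#[derive(Debug, PartialEq)]
pub enum EnvelopeError { UnknownVersion, FieldCount, Base64, NonceLen, TooShort }
#[derive(Debug, PartialEq)]
pub struct Envelope { pub legacy: bool, pub nonce: [u8; 12], pub ct_and_tag: Vec<u8> }

// Hypothetical helper: lenient about `=` padding, strict about the alphabet.
fn b64_decode(s: &str) -> Result<Vec<u8>, EnvelopeError> {
    let body = s.trim_end_matches('=');
    if body.len() % 4 == 1 { return Err(EnvelopeError::Base64); }
    let (mut acc, mut bits, mut out) = (0u32, 0u32, Vec::new());
    for c in body.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62,
            b'/' => 63,
            _ => return Err(EnvelopeError::Base64),
        };
        acc = (acc << 6) | u32::from(v);
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1; // keep only the bits not yet emitted
        }
    }
    Ok(out)
}

pub fn parse_envelope(s: &str) -> Result<Envelope, EnvelopeError> {
    // ':' is outside the base64 alphabet, so the field split is unambiguous.
    let parts: Vec<&str> = s.split(':').collect();
    let (legacy, nonce_b64, ct_b64) = match parts.as_slice() {
        ["v1", n, c] => (false, *n, *c),
        [n, c] => (true, *n, *c), // legacy form without a version tag
        [_, _, _] => return Err(EnvelopeError::UnknownVersion),
        _ => return Err(EnvelopeError::FieldCount),
    };
    let raw = b64_decode(nonce_b64)?;
    if raw.len() != 12 { return Err(EnvelopeError::NonceLen); }
    let mut nonce = [0u8; 12];
    nonce.copy_from_slice(&raw);
    let ct_and_tag = b64_decode(ct_b64)?;
    // Anything shorter than one tag cannot authenticate; reject it early.
    if ct_and_tag.len() < 16 { return Err(EnvelopeError::TooShort); }
    Ok(Envelope { legacy, nonce, ct_and_tag })
}
// Constructed sample: all-zero 12-byte nonce, 16 zero bytes standing in for the tag.
fn main() { println!("{:?}", parse_envelope("v1:AAAAAAAAAAAAAAAA:AAAAAAAAAAAAAAAAAAAAAA==")); }
```

Passing this check says nothing about authenticity; only GCM tag verification during decryption does.
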

## API

- `encrypt()` / `encrypt_bytes()`
  - Ensures the key exists (auto-init on first use)
- `decrypt()` / `decrypt_bytes()`
  - Fails if the key does not exist (no auto-init)
- `init_keychain_key()`
  - Creates a random key in the keychain if missing
- `has_keychain_key()`
  - Checks whether the key exists

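## Example

```rust
use keycrypt::{decrypt, encrypt, CryptoError};

fn main() -> Result<(), CryptoError> {
    // The first encryption creates the keychain key if it is missing.
    let enc = encrypt("hello")?;
    // Decryption never creates a key; it fails if none exists.
    let dec = decrypt(enc)?;
    assert_eq!(dec, "hello");
    Ok(())
}
```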