keycrypt 0.2.0

AES-256-GCM encryption helpers backed by the OS keychain (auto-init key on encrypt, strict decrypt, Zeroize in-memory keys).
Documentation

keycrypt

AES-256-GCM encryption helpers backed by the OS keychain.

keycrypt stores a 32-byte master key in the system keychain (via keyring) and uses it to encrypt/decrypt data with AES-256-GCM. The key is auto-initialized on first encryption, and decryption never auto-initializes (it fails if the key is missing).

Features

  • AES-256-GCM with a fresh random 12-byte nonce per encryption
  • OS keychain storage for the master key (no .env key required)
  • Safe-ish key handling: in-memory keys are held in Zeroizing<[u8; 32]>
  • Authenticated encryption: ciphertext includes the GCM authentication tag
  • Stable format:
    • Current: v1:nonce_b64:ciphertext_b64
    • Legacy accepted: nonce_b64:ciphertext_b64

API

  • encrypt() / encrypt_bytes()
    • Ensures the key exists (auto-init on first use)
  • decrypt() / decrypt_bytes()
    • Fails if the key does not exist (no auto-init)
  • init_keychain_key()
    • Creates a random key in the keychain if missing
  • has_keychain_key()
    • Checks whether the key exists

Example

use keycrypt::{encrypt, decrypt};

let enc = encrypt("hello")?;
let dec = decrypt(enc)?;
assert_eq!(dec, "hello");

# Ok::<(), keycrypt::CryptoError>(())