sealable
Password-to-sealed-string encryption for secrets — portable, versioned, pluggable.
sealable turns any small secret (API key, database password, token) into a single, URL-safe string protected by a passphrase.
The sealed string is self-contained, versioned, and easy to store in config files, environment variables, or secret stores.
Why use sealable?
Secrets often require manually managing salts, nonces, and encoding while wiring together low-level cryptography primitives.
sealable provides:
- A simple API for encrypting and decrypting passphrase-protected secrets.
- A versioned format for future-proof compatibility.
- Pluggable traits for KDF, cipher, and codec.
- Single-string, URL-safe output.
Default implementation
The default stack is:
Argon2idfor key derivationAES-256-GCMfor authenticated encryptionBase64Urlfor URL-safe encoding
Convenience alias:
sealable::prelude::DefaultSealedBox
Features
- 🔐 Default secure stack:
Argon2id+AES-256-GCM+Base64Url - 🧩 Pluggable backends via
KeyDerivation,Cipher, andCodec - 📦 Self-contained sealed strings with version, salt, nonce, and ciphertext
- 🔄 Algorithm agility through versioned payloads
- 🛡️ Zeroized secret material via
zeroize - 🔗 URL-safe output without padding
- 📜 Minimal API:
encrypt(passphrase, plaintext)anddecrypt(passphrase, sealed_string)
Installation
Add to Cargo.toml:
[]
= "0.1"
Basic usage
use *;
Customization
Create a custom SealedBox from types that implement the required traits:
use ;
use ;
use Base64Url;
type MySealedBox = ;
let sealed = encrypt?;
let decrypted = decrypt?;
Replace any of the following components:
KeyDerivation— passphrase → keyCipher— authenticated encryptionCodec— string encoding and decoding
Example: store a secret in config
use *;
let master_key = var?;
let sealed = encrypt?;
// Persist `sealed` to a config file or environment variable.
let sealed_from_config = /* read sealed string from storage */;
let decrypted = decrypt?;
let password = Stringfrom_utf8_lossy;
Limitations
- ⚠️ Not intended for large data: encryption/decryption happens in memory.
- ⚠️ Passphrase strength matters: weak passphrases are vulnerable to offline attacks.
- ⚠️ No built-in passphrase rotation: re-seal values manually when you change the passphrase.
- ⚠️ No additional authenticated data (AAD) support in the current API.
- ⚠️ Designed for one passphrase / one secret, not multi-recipient encryption.
- ⚠️ No streaming support.
Error handling
sealable::Error includes:
UnsupportedVersionInvalidFormatCryptoEncoding
Handle errors with standard Rust Result.
License
sealable is licensed under either:
- Apache License, Version 2.0
- MIT License