trelent-hyok 0.1.12

A Rust library implementing Hold Your Own Key (HYOK) encryption patterns with support for multiple cloud providers
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178

//! Customer Managed Key (CMK) management and operations.
//!
//! This module provides a flexible system for managing Customer Managed Keys,
//! which are used to encrypt and decrypt Data Encryption Keys (DEKs). It supports:
//!
//! - AWS Key Management Service (KMS)
//! - Azure Key Vault
//! - Custom implementations
//!
//! The module ensures consistent encryption operations while allowing integration
//! with different key management services.

use async_trait::async_trait;

use crate::error::cmk::CMKError;

mod aws_cmk;
mod azure_cmk;
mod custom_cmk;

#[cfg(feature = "aws")]
pub use aws_cmk::*;
#[cfg(feature = "azure")]
pub use azure_cmk::*;
pub use custom_cmk::*;

/// A trait that represents a Customer Managed Key (CMK) capable of encrypting
/// and decrypting data.
///
/// This trait provides a consistent interface for key operations across different
/// key management services. Implementations should ensure:
///
/// - Secure key storage
/// - Proper encryption/decryption
/// - Error handling
/// - Access control
///
/// # Security
///
/// Implementations should:
/// - Use strong encryption algorithms
/// - Protect key material
/// - Implement proper access controls
/// - Follow cryptographic best practices
///
/// # Example
/// ```no_run
/// use async_trait::async_trait;
/// use hyokashi::{CMKTrait, CMKError};
///
/// struct MyCMK;
///
/// #[async_trait]
/// impl CMKTrait for MyCMK {
///     async fn encrypt(&self, plaintext: Vec<u8>) -> Result<Vec<u8>, CMKError> {
///         // Implement secure encryption...
///         # Ok(vec![])
///     }
///
///     async fn decrypt(&self, ciphertext: Vec<u8>) -> Result<Vec<u8>, CMKError> {
///         // Implement secure decryption...
///         # Ok(vec![])
///     }
/// }
/// ```
#[async_trait]
pub trait CMKTrait {
    /// Encrypts the given plaintext bytes using the CMK.
    ///
    /// # Arguments
    ///
    /// * `plaintext` - The data to encrypt
    ///
    /// # Errors
    ///
    /// Returns a `CMKError` if encryption fails due to:
    /// - Key access issues
    /// - Service unavailability
    /// - Invalid input data
    /// - Algorithm failures
    async fn encrypt(&self, plaintext: Vec<u8>) -> Result<Vec<u8>, CMKError>;

    /// Decrypts the given ciphertext bytes using the CMK.
    ///
    /// # Arguments
    ///
    /// * `ciphertext` - The data to decrypt
    ///
    /// # Errors
    ///
    /// Returns a `CMKError` if decryption fails due to:
    /// - Key access issues
    /// - Service unavailability
    /// - Invalid ciphertext
    /// - Algorithm failures
    async fn decrypt(&self, ciphertext: Vec<u8>) -> Result<Vec<u8>, CMKError>;
}

/// Available Customer Managed Key implementations.
///
/// This enum provides a unified interface to different key management services:
///
/// - `AWS`: AWS KMS integration (requires "aws" feature)
/// - `Azure`: Azure Key Vault integration (requires "azure" feature)
/// - `Custom`: User-defined CMK implementation
///
/// # Feature Flags
///
/// Different backends can be enabled via feature flags:
/// - `aws`: Enables AWS KMS support
/// - `azure`: Enables Azure Key Vault support
///
/// # Security
///
/// For production use:
/// - Use cloud provider solutions when possible
/// - Ensure proper key rotation
/// - Implement access controls
/// - Monitor key usage
///
/// # Example
/// ```no_run
/// use hyokashi::CMK;
///
/// // Create an AWS KMS-based CMK
/// #[cfg(feature = "aws")]
/// let cmk = CMK::AWS(AwsCMK::new(
///     client,
///     "alias/my-key".to_string(),
///     encryption_algorithm
/// ));
///
/// // Use the CMK
///     let encrypted = cmk.encrypt(vec![1, 2, 3]).await?;
///     let decrypted = cmk.decrypt(encrypted).await?;
/// ```
pub enum CMK {
    #[cfg(feature = "aws")]
    /// AWS Key Management Service implementation
    AWS(AwsCMK),
    #[cfg(feature = "azure")]
    /// Azure Key Vault implementation
    Azure(AzureCMK),
    /// Custom key management implementation
    Custom(CustomCMK),
}

impl CMK {
    /// Encrypts the provided data with the underlying CMK variant.
    ///
    /// # Errors
    ///
    /// Returns a `CMKError` if encryption fails through the underlying CMK.
    pub async fn encrypt(&self, key: Vec<u8>) -> Result<Vec<u8>, CMKError> {
        (match self {
            #[cfg(feature = "aws")]
            CMK::AWS(cmk) => cmk.encrypt(key),
            #[cfg(feature = "azure")]
            CMK::Azure(cmk) => cmk.encrypt(key),
            CMK::Custom(cmk) => cmk.encrypt(key),
        }).await
    }

    /// Decrypts the provided data with the underlying CMK variant.
    ///
    /// # Errors
    ///
    /// Returns a `CMKError` if decryption fails through the underlying CMK.
    pub async fn decrypt(&self, key: Vec<u8>) -> Result<Vec<u8>, CMKError> {
        (match self {
            #[cfg(feature = "aws")]
            CMK::AWS(cmk) => cmk.decrypt(key),
            #[cfg(feature = "azure")]
            CMK::Azure(cmk) => cmk.decrypt(key),
            CMK::Custom(cmk) => cmk.decrypt(key),
        }).await
    }
}