Expand description
§enc_file — password-based authenticated encryption for files.
enc_file is a Rust library for encrypting, decrypting, and hashing files or byte arrays.
It supports modern AEAD ciphers (XChaCha20-Poly1305, AES-256-GCM-SIV) with Argon2id key derivation.
§Features
- File and byte array encryption/decryption
- Streaming encryption for large files (constant memory usage)
- Multiple AEAD algorithms: XChaCha20-Poly1305, AES-256-GCM-SIV
- Password-based key derivation using Argon2id
- Key map management for named symmetric keys
- Flexible hashing API with support for BLAKE3, SHA2, SHA3, Blake2b, XXH3, and CRC32
- ASCII armor for encrypted data (Base64 encoding)
§Example: Encrypt and decrypt a byte array
use enc_file::{encrypt_bytes, decrypt_bytes, EncryptOptions, AeadAlg};
use secrecy::SecretString;
let password = SecretString::new("mypassword".into());
let opts = EncryptOptions {
alg: AeadAlg::XChaCha20Poly1305,
..Default::default()
};
let ciphertext = encrypt_bytes(b"Hello, world!", password.clone(), &opts).unwrap();
let plaintext = decrypt_bytes(&ciphertext, password).unwrap();
assert_eq!(plaintext, b"Hello, world!");§Example: Hash a file
use enc_file::{hash_file, HashAlg};
use std::path::Path;
let digest = hash_file(Path::new("myfile.txt"), HashAlg::Blake3).unwrap();
println!("Hash: {}", enc_file::to_hex_lower(&digest));See function-level documentation for more details.
Safety notes
- The crate is not audited or reviewed! Protects data at rest. Does not defend against compromised hosts/side channels.
Structs§
- Decrypt
Options - Decrypt options for file operations.
- Encrypt
Options - Options for encryption.
- KdfParams
- Tunable KDF parameters (mem_kib in KiB).
Enums§
- AeadAlg
- Supported AEAD algorithms.
- EncFile
Error - Library error type (no panics for expected failures).
- HashAlg
- Supported hash algorithms for general purpose hashing.
- KdfAlg
- Supported password KDFs.
Constants§
- DEFAULT_
CHUNK_ SIZE - Default chunk size for streaming (1 MiB).
Functions§
- decrypt_
bytes - Decrypt a byte slice that was produced by
encrypt_bytes. - decrypt_
file - Decrypt a file on disk that was produced by
encrypt_fileorencrypt_file_streaming. - default_
decrypt_ output_ path - Determine the default output path for decryption operations.
- encrypt_
bytes - Encrypt a byte slice using an AEAD cipher with a password-derived key.
- encrypt_
file - Encrypt a file on disk using the specified options.
- encrypt_
file_ streaming - Encrypt a file using streaming/chunked framing for constant memory usage.
- hash_
bytes - Hash a byte slice and return the raw digest bytes.
- hash_
bytes_ keyed_ blake3 - Keyed BLAKE3 hash for authentication (MAC-style).
- hash_
file - Hash a file (streaming) and return the raw digest bytes.
- hash_
file_ keyed_ blake3 - Keyed BLAKE3 file hash (streaming).
- load_
keymap - Load an encrypted key map from disk using a password.
- looks_
armored - Check if data appears to be ASCII-armored.
- persist_
tempfile_ atomic - save_
keymap - Save a key map to disk encrypted with a password.
- to_
hex_ lower - Helper to hex-encode bytes in lowercase for display or logging.
- validate_
chunk_ size_ for_ streaming - Validate streaming chunk size against the 32-bit frame length format.
Type Aliases§
- KeyMap
- Type alias for encrypted key maps.