EncryptedBackend

Struct EncryptedBackend 

pub struct EncryptedBackend { /* private fields */ }

An encrypted storage backend that wraps another backend.

All data written through this backend is encrypted using AES-256-GCM. Data is encrypted in fixed-size blocks for efficient random access.

§Security Guarantees

  • Confidentiality: Data is encrypted with AES-256-GCM
  • Integrity: Each block has a 128-bit authentication tag
  • Determinism: Same data + key produces identical ciphertext (AC-01)
  • Key security: Keys are zeroized on drop

§Example

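// StorageBackend must be in scope to call append and read_at; its export from
// the crate root alongside the other types is assumed here.
use entidb_storage::{InMemoryBackend, EncryptedBackend, EncryptionKey, StorageBackend};

// AES-256 takes a 32-byte key; a constant key like this is for illustration only.
let key = EncryptionKey::from_bytes(&[0x42u8; 32])?;
let inner = InMemoryBackend::new();
let mut encrypted = EncryptedBackend::new(Box::new(inner), key)?;

// append returns the offset that is later passed to read_at.
let offset = encrypted.append(b"secret data")?;
let data = encrypted.read_at(offset, 11)?;
assert_eq!(&data, b"secret data");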

Implementations§

impl EncryptedBackend

pub fn new( inner: Box<dyn StorageBackend>, key: EncryptionKey, ) -> StorageResult<Self>

Creates a new encrypted backend wrapping the given inner backend.

If the inner backend is empty, initializes a new encrypted storage. If it contains data, reads and validates the header.

§Errors

Returns an error if:

  • The inner backend contains invalid encrypted data
  • The encryption key is wrong (authentication will fail on first read)
  • The format version is unsupported

pub fn with_block_size( inner: Box<dyn StorageBackend>, key: &EncryptionKey, block_size: usize, ) -> StorageResult<Self>

Creates a new encrypted backend with a custom block size.

§Arguments

  • inner - The underlying storage backend
  • key - The encryption key
  • block_size - Plaintext block size (must be 1KB to 1MB)

§Errors

Returns an error if the block size is invalid or the storage is corrupted.
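
The effect of block_size on reads, as an added example that is not part of entidb_storage: a GCM tag authenticates a whole block, so serving any byte range means fetching and verifying every block the range touches. The layout is assumed (plaintext split into block_size chunks, each followed by its 16-byte tag, block indices counted from the start of the data region after the header, 1KB taken as 1024 bytes); plan_read and ReadPlan are hypothetical names.

```rust
// Added example: assumed layout, not entidb_storage's on-disk format.
const TAG_LEN: u64 = 16; // 128-bit GCM tag per block (from the page)
const MIN_BLOCK: u64 = 1024; // "1KB", assumed to mean 1024 bytes
const MAX_BLOCK: u64 = 1024 * 1024; // "1MB", assumed to mean 1024 * 1024 bytes

/// Blocks that must be fetched and authenticated to serve one read (hypothetical type).
#[derive(Debug, PartialEq)]
pub struct ReadPlan {
    pub first_block: u64,
    pub block_count: u64,
    pub skip_in_first: u64, // plaintext bytes to discard from the first block
    pub max_ciphertext_bytes: u64, // upper bound: a final partial block may be shorter
}

/// Maps a plaintext read onto the encrypted blocks it touches (hypothetical helper).
pub fn plan_read(offset: u64, len: u64, block_size: u64) -> Result<ReadPlan, String> {
    if !(MIN_BLOCK..=MAX_BLOCK).contains(&block_size) {
        return Err(format!("block size {block_size} is outside 1KB..=1MB"));
    }
    let first_block = offset / block_size;
    let skip_in_first = offset % block_size;
    if len == 0 {
        // Nothing to decrypt; report where the read would have started.
        return Ok(ReadPlan { first_block, block_count: 0, skip_in_first, max_ciphertext_bytes: 0 });
    }
    let end = offset.checked_add(len).ok_or("offset + len overflows u64")?;
    let block_count = (end - 1) / block_size - first_block + 1;
    // The tag covers the whole block, so each touched block is read in full.
    let max_ciphertext_bytes = block_count
        .checked_mul(block_size + TAG_LEN)
        .ok_or("ciphertext size overflows u64")?;
    Ok(ReadPlan { first_block, block_count, skip_in_first, max_ciphertext_bytes })
}

fn main() {
    // The 11-byte read from the page's example, with an assumed 4096-byte block.
    println!("{:?}", plan_read(0, 11, 4096));
    // Same length straddling a block boundary: two blocks must be authenticated.
    println!("{:?}", plan_read(4090, 11, 4096));
}
```

Larger blocks lower the per-block tag overhead but raise the amount of ciphertext decrypted for a small read.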

Trait Implementations§

impl StorageBackend for EncryptedBackend

fn read_at(&self, offset: u64, len: usize) -> StorageResult<Vec<u8>>

Reads len bytes starting at offset.

fn append(&mut self, data: &[u8]) -> StorageResult<u64>

Appends data to the end of the storage.

fn flush(&mut self) -> StorageResult<()>

Flushes all pending writes to durable storage.

fn size(&self) -> StorageResult<u64>

Returns the current size of the storage in bytes.

fn sync(&mut self) -> StorageResult<()>

Syncs all data and metadata to durable storage.

fn truncate(&mut self, new_size: u64) -> StorageResult<()>

Truncates the storage to the given size.