envelope is a very simple envelope encryption library that can use external key providers such as AWS KMS to encrypt data safely. It uses the concept of data keys to encrypt messages, but these data keys are themselves encrypted by a Key-Encryption-Key (KEK, sometimes also called a Customer Master Key), and the resulting ciphertext (the "wrapped" data key) is stored alongside the encrypted data.
§Usage
NOTE: This is Alpha software and should not be used in production
§Encrypt a message with a local Key Provider
The SimpleKeyProvider allows envelope encryption to be used with a local key.
```rust
use envelopers::{
    Aes128Gcm, // or Aes256Gcm, Aes128GcmSiv, Aes256GcmSiv
    EnvelopeCipher,
    SimpleKeyProvider,
};
use hex_literal::hex;

// The KEK never leaves the provider; only wrapped data keys are stored with ciphertexts.
let kek: [u8; 16] = hex!("00010203 04050607 08090a0b 0c0d0e0f");
let key_provider: SimpleKeyProvider<Aes128Gcm> = SimpleKeyProvider::init(kek);
let cipher: EnvelopeCipher<_> = EnvelopeCipher::init(key_provider);

// encrypt is async, so this must run inside an async context.
let er = cipher.encrypt(b"hey there monkey boy").await.unwrap();
```
§Encoding a CipherText
```rust
// Serialize the EncryptedRecord (wrapped data key plus ciphertext) to bytes,
// then hex-encode them for storage or transport.
let bytes = er.to_vec().unwrap();
let encoded = hex::encode(&bytes);
```
§Decrypting a CipherText
```rust
use envelopers::{Aes128Gcm, EnvelopeCipher, SimpleKeyProvider, EncryptedRecord};

// `cipher` and `bytes` are the values produced in the two snippets above.
// Parse the serialized record, then unwrap the data key via the key provider
// and decrypt the payload.
let dec = EncryptedRecord::from_vec(bytes).unwrap();
let pt = cipher.decrypt(&dec).await.unwrap();
assert!(std::str::from_utf8(&pt).unwrap() == "hey there monkey boy");
```
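The following is an added, self-contained example and not the envelopers crate's own code. It shows the envelope pattern the description and the usage walkthrough above rely on: a fresh data key per message, that data key wrapped under the KEK, the wrapped key serialized with the ciphertext, and a caching layer in front of the key provider (the job the crate's CachingKeyWrapper does) so repeated decrypts do not each cost a KEK/KMS call. Because it has to run on the standard library alone, a toy splitmix64-based XOR keystream stands in for AES-GCM; it provides no confidentiality or integrity and exists only to make the key-wrapping and record layout visible. Every type, function and field name here (KeyProvider, LocalKek, CachingKeyWrapper, EncryptedRecord, EnvelopeCipher, demo) is an assumption of this example, and the KEK, nonces and data keys are constructed deterministically for reproducibility rather than drawn from a CSPRNG.

```rust
// Added example, not the envelopers crate's code. toy_xor stands in for AES-GCM
// and gives NO confidentiality or integrity; all names here are assumptions.
use std::collections::HashMap;

/// splitmix64 step, used only to derive toy keystream bytes.
fn mix(mut x: u64) -> u64 {
    x = x.wrapping_add(0x9E37_79B9_7F4A_7C15);
    x = (x ^ (x >> 30)).wrapping_mul(0xBF58_476D_1CE4_E5B9);
    x = (x ^ (x >> 27)).wrapping_mul(0x94D0_49BB_1331_11EB);
    x ^ (x >> 31)
}

/// Toy AEAD stand-in: XOR with a keystream from (key, nonce). Symmetric, not secure.
fn toy_xor(key: &[u8; 16], nonce: &[u8; 12], data: &[u8]) -> Vec<u8> {
    let mut state = key.iter().chain(nonce.iter()).enumerate()
        .fold(0u64, |s, (i, b)| mix(s ^ ((*b as u64) << ((i % 8) * 8))));
    data.iter().enumerate().map(|(i, b)| {
        if i % 8 == 0 { state = mix(state); }
        b ^ (state >> ((i % 8) * 8)) as u8
    }).collect()
}

/// Counter-derived nonce so the example is reproducible; real code uses the OS CSPRNG.
fn nonce_from(counter: u64) -> [u8; 12] {
    let mut n = [0u8; 12];
    n[..8].copy_from_slice(&counter.to_le_bytes());
    n
}

/// What the envelope cipher needs from a key provider (local KEK or a KMS).
pub trait KeyProvider {
    /// A fresh data key in the clear plus its KEK-wrapped form.
    fn generate_data_key(&mut self) -> ([u8; 16], Vec<u8>);
    /// Recover a data key from its wrapped form (a KMS round-trip in practice).
    fn unwrap_data_key(&mut self, wrapped: &[u8]) -> Option<[u8; 16]>;
}

/// Local KEK holder in the spirit of the page's SimpleKeyProvider.
pub struct LocalKek { kek: [u8; 16], counter: u64 }
impl LocalKek { pub fn new(kek: [u8; 16]) -> Self { Self { kek, counter: 0 } } }
impl KeyProvider for LocalKek {
    fn generate_data_key(&mut self) -> ([u8; 16], Vec<u8>) {
        self.counter += 1;
        let mut dk = [0u8; 16]; // counter-derived here; random in real use
        dk[..8].copy_from_slice(&mix(self.counter).to_le_bytes());
        dk[8..].copy_from_slice(&mix(!self.counter).to_le_bytes());
        let nonce = nonce_from(self.counter); // wrapped = nonce || E_kek(dk)
        let mut wrapped = nonce.to_vec();
        wrapped.extend(toy_xor(&self.kek, &nonce, &dk));
        (dk, wrapped)
    }
    fn unwrap_data_key(&mut self, wrapped: &[u8]) -> Option<[u8; 16]> {
        if wrapped.len() != 12 + 16 { return None; }
        let nonce: [u8; 12] = wrapped[..12].try_into().ok()?;
        toy_xor(&self.kek, &nonce, &wrapped[12..]).try_into().ok()
    }
}

/// Caches unwrapped data keys by their wrapped bytes so repeated decrypts do not
/// each cost a KEK/KMS call (the role of the page's CachingKeyWrapper).
pub struct CachingKeyWrapper<P: KeyProvider> { inner: P, cache: HashMap<Vec<u8>, [u8; 16]>, pub kek_calls: usize }
impl<P: KeyProvider> CachingKeyWrapper<P> {
    pub fn new(inner: P) -> Self { Self { inner, cache: HashMap::new(), kek_calls: 0 } }
}
impl<P: KeyProvider> KeyProvider for CachingKeyWrapper<P> {
    fn generate_data_key(&mut self) -> ([u8; 16], Vec<u8>) {
        let (dk, wrapped) = self.inner.generate_data_key();
        self.cache.insert(wrapped.clone(), dk);
        (dk, wrapped)
    }
    fn unwrap_data_key(&mut self, wrapped: &[u8]) -> Option<[u8; 16]> {
        if let Some(dk) = self.cache.get(wrapped) { return Some(*dk); }
        self.kek_calls += 1;
        let dk = self.inner.unwrap_data_key(wrapped)?;
        self.cache.insert(wrapped.to_vec(), dk);
        Some(dk)
    }
}

/// Wire layout: u16 BE wrapped-key length || wrapped key || nonce || ciphertext.
pub struct EncryptedRecord { pub wrapped_key: Vec<u8>, pub nonce: [u8; 12], pub ciphertext: Vec<u8> }
impl EncryptedRecord {
    pub fn to_vec(&self) -> Vec<u8> {
        let mut out = (self.wrapped_key.len() as u16).to_be_bytes().to_vec();
        out.extend(&self.wrapped_key); out.extend(&self.nonce); out.extend(&self.ciphertext);
        out
    }
    /// Bounds-checked: a truncated record yields None instead of a panic.
    pub fn from_slice(b: &[u8]) -> Option<Self> {
        let n = u16::from_be_bytes(b.get(..2)?.try_into().ok()?) as usize;
        let wrapped_key = b.get(2..2 + n)?.to_vec();
        let nonce: [u8; 12] = b.get(2 + n..14 + n)?.try_into().ok()?;
        Some(Self { wrapped_key, nonce, ciphertext: b.get(14 + n..)?.to_vec() })
    }
}

pub struct EnvelopeCipher<P: KeyProvider> { pub provider: P, msg_counter: u64 }
impl<P: KeyProvider> EnvelopeCipher<P> {
    pub fn new(provider: P) -> Self { Self { provider, msg_counter: 0 } }
    /// One data key per message; only its wrapped form is stored with the ciphertext.
    pub fn encrypt(&mut self, plaintext: &[u8]) -> EncryptedRecord {
        let (dk, wrapped_key) = self.provider.generate_data_key();
        self.msg_counter += 1;
        let nonce = nonce_from(self.msg_counter);
        EncryptedRecord { wrapped_key, nonce, ciphertext: toy_xor(&dk, &nonce, plaintext) }
    }
    pub fn decrypt(&mut self, r: &EncryptedRecord) -> Option<Vec<u8>> {
        let dk = self.provider.unwrap_data_key(&r.wrapped_key)?;
        Some(toy_xor(&dk, &r.nonce, &r.ciphertext))
    }
}

/// Producer encrypts; a consumer holding the same KEK decrypts the record twice through
/// the cache. Returns (plaintext, record length, KEK calls after 1st and after 2nd decrypt).
pub fn demo() -> (String, usize, usize, usize) {
    let kek: [u8; 16] = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15]; // constructed
    let mut producer = EnvelopeCipher::new(LocalKek::new(kek));
    let bytes = producer.encrypt(b"hey there monkey boy").to_vec();
    let mut consumer = EnvelopeCipher::new(CachingKeyWrapper::new(LocalKek::new(kek)));
    let record = EncryptedRecord::from_slice(&bytes).expect("well-formed record");
    let pt = consumer.decrypt(&record).expect("unwrap succeeds");
    let after_first = consumer.provider.kek_calls;
    let _ = consumer.decrypt(&record);
    (String::from_utf8(pt).unwrap(), bytes.len(), after_first, consumer.provider.kek_calls)
}

fn main() {
    let (pt, len, c1, c2) = demo();
    println!("plaintext={:?} record_len={} kek_calls={}->{}", pt, len, c1, c2);
}
```

Two design points carry over to the real crate. First, the consumer never sees the KEK's output beyond the unwrapped data key, so a KMS-backed provider can enforce access policy and audit logging on every unwrap; the cache trades some of that visibility (and keeps plaintext data keys in process memory) for fewer KMS calls, which is why a production cache needs the kind of bounds that CacheOptions configures rather than the unbounded map used here. Second, the record parser checks every slice bound, because the serialized record is untrusted input at decrypt time; with a real AEAD the unwrap step additionally fails on any tampering with the wrapped key, which the toy cipher cannot detect.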
Re-exports§
pub use crate::errors::DecryptionError;
pub use crate::errors::ERFromBytesError;
pub use crate::errors::ERToBytesError;
pub use crate::errors::EncryptionError;
pub use crate::errors::KeyDecryptionError;
pub use crate::errors::KeyGenerationError;
Modules§
Structs§
- CacheOptions - The options for configuring a CachingKeyWrapper's cache
- CachingKeyWrapper - A wrapper for a KeyProvider that supports caching.
- DataKey
- Decrypt
- Encrypt
- EncryptedRecord
- EnvelopeCipher
- KMSKeyProvider
- SimpleKeyProvider
Traits§
- KeyProvider
- KeySizeUser - Types which use a key for initialization.
Type Aliases§
- Aes128Gcm - AES-GCM with a 128-bit key and 96-bit nonce.
- Aes128GcmSiv - AES-GCM-SIV with a 128-bit key.
- Aes256Gcm - AES-GCM with a 256-bit key and 96-bit nonce.
- Aes256GcmSiv - AES-GCM-SIV with a 256-bit key.
- Key - Key used by KeySizeUser implementors.