
Module api


Crate-level KMS encrypt/decrypt API for cross-service callers.

Real AES-256-GCM with a fresh 12-byte IV per call and an authenticated tag. Envelope format:

| key_arn_len:u16_be | key_arn_utf8 | iv:12 | ciphertext_with_tag |

The key ARN is embedded so decryption callers can pass opaque ciphertext back without tracking the key separately — matching how AWS’s KMS blob format self-describes.
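A std-only parser and builder for the envelope layout above, added here as an illustration and not taken from the crate's own source. The names `Envelope`, `EnvelopeError`, `parse_envelope` and `build_envelope` are hypothetical, the 16-byte tag length is an assumption (the page only says "an authenticated tag"), and the sample ARN is constructed.

```rust
const IV_LEN: usize = 12; // from the documented layout
const TAG_LEN: usize = 16; // assumption: full-length 128-bit GCM tag

#[derive(Debug, PartialEq)]
pub enum EnvelopeError { Truncated, BadKeyArn, ArnTooLong }

#[derive(Debug, PartialEq)]
pub struct Envelope<'a> {
    pub key_arn: &'a str,
    pub iv: &'a [u8],
    pub ciphertext_with_tag: &'a [u8],
}

/// Split an opaque blob into its fields without trusting the length prefix.
pub fn parse_envelope(blob: &[u8]) -> Result<Envelope<'_>, EnvelopeError> {
    if blob.len() < 2 {
        return Err(EnvelopeError::Truncated);
    }
    let arn_len = u16::from_be_bytes([blob[0], blob[1]]) as usize;
    let rest = &blob[2..];
    // key_arn_len comes from the caller-supplied blob: bound-check before slicing,
    // and require room for the IV plus at least a tag.
    if rest.len() < arn_len + IV_LEN + TAG_LEN {
        return Err(EnvelopeError::Truncated);
    }
    let (arn, rest) = rest.split_at(arn_len);
    let key_arn = std::str::from_utf8(arn).map_err(|_| EnvelopeError::BadKeyArn)?;
    if key_arn.is_empty() {
        return Err(EnvelopeError::BadKeyArn);
    }
    let (iv, ciphertext_with_tag) = rest.split_at(IV_LEN);
    Ok(Envelope { key_arn, iv, ciphertext_with_tag })
}

/// Assemble the envelope; the ARN must fit the u16 length prefix.
pub fn build_envelope(key_arn: &str, iv: &[u8; IV_LEN], ct_and_tag: &[u8]) -> Result<Vec<u8>, EnvelopeError> {
    let len = u16::try_from(key_arn.len()).map_err(|_| EnvelopeError::ArnTooLong)?;
    let mut out = Vec::with_capacity(2 + key_arn.len() + IV_LEN + ct_and_tag.len());
    out.extend_from_slice(&len.to_be_bytes());
    out.extend_from_slice(key_arn.as_bytes());
    out.extend_from_slice(iv);
    out.extend_from_slice(ct_and_tag);
    Ok(out)
}

fn main() {
    // Constructed sample: placeholder ARN, fixed IV, 20 bytes standing in for ciphertext + tag.
    let blob = build_envelope("arn:aws:kms:us-east-1:000000000000:key/constructed-example", &[0x11; IV_LEN], &[0xAA; 20]).unwrap();
    println!("{:?}", parse_envelope(&blob));
}
```

The ARN parsed here is read before any tag has been verified, so a caller should treat it as an untrusted key selector until GCM authentication of the ciphertext succeeds.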

Enums

KmsApiError

Functions

decrypt_blob
Decrypt a blob produced by encrypt_blob.
encrypt_blob
Encrypt plaintext under the AES-256 key derived from key_ref (key id or ARN). Returns an envelope that decrypt_blob accepts without needing the key-ref passed again.