pub trait KeyCustody {
// Required methods
fn encrypt(
&self,
tenant: &str,
plaintext: &[u8],
) -> Result<Vec<u8>, KeyCustodyError>;
fn decrypt(
&self,
tenant: &str,
blob: &[u8],
) -> Result<Vec<u8>, KeyCustodyError>;
}Expand description
Encrypt/decrypt opaque blobs under a per-tenant envelope.
This is the trust seam ADR 0004 §D5 names. The local tier (LocalKeyCustody) is
implemented here; a cloud-KMS tier can implement the same trait later without touching
callers. tenant is authenticated (bound as AEAD associated data), so a blob is only
decryptable under the same tenant it was encrypted for.
Required Methods§
Sourcefn encrypt(
&self,
tenant: &str,
plaintext: &[u8],
) -> Result<Vec<u8>, KeyCustodyError>
fn encrypt( &self, tenant: &str, plaintext: &[u8], ) -> Result<Vec<u8>, KeyCustodyError>
Seal plaintext for tenant, returning an opaque nonce ‖ ciphertext ‖ tag blob that
is safe to store at rest.
§Errors
KeyCustodyError::Encrypt if the RNG or the AEAD layer fails. The error is opaque and
carries no key material.
Sourcefn decrypt(&self, tenant: &str, blob: &[u8]) -> Result<Vec<u8>, KeyCustodyError>
fn decrypt(&self, tenant: &str, blob: &[u8]) -> Result<Vec<u8>, KeyCustodyError>
Open a blob previously produced by encrypt for the same
tenant.
§Errors
KeyCustodyError::Decrypt on any failure — tamper, wrong KEK, wrong tenant, or a
truncated blob. The failure mode is indistinguishable on purpose (no oracle): all of
them surface as the same opaque error, and never a partial/garbage plaintext.
Dyn Compatibility§
This trait is dyn compatible.
In older versions of Rust, dyn compatibility was called "object safety".