Skip to main content

KeyCustody

Trait KeyCustody 

Source
pub trait KeyCustody {
    // Required methods
    fn encrypt(
        &self,
        tenant: &str,
        plaintext: &[u8],
    ) -> Result<Vec<u8>, KeyCustodyError>;
    fn decrypt(
        &self,
        tenant: &str,
        blob: &[u8],
    ) -> Result<Vec<u8>, KeyCustodyError>;
}
Expand description

Encrypt/decrypt opaque blobs under a per-tenant envelope.

This is the trust seam ADR 0004 §D5 names. The local tier (LocalKeyCustody) is implemented here; a cloud-KMS tier can implement the same trait later without touching callers. tenant is authenticated (bound as AEAD associated data), so a blob is only decryptable under the same tenant it was encrypted for.

Required Methods§

Source

fn encrypt( &self, tenant: &str, plaintext: &[u8], ) -> Result<Vec<u8>, KeyCustodyError>

Seal plaintext for tenant, returning an opaque nonce ‖ ciphertext ‖ tag blob that is safe to store at rest.

§Errors

KeyCustodyError::Encrypt if the RNG or the AEAD layer fails. The error is opaque and carries no key material.

Source

fn decrypt(&self, tenant: &str, blob: &[u8]) -> Result<Vec<u8>, KeyCustodyError>

Open a blob previously produced by encrypt for the same tenant.

§Errors

KeyCustodyError::Decrypt on any failure — tamper, wrong KEK, wrong tenant, or a truncated blob. The failure mode is indistinguishable on purpose (no oracle): all of them surface as the same opaque error, and never a partial/garbage plaintext.

Dyn Compatibility§

This trait is dyn compatible.

In older versions of Rust, dyn compatibility was called "object safety".

Implementors§