Struct FieldEncryption 

pub struct FieldEncryption { /* private fields */ }

Cipher for field-level encryption using AES-256-GCM

Encrypts sensitive database fields with authenticated encryption. Each encryption uses a random nonce, preventing identical plaintexts from producing identical ciphertexts.

FieldEncryption does not implement Clone. Shared access should use Arc<FieldEncryption> so the key schedule is held in exactly one heap allocation and zeroed on drop (requires aes-gcm zeroize feature, which is enabled in this crate’s Cargo.toml).

Example

use fraiseql_secrets::FieldEncryption;
// Key must be exactly 32 bytes for AES-256-GCM.
let key = b"12345678901234567890123456789012"; // 32 bytes
let cipher = FieldEncryption::new(key).unwrap();
let encrypted = cipher.encrypt("user@example.com").unwrap();
let decrypted = cipher.decrypt(&encrypted).unwrap();
assert_eq!(decrypted, "user@example.com");

Implementations

impl FieldEncryption

pub fn new(key: &[u8]) -> Result<Self, SecretsError>

Create new field encryption cipher.

Arguments

• key - Encryption key bytes (must be exactly 32 bytes for AES-256)

Errors

Returns SecretsError::ValidationError if key is not exactly 32 bytes.

pub fn encrypt(&self, plaintext: &str) -> Result<Vec<u8>, SecretsError>

Encrypt plaintext field using AES-256-GCM

Generates random 96-bit nonce, encrypts with authenticated encryption, and returns [nonce || ciphertext] format for decryption.

Arguments

• plaintext - Data to encrypt

Returns

Encrypted data in format: [12-byte nonce][ciphertext + 16-byte tag]

Errors

Returns EncryptionError if encryption fails

pub fn decrypt(&self, encrypted: &[u8]) -> Result<String, SecretsError>

Decrypt encrypted field using AES-256-GCM

Expects data in format: [12-byte nonce][ciphertext + 16-byte tag] Extracts nonce, decrypts, and verifies authentication tag.

Arguments

• encrypted - Encrypted data from encrypt()

Returns

Decrypted plaintext as String

Errors

Returns EncryptionError if:

• Data too short for nonce
• Decryption fails (wrong key or corrupted data)
• Plaintext is not valid UTF-8

pub fn encrypt_with_context( &self, plaintext: &str, context: &str, ) -> Result<Vec<u8>, SecretsError>

Encrypt field with additional context for audit/security

Includes context (e.g., user_id, field_name) in authenticated data but not in ciphertext, providing audit trail without bloating storage.

Arguments

• plaintext - Data to encrypt
• context - Additional authenticated data (e.g., “user:123:email”)

Errors

Returns SecretsError::EncryptionError if AES-GCM encryption fails.

pub fn decrypt_with_context( &self, encrypted: &[u8], context: &str, ) -> Result<String, SecretsError>

Decrypt field with additional context verification

Context must match the value used during encryption for verification to succeed.

Arguments

• encrypted - Encrypted data from encrypt_with_context()
• context - Context that was used during encryption

Returns

Decrypted plaintext as String

Errors

Returns EncryptionError if context doesn’t match or decryption fails

Trait Implementations

impl Debug for FieldEncryption

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.