Expand description
§kmb-crypto: Cryptographic primitives for Kimberlite
This crate provides the cryptographic foundation for Kimberlite’s
tamper-evident append-only log.
§Modules
| Module | Purpose | Status |
|---|---|---|
chain | Hash chains for tamper evidence (SHA-256) | ✅ Ready |
hash | Dual-hash abstraction (SHA-256/BLAKE3) | ✅ Ready |
signature | Ed25519 signatures for non-repudiation | ✅ Ready |
encryption | AES-256-GCM encryption and key wrapping | ✅ Ready |
§Quick Start
use kimberlite_crypto::{chain_hash, ChainHash, SigningKey, internal_hash, HashPurpose};
use kimberlite_crypto::{EncryptionKey, WrappedKey};
// Build a tamper-evident chain of records (SHA-256 for compliance)
let hash0 = chain_hash(None, b"genesis record");
let hash1 = chain_hash(Some(&hash0), b"second record");
// Fast internal hash (BLAKE3) for deduplication
let fingerprint = internal_hash(b"content to deduplicate");
// Sign records for non-repudiation
let signing_key = SigningKey::generate();
let signature = signing_key.sign(hash1.as_bytes());
// Verify the signature
let verifying_key = signing_key.verifying_key();
assert!(verifying_key.verify(hash1.as_bytes(), &signature).is_ok());
// Wrap a key for secure storage (key hierarchy)
let kek = EncryptionKey::generate();
let dek = EncryptionKey::generate();
let wrapped = WrappedKey::new(&kek, &dek.to_bytes());
let unwrapped = wrapped.unwrap_key(&kek).unwrap();
assert_eq!(dek.to_bytes(), unwrapped);Re-exports§
pub use anonymize::DatePrecision;pub use anonymize::GeoLevel;pub use anonymize::KAnonymityResult;pub use anonymize::MaskStyle;pub use anonymize::check_k_anonymity;pub use anonymize::generalize_age;pub use anonymize::generalize_numeric;pub use anonymize::generalize_zip;pub use anonymize::mask;pub use anonymize::redact;pub use anonymize::truncate_date;pub use chain::ChainHash;pub use chain::HASH_LENGTH;pub use chain::chain_hash;pub use crc32::Crc32;pub use crc32::crc32;pub use encryption::DataEncryptionKey;pub use encryption::EncryptionKey;pub use encryption::InMemoryMasterKey;pub use encryption::KeyEncryptionKey;pub use encryption::MasterKeyProvider;pub use encryption::WrappedKey;pub use error::CryptoError;pub use field::FieldKey;pub use field::ReversibleToken;pub use field::TOKEN_LENGTH;pub use field::Token;pub use field::decrypt_field;pub use field::encrypt_field;pub use field::matches_token;pub use field::tokenize;pub use hash::HashAlgorithm;pub use hash::HashPurpose;pub use hash::InternalHash;pub use hash::hash_with_purpose;pub use hash::internal_hash;pub use signature::Signature;pub use signature::SigningKey;pub use signature::VerifyingKey;
Modules§
- anonymize
- Anonymization and data masking primitives for secure data sharing.
- chain
- Hash chain for tamper-evident record linking.
- crc32
- CRC32 (IEEE 802.3) checksum implementation.
- encryption
- AES-256-GCM authenticated encryption for tenant data isolation.
- error
- Error types for cryptographic operations.
- field
- Field-level encryption and anonymization primitives.
- hash
- Dual-hash abstraction for compliance vs performance paths.
- signature
- Ed25519 digital signatures for record non-repudiation.