Struct DataEncryptionKey 

pub struct DataEncryptionKey(/* private fields */);

Data Encryption Key (DEK) for encrypting actual record data.

Each segment (chunk of the log) has its own DEK. The DEK is wrapped by the tenant’s KEK and stored in the segment header.

Key Hierarchy Position

MasterKeyProvider
    │
    └── wraps ──► KeyEncryptionKey
                      │
                      └── wraps ──► DataEncryptionKey (this type)
                                        │
                                        └── encrypts ──► Record data

Example

use kimberlite_crypto::encryption::{
    InMemoryMasterKey, KeyEncryptionKey, DataEncryptionKey,
    Nonce, encrypt, decrypt,
};

let master = InMemoryMasterKey::generate();
let (kek, _) = KeyEncryptionKey::generate_and_wrap(&master);

// Create DEK for a new segment
let (dek, wrapped_dek) = DataEncryptionKey::generate_and_wrap(&kek);

// Encrypt data
let nonce = Nonce::from_position(0);
let ciphertext = encrypt(dek.encryption_key(), &nonce, b"secret data");

// Decrypt data
let plaintext = decrypt(dek.encryption_key(), &nonce, &ciphertext).unwrap();
assert_eq!(plaintext, b"secret data");

Implementations

impl DataEncryptionKey

pub fn restore( kek: &KeyEncryptionKey, wrapped: &WrappedKey, ) -> Result<Self, CryptoError>

Restores a DEK from its wrapped form (pure, no IO).

Use this when loading a segment’s DEK from its header.

Arguments

• kek - The KEK that originally wrapped this DEK
• wrapped - The wrapped DEK from the segment header

Errors

Returns CryptoError::DecryptionError if:

• The wrapped key is corrupted
• The wrong KEK is used

pub fn encryption_key(&self) -> &EncryptionKey

Returns a reference to the underlying encryption key.

Use this with encrypt and decrypt to encrypt/decrypt record data.

Example

let nonce = Nonce::from_position(42);
let ciphertext = encrypt(dek.encryption_key(), &nonce, b"data");

pub fn generate_and_wrap(kek: &KeyEncryptionKey) -> (Self, WrappedKey)

Generates a new DEK and wraps it with the KEK.

Returns both the usable DEK and its wrapped form for storage. The wrapped form should be stored in the segment header.

This is the imperative shell - it handles IO (randomness) and delegates to a pure internal constructor for the actual construction.

Arguments

• kek - The Key Encryption Key to wrap this DEK

Returns

A tuple of (usable_dek, wrapped_dek_for_storage).

Panics

Panics if the OS CSPRNG fails (catastrophic system error).

Trait Implementations

impl Drop for DataEncryptionKey

fn drop(&mut self)

Executes the destructor for this type.

impl Zeroize for DataEncryptionKey

fn zeroize(&mut self)

Zero out this object from memory using Rust intrinsics which ensure the zeroization operation is not “optimized away” by the compiler.