Struct KeyEncryptionKey 

pub struct KeyEncryptionKey(/* private fields */);

Key Encryption Key (KEK) for wrapping Data Encryption Keys.

Each tenant has one KEK. The KEK is wrapped by the master key and stored alongside tenant metadata. Deleting a tenant’s wrapped KEK renders all their data cryptographically inaccessible (GDPR “right to erasure”).

Key Hierarchy Position

MasterKeyProvider
    │
    └── wraps ──► KeyEncryptionKey (this type)
                      │
                      └── wraps ──► DataEncryptionKey

Example

use kimberlite_crypto::encryption::{
    InMemoryMasterKey, MasterKeyProvider, KeyEncryptionKey, DataEncryptionKey,
};

let master = InMemoryMasterKey::generate();

// Create KEK for a new tenant
let (kek, wrapped_kek) = KeyEncryptionKey::generate_and_wrap(&master);

// Store wrapped_kek.to_bytes() in tenant metadata...

// Later: restore KEK when tenant accesses data
let kek = KeyEncryptionKey::restore(&master, &wrapped_kek).unwrap();

Implementations

impl KeyEncryptionKey

pub fn restore( master: &impl MasterKeyProvider, wrapped: &WrappedKey, ) -> Result<Self, CryptoError>

Restores a KEK from its wrapped form (pure, no IO).

Use this when loading a tenant’s KEK from storage.

Arguments

• master - The master key provider that originally wrapped this KEK
• wrapped - The wrapped KEK from storage

Errors

Returns CryptoError::DecryptionError if:

• The wrapped key is corrupted
• The wrong master key is used

pub fn wrap_dek(&self, dek_bytes: &[u8; 32]) -> WrappedKey

Wraps a Data Encryption Key for secure storage.

The wrapped DEK should be stored in the segment header.

pub fn unwrap_dek(&self, wrapped: &WrappedKey) -> Result<[u8; 32], CryptoError>

Unwraps a Data Encryption Key from storage.

Errors

Returns CryptoError::DecryptionError if:

• The wrapped key is corrupted
• The wrong KEK is used

pub fn generate_and_wrap(master: &impl MasterKeyProvider) -> (Self, WrappedKey)

Generates a new KEK and wraps it with the master key.

Returns both the usable KEK and its wrapped form for storage. The wrapped form should be persisted alongside tenant metadata.

This is the imperative shell - it handles IO (randomness) and delegates to a pure internal constructor for the actual construction.

Arguments

• master - The master key provider to wrap the KEK

Returns

A tuple of (usable_kek, wrapped_kek_for_storage).

Panics

Panics if the OS CSPRNG fails (catastrophic system error).

Trait Implementations

impl Drop for KeyEncryptionKey

fn drop(&mut self)

Executes the destructor for this type.

impl Zeroize for KeyEncryptionKey

fn zeroize(&mut self)

Zero out this object from memory using Rust intrinsics which ensure the zeroization operation is not “optimized away” by the compiler.