KMS/AEAD envelope encryption: GCP or AWS KMS wraps the data keys, Ring performs the AEAD encryption

Available providers:

  • Google Cloud Platform KMS
  • Amazon Web Services KMS

Features:

  • Encrypts either with the default/current session key (DEK) or with a session key passed in as a parameter
  • Supports manual rotation of the default/current session key (DEK), or automatic generation of a fresh key for every request

Examples:

For AWS:

use kms_aead::providers::AwsKmsProvider;
use kms_aead::*;
use secret_vault_value::SecretValue;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
    // The KMS key is addressed by account id and key id; both come from the
    // environment so that no key reference is hard-coded.
    let aws_account_id = config_env_var("ACCOUNT_ID")?;
    let aws_key_id: String = config_env_var("KMS_KEY_ID")?;

    let kms_ref = kms_aead::providers::AwsKmsKeyRef::new(aws_account_id, aws_key_id);

    // The provider talks to AWS KMS for the session keys; Ring does the AEAD work locally.
    let encryption: KmsAeadRingEncryption<AwsKmsProvider> =
        kms_aead::KmsAeadRingEncryption::new(providers::AwsKmsProvider::new(&kms_ref).await?)
            .await?;

    let secret_value = SecretValue::from("test-secret");
    // Associated data is authenticated but not encrypted; decryption must present the same value.
    let test_aad = "test-aad".to_string();

    // Returns the ciphertext together with the session key (DEK) that was used,
    // so the caller can pass it back when decrypting.
    let (encrypted_value, session_key) = encryption.encrypt_value(&test_aad, &secret_value).await?;

    let secret_value = encryption
        .decrypt_value_with_session_key(&test_aad, &encrypted_value, &session_key)
        .await?;

    println!(
        "We have our secret back: {}",
        secret_value.sensitive_value_to_str().unwrap() == "test-secret"
    );

    Ok(())
}

// Small helper so that a missing variable yields a readable error instead of a panic.
pub fn config_env_var(name: &str) -> Result<String, String> {
    std::env::var(name).map_err(|e| format!("{}: {}", name, e))
}
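The envelope flow behind encrypt_value and decrypt_value_with_session_key, written out as an added example that is not the crate's own code: Go is used because its standard library ships AES-GCM, and MockKMS is an assumed stand-in that wraps the DEK under a local AES-GCM key where the crate would call GCP or AWS KMS. All names here are this example's own, and it uses the per-request DEK mode from the feature list.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// MockKMS is a constructed stand-in for the cloud KMS key: it only wraps and unwraps
// DEKs under a key-encryption key (KEK) that never leaves the "service".
type MockKMS struct{ kek []byte }

func (k *MockKMS) Wrap(dek []byte) ([]byte, error) { return seal(k.kek, []byte("dek-wrap"), dek) }
func (k *MockKMS) Unwrap(w []byte) ([]byte, error) { return open(k.kek, []byte("dek-wrap"), w) }
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// seal prefixes a fresh random nonce so it travels with the ciphertext and tag.
func seal(key, aad, plaintext []byte) ([]byte, error) {
	a, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, a.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	return a.Seal(nonce, nonce, plaintext, aad), nil
}
// open fails authentication on a wrong key, a different AAD or any tampered byte.
func open(key, aad, blob []byte) ([]byte, error) {
	a, err := newGCM(key)
	if err != nil { return nil, err }
	if len(blob) < a.NonceSize() { return nil, errors.New("ciphertext too short") }
	return a.Open(nil, blob[:a.NonceSize()], blob[a.NonceSize():], aad)
}
// EncryptValue is the per-request mode: a fresh DEK seals the value, the caller keeps
// the ciphertext plus the KMS-wrapped DEK, and the plaintext DEK is dropped.
func EncryptValue(kms *MockKMS, aad, plaintext []byte) (ciphertext, wrappedDEK []byte, err error) {
	dek := make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, dek); err != nil { return nil, nil, err }
	if ciphertext, err = seal(dek, aad, plaintext); err != nil { return nil, nil, err }
	wrappedDEK, err = kms.Wrap(dek)
	return ciphertext, wrappedDEK, err
}
// DecryptValue unwraps the DEK through the KMS first, then opens the AEAD ciphertext.
func DecryptValue(kms *MockKMS, aad, ciphertext, wrappedDEK []byte) ([]byte, error) {
	dek, err := kms.Unwrap(wrappedDEK)
	if err != nil { return nil, err }
	return open(dek, aad, ciphertext)
}
```

Because the AAD is bound into the tag, decrypting with a different AAD, a different KEK, or a modified ciphertext fails authentication rather than returning garbage.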

More examples are available on GitHub.
