Crate kms_aead


KMS/AEAD envelope encryption for GCP/AWS KMS and Ring AEAD encryption

Available providers:

  • Google Cloud Platform KMS
  • Amazon Web Services KMS

Features:

  • Envelope encryption using automatically generated or externally provided data encryption keys (DEKs);
  • A simple, public implementation of Ring-based AEAD encryption that does not use KMS at all;
  • Opt-in use of the KMS secure random generator (GCP and AWS) instead of Ring's, for generating keys and nonces.
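The following is an added example, not code from the kms_aead crate, showing the envelope mechanics behind the feature list above with only the standard library: a fresh DEK per value, the DEK wrapped by a KEK that stays inside the (mocked) KMS, the AAD bound into the authentication tag, and decryption refusing a wrong AAD, a tampered wrapped DEK or a mismatched KEK id. The names KeyEncryptionKey, MockKms, ToyRng, Envelope, toy_seal and toy_open are hypothetical, and the SipHash-based PRF, stream and tag are NOT secure; they stand in for Ring's AES-GCM and a real CSPRNG only so the envelope logic runs offline.

```rust
use std::cell::Cell;
use std::collections::hash_map::DefaultHasher;
use std::convert::TryInto;
use std::hash::Hasher;

/// Toy keyed PRF over std's SipHash (DefaultHasher has fixed zero keys, so the key is
/// absorbed first). NOT secure; example-only stand-in for a real AEAD primitive.
fn prf(key: &[u8], parts: &[&[u8]]) -> [u8; 8] {
    let mut h = DefaultHasher::new();
    h.write(key);
    for p in parts {
        h.write(&(p.len() as u64).to_le_bytes()); // length-prefix each part
        h.write(p);
    }
    h.finish().to_le_bytes()
}

/// Keystream XOR in 8-byte blocks; same function serves encrypt and decrypt.
fn xor_stream(key: &[u8], nonce: &[u8; 12], data: &[u8]) -> Vec<u8> {
    data.chunks(8).enumerate().flat_map(|(i, chunk)| {
        let ctr = (i as u64).to_le_bytes();
        let ks = prf(key, &[b"enc", nonce, &ctr]);
        chunk.iter().zip(ks).map(|(p, k)| *p ^ k).collect::<Vec<u8>>()
    }).collect()
}

/// Toy AEAD seal: ciphertext || 8-byte tag over (nonce, aad, ciphertext).
fn toy_seal(key: &[u8], nonce: &[u8; 12], aad: &[u8], plaintext: &[u8]) -> Vec<u8> {
    let mut out = xor_stream(key, nonce, plaintext);
    let tag = prf(key, &[b"tag", nonce, aad, &out[..]]);
    out.extend_from_slice(&tag);
    out
}

/// Toy AEAD open: verify the tag (which binds the AAD) before releasing any plaintext.
/// A real implementation compares tags in constant time.
fn toy_open(key: &[u8], nonce: &[u8; 12], aad: &[u8], sealed: &[u8]) -> Option<Vec<u8>> {
    if sealed.len() < 8 { return None; }
    let (ct, tag) = sealed.split_at(sealed.len() - 8);
    if tag != &prf(key, &[b"tag", nonce, aad, ct])[..] { return None; }
    Some(xor_stream(key, nonce, ct))
}

/// What a KMS provider contributes: wrap and unwrap the DEK under a KEK that never
/// leaves the service (GCP/AWS Encrypt/Decrypt calls in a real provider).
trait KeyEncryptionKey {
    fn key_id(&self) -> &str;
    fn wrap_dek(&self, dek: &[u8; 32]) -> Vec<u8>;
    fn unwrap_dek(&self, wrapped: &[u8]) -> Option<[u8; 32]>;
}

/// Hypothetical in-memory stand-in for a KMS; real client code never holds the KEK.
struct MockKms { key_id: String, kek: [u8; 32], wraps: Cell<u64> }

impl KeyEncryptionKey for MockKms {
    fn key_id(&self) -> &str { &self.key_id }
    fn wrap_dek(&self, dek: &[u8; 32]) -> Vec<u8> {
        // Fresh nonce per wrap; the key id is bound as AAD (cf. an AWS encryption context).
        let n = self.wraps.replace(self.wraps.get() + 1);
        let mut nonce = [0u8; 12];
        nonce[..8].copy_from_slice(&n.to_le_bytes());
        let mut out = nonce.to_vec();
        out.extend(toy_seal(&self.kek, &nonce, self.key_id.as_bytes(), dek));
        out
    }
    fn unwrap_dek(&self, wrapped: &[u8]) -> Option<[u8; 32]> {
        if wrapped.len() < 12 { return None; }
        let nonce: [u8; 12] = wrapped[..12].try_into().ok()?;
        toy_open(&self.kek, &nonce, self.key_id.as_bytes(), &wrapped[12..])?.try_into().ok()
    }
}

/// One envelope-encrypted value: the wrapped DEK travels with the ciphertext, so
/// decryption needs only access to the KMS (for the KEK) and the same AAD.
#[derive(Debug, Clone)]
struct Envelope { kek_id: String, wrapped_dek: Vec<u8>, nonce: [u8; 12], ciphertext: Vec<u8> }

/// Stand-in for a CSPRNG (Ring's SystemRandom, or KMS random when opted in); it is
/// deterministic so the example is reproducible and must never be used for real keys.
struct ToyRng(u64);
impl ToyRng {
    fn fill(&mut self, buf: &mut [u8]) {
        for chunk in buf.chunks_mut(8) {
            self.0 += 1;
            let block = prf(b"toy-rng", &[&self.0.to_le_bytes()]);
            chunk.copy_from_slice(&block[..chunk.len()]);
        }
    }
}

fn envelope_encrypt(kms: &impl KeyEncryptionKey, rng: &mut ToyRng, aad: &[u8], plaintext: &[u8]) -> Envelope {
    let mut dek = [0u8; 32]; // fresh data key for this value only
    let mut nonce = [0u8; 12];
    rng.fill(&mut dek);
    rng.fill(&mut nonce);
    Envelope {
        kek_id: kms.key_id().to_string(),
        wrapped_dek: kms.wrap_dek(&dek), // the only KMS round trip on encrypt
        nonce,
        ciphertext: toy_seal(&dek, &nonce, aad, plaintext),
    }
}

fn envelope_decrypt(kms: &impl KeyEncryptionKey, aad: &[u8], env: &Envelope) -> Option<Vec<u8>> {
    if env.kek_id != kms.key_id() { return None; } // wrong KEK: refuse before calling KMS
    let dek = kms.unwrap_dek(&env.wrapped_dek)?;     // fails if the wrapped DEK was tampered with
    toy_open(&dek, &env.nonce, aad, &env.ciphertext) // fails on wrong AAD or tampered ciphertext
}

fn main() {
    let kms = MockKms { key_id: "projects/demo/keys/kek-1".into(), kek: [7u8; 32], wraps: Cell::new(0) };
    let mut rng = ToyRng(0);
    let env = envelope_encrypt(&kms, &mut rng, b"test-aad", b"test-secret");
    assert_eq!(envelope_decrypt(&kms, b"test-aad", &env).as_deref(), Some(&b"test-secret"[..]));
    assert!(envelope_decrypt(&kms, b"other-aad", &env).is_none());
    let mut tampered = env.clone();
    tampered.wrapped_dek[12] ^= 1;
    assert!(envelope_decrypt(&kms, b"test-aad", &tampered).is_none());
    println!("envelope: {} ciphertext bytes, {} wrapped-DEK bytes", env.ciphertext.len(), env.wrapped_dek.len());
}
```

The shape is what matters: the KEK is referenced by id and only ever used through the provider, the wrapped DEK and the nonce are stored next to the ciphertext, and the AAD is an input to both directions but is never stored, so a caller that loses or changes it cannot decrypt. Swapping the toy primitives for Ring's AES-GCM and a real KMS client changes nothing in envelope_encrypt and envelope_decrypt.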


For AWS:

use kms_aead::providers::AwsKmsProvider;
use kms_aead::*;
use secret_vault_value::SecretValue;

// An async runtime is required; the crate's examples use tokio.
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
    let aws_account_id = config_env_var("ACCOUNT_ID")?;
    let aws_key_id: String = config_env_var("KMS_KEY_ID")?;

    // The KEK is referenced by account and key id; it never leaves AWS KMS.
    let kms_ref = kms_aead::providers::AwsKmsKeyRef::new(aws_account_id, aws_key_id);

    // Constructor line reconstructed from the crate README: Ring AEAD for the data,
    // AWS KMS for wrapping the data encryption key.
    let encryption: KmsAeadRingEnvelopeEncryption<AwsKmsProvider> =
        kms_aead::KmsAeadRingEnvelopeEncryption::new(AwsKmsProvider::new(&kms_ref).await?).await?;

    let secret_value = SecretValue::from("test-secret");
    let test_aad = "test-aad".to_string();

    // The AAD is authenticated but not encrypted, and must be supplied unchanged on decrypt.
    let cipher_text = encryption.encrypt_value(&test_aad, &secret_value).await?;

    let secret_value = encryption
        .decrypt_value(&test_aad, &cipher_text)
        .await?;

    println!(
        "We have our secret back: {}",
        secret_value.sensitive_value_to_str().unwrap() == "test-secret"
    );

    Ok(())
}

pub fn config_env_var(name: &str) -> Result<String, String> {
    std::env::var(name).map_err(|e| format!("{}: {}", name, e))
}
More examples are available on GitHub.


Traits

  • A trait that defines the encryption and decryption of a value using a data encryption key and additional authenticated data (AAD).
  • A trait that defines the envelope encryption and decryption of a value using a data encryption key (DEK), a key encryption key (KEK) held by a KMS provider, and additional authenticated data (AAD).

Type Aliases