KMS/AEAD envelope encryption for GCP/AWS KMS and Ring AEAD encryption
Available providers:
- Google Cloud Platform KMS
- Amazon Web Services KMS
Features:
- Envelope encryption using automatically generated or caller-provided data encryption keys (DEKs).
- A public, simple implementation of Ring-based AEAD encryption that does not use KMS.
- Opt-in KMS-based secure random generation for GCP and AWS instead of Ring's generator.
Examples:
For AWS:
```rust
use kms_aead::providers::AwsKmsProvider;
use kms_aead::*;
use secret_vault_value::SecretValue;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
    // The AWS account and KMS key id identify the KEK held in KMS.
    let aws_account_id = config_env_var("ACCOUNT_ID")?;
    let aws_key_id: String = config_env_var("KMS_KEY_ID")?;
    let kms_ref = kms_aead::providers::AwsKmsKeyRef::new(aws_account_id, aws_key_id);

    // Ring-based AEAD for the value itself, AWS KMS for the envelope (DEK wrapping).
    let encryption: KmsAeadRingEnvelopeEncryption<AwsKmsProvider> =
        kms_aead::KmsAeadRingEnvelopeEncryption::new(providers::AwsKmsProvider::new(&kms_ref).await?)
            .await?;

    let secret_value = SecretValue::from("test-secret");
    // The same AAD must be supplied for decryption; a different AAD fails authentication.
    let test_aad = "test-aad".to_string();

    let cipher_text = encryption.encrypt_value(&test_aad, &secret_value).await?;
    let secret_value = encryption
        .decrypt_value(&test_aad, &cipher_text)
        .await?;

    println!(
        "We have our secret back: {}",
        secret_value.sensitive_value_to_str().unwrap() == "test-secret"
    );

    Ok(())
}

// Reads a required environment variable, reporting its name on failure.
pub fn config_env_var(name: &str) -> Result<String, String> {
    std::env::var(name).map_err(|e| format!("{}: {}", name, e))
}
```
More examples are available on GitHub.
Re-exports
pub use kms_envelope_encryption::*;

Traits
- A trait that defines the encryption and decryption of a value using a data encryption key and additional authenticated data (AEAD).
- A trait that defines the envelope encryption and decryption of a value using a data encryption key (DEK), a key encryption key (KEK) from KMS providers, and additional authenticated data (AEAD).