
1use crate::*;
2use async_trait::*;
3use secret_vault_value::SecretValue;
4
5/// A trait that defines the encryption and decryption of a value using a data encryption key
6/// and additional authenticated data (AEAD).
#[async_trait]
pub trait AeadEncryption<Aad> {
    /// Encrypts `plain_text` under `encryption_key`, binding `aad` to the result.
    ///
    /// Per AEAD semantics `aad` is authenticated but not encrypted, so it must not
    /// carry anything secret; it is the value the caller will have to present
    /// again to [`AeadEncryption::decrypt_value`].
    ///
    /// # Errors
    /// Returns the implementation's [`KmsAeadResult`] error when encryption fails.
    async fn encrypt_value(
        &self,
        aad: &Aad,
        plain_text: &SecretValue,
        encryption_key: &DataEncryptionKey,
    ) -> KmsAeadResult<CipherText>;

    /// Decrypts `cipher_text` under `encryption_key`, verifying it against `aad`.
    ///
    /// NOTE(review): `aad` has to be the same value that was used to encrypt;
    /// implementations are expected to return an `Err` on a tag or AAD mismatch
    /// rather than any partial plaintext — confirm against each implementation.
    ///
    /// # Errors
    /// Returns the implementation's [`KmsAeadResult`] error when verification or
    /// decryption fails.
    async fn decrypt_value(
        &self,
        aad: &Aad,
        cipher_text: &CipherText,
        encryption_key: &DataEncryptionKey,
    ) -> KmsAeadResult<SecretValue>;
}
23
24/// A trait that defines the envelope encryption and decryption of a value using
25/// a data encryption key (DEK), a key encryption key (KEK) from KMS providers,
26/// and additional authenticated data (AEAD).
#[async_trait]
pub trait KmsAeadEnvelopeEncryption<Aad> {
    /// Encrypts the plain text using a new data encryption key.
    ///
    /// The returned [`CipherTextWithEncryptedKey`] carries the DEK in its
    /// KMS-wrapped form alongside the cipher text, so the caller only needs to
    /// persist that value (plus the same `aad`) to decrypt later.
    ///
    /// # Errors
    /// Returns the implementation's [`KmsAeadResult`] error when key generation,
    /// wrapping, or encryption fails.
    async fn encrypt_value(
        &self,
        aad: &Aad,
        plain_text: &SecretValue,
    ) -> KmsAeadResult<CipherTextWithEncryptedKey>;

    /// Decrypts the cipher text using the cipher text with corresponding encrypted data encryption key.
    ///
    /// NOTE(review): `aad` must be the value used at encryption time; a mismatch is
    /// expected to surface as an `Err`, never as partial plaintext — confirm
    /// against each implementation.
    ///
    /// # Errors
    /// Returns the implementation's [`KmsAeadResult`] error when unwrapping the
    /// DEK or decrypting fails.
    async fn decrypt_value(
        &self,
        aad: &Aad,
        cipher_text: &CipherTextWithEncryptedKey,
    ) -> KmsAeadResult<SecretValue>;

    /// Encrypts the plain text using the provided data encryption key.
    ///
    /// The caller supplies the plaintext `dek` directly, so no KMS round trip is
    /// implied here; the caller is responsible for keeping that DEK paired with
    /// the returned [`CipherText`].
    ///
    /// # Errors
    /// Returns the implementation's [`KmsAeadResult`] error when encryption fails.
    async fn encrypt_value_with_dek(
        &self,
        aad: &Aad,
        plain_text: &SecretValue,
        dek: &DataEncryptionKey,
    ) -> KmsAeadResult<CipherText>;

    /// Encrypts the plain text using the provided encrypted data encryption key.
    ///
    /// Presumably the implementation unwraps `dek` through the KMS provider before
    /// encrypting — verify against the concrete implementation.
    ///
    /// # Errors
    /// Returns the implementation's [`KmsAeadResult`] error when unwrapping or
    /// encryption fails.
    async fn encrypt_value_with_encrypted_dek(
        &self,
        aad: &Aad,
        plain_text: &SecretValue,
        dek: &EncryptedDataEncryptionKey,
    ) -> KmsAeadResult<CipherText>;

    /// Decrypts the cipher text using the provided (plaintext) data encryption key.
    ///
    /// # Errors
    /// Returns the implementation's [`KmsAeadResult`] error when verification or
    /// decryption fails.
    async fn decrypt_value_with_dek(
        &self,
        aad: &Aad,
        cipher_text: &CipherText,
        data_encryption_key: &DataEncryptionKey,
    ) -> KmsAeadResult<SecretValue>;

    /// Decrypts the cipher text using the provided encrypted data encryption key.
    ///
    /// Presumably the implementation unwraps `encrypted_data_encryption_key`
    /// through the KMS provider before decrypting — verify against the concrete
    /// implementation.
    ///
    /// # Errors
    /// Returns the implementation's [`KmsAeadResult`] error when unwrapping,
    /// verification, or decryption fails.
    async fn decrypt_value_with_encrypted_dek(
        &self,
        aad: &Aad,
        cipher_text: &CipherText,
        encrypted_data_encryption_key: &EncryptedDataEncryptionKey,
    ) -> KmsAeadResult<SecretValue>;

    /// Generates a new data encryption key and encrypts it using the KMS provider.
    ///
    /// Returns the DEK both in plaintext and in its KMS-wrapped form. The plaintext
    /// half can decrypt anything encrypted under it, so callers should hold it only
    /// for as long as needed and persist only the wrapped half.
    ///
    /// # Errors
    /// Returns the implementation's [`KmsAeadResult`] error when key generation or
    /// wrapping fails.
    async fn generate_new_dek(
        &self,
    ) -> KmsAeadResult<(DataEncryptionKey, EncryptedDataEncryptionKey)>;
}
77        &self,
78    ) -> KmsAeadResult<(DataEncryptionKey, EncryptedDataEncryptionKey)>;
79}