pub trait KeyStoreProvider: Send + Sync {
// Required methods
/// Returns the provider name as used in SQL Server metadata,
/// for example "AZURE_KEY_VAULT" or "MSSQL_CERTIFICATE_STORE".
fn provider_name(&self) -> &str;
/// Decrypts a Column Encryption Key (CEK) using the Column Master Key (CMK)
/// at `cmk_path`; `algorithm` names the asymmetric algorithm (e.g. "RSA_OAEP").
///
/// The future resolves to the decrypted CEK bytes, or to an `EncryptionError`
/// if the key cannot be found or decryption fails.
///
/// NOTE(review): the result is plaintext key material in a plain `Vec<u8>`,
/// which is not cleared when dropped; callers need to wipe it themselves to
/// meet the zeroization requirement stated for this trait.
fn decrypt_cek<'life0, 'life1, 'life2, 'life3, 'async_trait>(
&'life0 self,
cmk_path: &'life1 str,
algorithm: &'life2 str,
encrypted_cek: &'life3 [u8],
) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, EncryptionError>> + Send + 'async_trait>>
where Self: 'async_trait,
'life0: 'async_trait,
'life1: 'async_trait,
'life2: 'async_trait,
'life3: 'async_trait;
// Provided methods
/// Signs data using the Column Master Key (optional).
///
/// Used for key attestation in Secure Enclaves. The default implementation
/// returns an error indicating that signing is not supported.
fn sign_data<'life0, 'life1, 'life2, 'async_trait>(
&'life0 self,
_cmk_path: &'life1 str,
_data: &'life2 [u8],
) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, EncryptionError>> + Send + 'async_trait>>
where Self: 'async_trait,
'life0: 'async_trait,
'life1: 'async_trait,
'life2: 'async_trait { ... }
/// Verifies a signature (optional).
///
/// Used for key attestation in Secure Enclaves. The default implementation
/// returns an error indicating that verification is not supported.
///
/// NOTE(review): the success value is a `bool`, so callers should accept the
/// signature only on `Ok(true)` and treat `Ok(false)` and `Err(_)` alike as
/// a failed verification.
fn verify_signature<'life0, 'life1, 'life2, 'life3, 'async_trait>(
&'life0 self,
_cmk_path: &'life1 str,
_data: &'life2 [u8],
_signature: &'life3 [u8],
) -> Pin<Box<dyn Future<Output = Result<bool, EncryptionError>> + Send + 'async_trait>>
where Self: 'async_trait,
'life0: 'async_trait,
'life1: 'async_trait,
'life2: 'async_trait,
'life3: 'async_trait { ... }
}
Trait for Column Master Key (CMK) providers.
Implementations of this trait provide access to CMKs stored in various key stores (Azure Key Vault, Windows Certificate Store, HSMs, etc.).
§Security
Implementations must ensure:
- Keys are never logged or exposed in error messages
- Keys are zeroized from memory when no longer needed
- Access is authenticated and authorized appropriately
§Example
use mssql_auth::encryption::{KeyStoreProvider, EncryptionError};
// Example provider type used to illustrate an implementation of KeyStoreProvider.
struct AzureKeyVaultProvider {
// NOTE(review): presumably the URL of the vault that holds the CMK — confirm
vault_url: String,
// Azure credential object; presumably used to authenticate requests to the vault.
// Keep it out of log and debug output.
credential: azure_identity::DefaultAzureCredential,
}
#[async_trait::async_trait]
impl KeyStoreProvider for AzureKeyVaultProvider {
// Reports the name that SQL Server metadata uses for Azure Key Vault.
fn provider_name(&self) -> &str {
    const NAME: &str = "AZURE_KEY_VAULT";
    NAME
}
// Unwraps `encrypted_cek` with the CMK identified by `cmk_path`.
// NOTE(review): `cmk_path` and `algorithm` presumably originate from SQL Server
// column metadata; a real implementation should check the path against the
// vaults this client trusts before sending a request — confirm.
async fn decrypt_cek(
&self,
cmk_path: &str,
algorithm: &str,
encrypted_cek: &[u8],
) -> Result<Vec<u8>, EncryptionError> {
// Use Azure Key Vault to unwrap the CEK
// ...
// The trait's security requirements apply here: no key bytes in the returned
// EncryptionError or in logs, and the plaintext CEK wiped once it is no longer needed.
}
}
Required Methods§
fn provider_name(&self) -> &str
Returns the provider name as used in SQL Server metadata.
Common values:
- "AZURE_KEY_VAULT" - Azure Key Vault
- "MSSQL_CERTIFICATE_STORE" - Windows Certificate Store
- "MSSQL_CNG_STORE" - Windows CNG Store
- "MSSQL_CSP_PROVIDER" - Windows CSP Provider
fn decrypt_cek<'life0, 'life1, 'life2, 'life3, 'async_trait>(
&'life0 self,
cmk_path: &'life1 str,
algorithm: &'life2 str,
encrypted_cek: &'life3 [u8],
) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, EncryptionError>> + Send + 'async_trait>>where
Self: 'async_trait,
'life0: 'async_trait,
'life1: 'async_trait,
'life2: 'async_trait,
'life3: 'async_trait,
Decrypt a Column Encryption Key (CEK) using the Column Master Key (CMK).
§Arguments
- cmk_path - Path to the CMK in the key store
- algorithm - The asymmetric algorithm (e.g., “RSA_OAEP”)
- encrypted_cek - The encrypted CEK bytes
§Returns
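The decrypted CEK bytes, which can then be used for data encryption/decryption. The returned `Vec<u8>` is plaintext key material and is not cleared when it is dropped, so the caller should wipe it (or move it into a zeroizing container) as soon as the CEK is no longer needed.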
§Errors
Returns an error if the key cannot be found or decryption fails.
Provided Methods§
fn sign_data<'life0, 'life1, 'life2, 'async_trait>(
&'life0 self,
_cmk_path: &'life1 str,
_data: &'life2 [u8],
) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, EncryptionError>> + Send + 'async_trait>>where
Self: 'async_trait,
'life0: 'async_trait,
'life1: 'async_trait,
'life2: 'async_trait,
Sign data using the Column Master Key (optional).
This is used for key attestation in Secure Enclaves. Default implementation returns an error indicating it’s not supported.
fn verify_signature<'life0, 'life1, 'life2, 'life3, 'async_trait>(
&'life0 self,
_cmk_path: &'life1 str,
_data: &'life2 [u8],
_signature: &'life3 [u8],
) -> Pin<Box<dyn Future<Output = Result<bool, EncryptionError>> + Send + 'async_trait>>where
Self: 'async_trait,
'life0: 'async_trait,
'life1: 'async_trait,
'life2: 'async_trait,
'life3: 'async_trait,
Verify a signature (optional).
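This is used for key attestation in Secure Enclaves. Default implementation returns an error indicating it’s not supported. Callers should accept a signature only on `Ok(true)`; both `Ok(false)` and an error, including the default “not supported” error, mean that verification did not succeed.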