KeyManager

nervemq::kms

Trait KeyManager 

Source 
pub trait KeyManager:
    Send
    + Sync
    + 'static {
    // Required methods
    fn encrypt(
        &self,
        key_id: &String,
        data: Vec<u8>,
    ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>>>>>;
    fn decrypt(
        &self,
        key_id: &String,
        data: Vec<u8>,
    ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>>>>>;
    fn create_key(&self) -> Pin<Box<dyn Future<Output = Result<String>>>>;
    fn delete_key(
        &self,
        key_id: &String,
    ) -> Pin<Box<dyn Future<Output = Result<()>>>>;

    // Provided methods
    fn begin_rotation<'a>(
        &'a self,
        key_id: &String,
    ) -> Pin<Box<dyn Future<Output = Result<Rotation>> + 'a>> { ... }
    fn complete_rotation<'a>(
        &'a self,
        handle: Rotation,
    ) -> Pin<Box<dyn Future<Output = Result<()>> + 'a>> { ... }
}
Expand description

Core trait for key management operations.

This trait defines the interface for a key management service, providing methods for:

  • Encrypting and decrypting data
  • Creating and deleting encryption keys
  • Rotating keys safely

Implementations of this trait should handle the underlying cryptographic operations and key management details for specific KMS providers.

Required Methods§

Source

fn encrypt( &self, key_id: &String, data: Vec<u8>, ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>>>>>

Encrypts the provided data using a key managed by this service.

§Arguments
  • data - The data to encrypt, provided as any type implementing bytes::Buf
§Returns

An [Encrypted] instance containing the encrypted data and the ID of the key used

Source

fn decrypt( &self, key_id: &String, data: Vec<u8>, ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>>>>>

Decrypts the provided data using the specified key.

§Arguments
  • key_id - The ID of the key to use for decryption
  • data - The encrypted data to decrypt
§Returns

The decrypted data as [Bytes]

Source

fn create_key(&self) -> Pin<Box<dyn Future<Output = Result<String>>>>

Creates a new encryption key.

§Returns

The ID of the newly created key

Source

fn delete_key( &self, key_id: &String, ) -> Pin<Box<dyn Future<Output = Result<()>>>>

Deletes an existing encryption key.

§Warning

Deleting a key will make it impossible to decrypt any data that was encrypted with it.

Provided Methods§

Source

fn begin_rotation<'a>( &'a self, key_id: &String, ) -> Pin<Box<dyn Future<Output = Result<Rotation>> + 'a>>

Begin a key rotation operation.

This will generate a new key and return a handle to the rotation operation. The handle should be stored securely and used to complete the rotation operation. The new key will not be used until the rotation is completed.

During the rotation operation, you should decrypt data using the old key and re-encrypt it using the new key. Then, call KeyManager::complete_rotation with the handle to complete the rotation and activate the new key.

§Important

It is recommended to perform the rotation operations in a database transaction to avoid attempting to decrypt data requiring the new key before it is activated.

Source

fn complete_rotation<'a>( &'a self, handle: Rotation, ) -> Pin<Box<dyn Future<Output = Result<()>> + 'a>>

Complete a key rotation operation.

This method finalizes a key rotation operation that was started with KeyManager::begin_rotation. It validates the rotation handle and secret, then activates the new key for use.

§Important

Before calling this method, ensure that:

  1. All necessary data has been re-encrypted with the new key
  2. The rotation handle and secret have been kept secure
  3. You are ready to permanently switch to using the new key

After successful completion:

  • The old key will be deactivated
  • All future encryption operations will use the new key
  • The rotation handle will no longer be valid

Implementors§