Skip to main content

Crate reliakit_secret

Crate reliakit_secret 

Source
Expand description

Secret-safe wrappers for values that should not leak through formatting or diagnostics.

reliakit-secret provides Secret<T>, a small wrapper that redacts its value in Debug and Display output. Access to the wrapped value is explicit through ExposeSecret.

The crate does not claim memory zeroization, process isolation, or protection against memory inspection. Its purpose is to prevent accidental leaks through logs, error messages, debug output, and diagnostic reports.

§Examples

use reliakit_secret::{ExposeSecret, Secret};

let token = Secret::new("ghp_example_token");

assert_eq!(format!("{token:?}"), "Secret([REDACTED])");
assert_eq!(format!("{token}"), "[REDACTED]");
assert_eq!(token.expose_secret(), &"ghp_example_token");

String-backed secrets are available when alloc is available:

use reliakit_secret::{ExposeSecret, SecretString};

let password = SecretString::from_string("correct horse battery staple");
assert_eq!(password.expose_secret(), "correct horse battery staple");

§Redacting a field inside a larger struct

The common case is a secret that lives in a config or request struct. Because Secret<T> redacts itself, deriving Debug on the parent stays safe — the secret field renders as [REDACTED] while every other field prints normally, so the whole struct can be logged without leaking:

use reliakit_secret::SecretString;

#[derive(Debug)]
struct DbConfig {
    host: String,
    port: u16,
    password: SecretString,
}

let cfg = DbConfig {
    host: "db.internal".into(),
    port: 5432,
    password: SecretString::from_string("hunter2"),
};

let rendered = format!("{cfg:?}");
assert!(rendered.contains("db.internal"));
assert!(rendered.contains("[REDACTED]"));
assert!(!rendered.contains("hunter2")); // the secret never appears

§Comparing secrets

Checking a presented value against a stored secret with == on the exposed bytes can leak information through timing. Use Secret::ct_eq, which compares in time that does not depend on how many leading bytes match:

use reliakit_secret::SecretString;

let stored = SecretString::from_string("s3cr3t-token");
assert!(stored.ct_eq("s3cr3t-token"));
assert!(!stored.ct_eq("s3cr3t-wrong"));

§Feature flags

  • std is enabled by default.
  • alloc enables SecretString without std.

§no_std

The crate supports no_std. Use default-features = false for non-alloc generic secrets, or add features = ["alloc"] for SecretString.

Structs§

Secret
A value that redacts itself in formatting and diagnostics.

Traits§

ExposeSecret
Explicit access to a wrapped secret value.
ExposeSecretMut
Mutable access to a wrapped secret value.

Type Aliases§

SecretString
String-backed secret value.