aws_kms_encryption.rs1use crate::errors::*;
2use crate::*;
3use async_trait::async_trait;
4use kms_aead::KmsAeadEnvelopeEncryption;
5
6use secret_vault_value::SecretValue;
7
/// Alias for the `kms_aead` AWS KMS key reference type; this is what
/// `AwsKmsEnvelopeEncryption::new` takes to select the KMS key.
pub type AwsKmsKeyRef = kms_aead::providers::AwsKmsKeyRef;
9
/// `SecretVaultEncryption` backend that envelope-encrypts secret values with
/// AWS KMS as the key-wrapping provider and `ring` as the local AEAD
/// implementation (both supplied by `kms_aead`).
pub struct AwsKmsEnvelopeEncryption {
    // The kms_aead envelope layer wrapping the AWS KMS provider; all
    // encrypt/decrypt calls in the trait impl are delegated to it.
    envelope_aead_encryption:
        kms_aead::KmsAeadRingEnvelopeEncryption<kms_aead::providers::AwsKmsProvider>,
}
14
impl AwsKmsEnvelopeEncryption {
    /// Builds an envelope-encryption backend rooted in the AWS KMS key `kms_key_ref`.
    ///
    /// Creates the `AwsKmsProvider` for that key and wraps it in a
    /// `KmsAeadRingEnvelopeEncryption` configured with AES-256-GCM as the
    /// envelope AEAD algorithm.
    ///
    /// # Errors
    /// Returns a `SecretVaultError` when the KMS provider or the envelope
    /// encryption layer cannot be initialised.
    pub async fn new(kms_key_ref: &AwsKmsKeyRef) -> SecretVaultResult<Self> {
        // Both constructors fail with a kms_aead error; `?` applies the same
        // `From<_> for SecretVaultError` conversion the trait impl relies on.
        let kms_provider = kms_aead::providers::AwsKmsProvider::new(kms_key_ref).await?;

        let envelope_aead_encryption = kms_aead::KmsAeadRingEnvelopeEncryption::with_algorithm(
            kms_provider,
            &ring::aead::AES_256_GCM,
        )
        .await?;

        Ok(Self { envelope_aead_encryption })
    }
}
32
#[async_trait]
impl SecretVaultEncryption for AwsKmsEnvelopeEncryption {
    /// Envelope-encrypts `secret_value` under the KMS key this backend was built with.
    ///
    /// The AEAD additional data is derived from `secret_vault_key` via `to_aad()`,
    /// so the ciphertext is tied to that vault key: decryption must present the
    /// same key, otherwise the AEAD tag check fails.
    ///
    /// # Errors
    /// Any `kms_aead` failure (KMS call or local AEAD) is returned as a
    /// `SecretVaultError`.
    async fn encrypt_value(
        &self,
        secret_vault_key: &SecretVaultKey,
        secret_value: &SecretValue,
    ) -> SecretVaultResult<EncryptedSecretValue> {
        let aad = secret_vault_key.to_aad();
        self.envelope_aead_encryption
            .encrypt_value(aad, secret_value)
            .await
            .map(|ciphertext| ciphertext.into())
            .map_err(SecretVaultError::from)
    }

    /// Decrypts `encrypted_secret_value`, using `secret_vault_key` to rebuild the
    /// AEAD additional data that was bound to the ciphertext at encryption time.
    ///
    /// # Errors
    /// Returns a `SecretVaultError` if KMS unwrapping fails or the ciphertext
    /// does not authenticate against the supplied key's AAD.
    async fn decrypt_value(
        &self,
        secret_vault_key: &SecretVaultKey,
        encrypted_secret_value: &EncryptedSecretValue,
    ) -> SecretVaultResult<SecretValue> {
        let aad = secret_vault_key.to_aad();
        // The kms_aead API takes its own ciphertext type; the conversion needs an
        // owned value, hence the clone (ciphertext only, no plaintext is copied).
        let ciphertext = encrypted_secret_value.clone().into();
        self.envelope_aead_encryption
            .decrypt_value(aad, &ciphertext)
            .await
            .map_err(SecretVaultError::from)
    }
}