secure_data — Data protection, secrets management and FIPS readiness (OWASP C8).

This crate provides:

- Typed secret wrappers that suppress `Debug`, `Display`, and default `Serialize` output.
- Pluggable key-provider abstraction with a `StaticDevKeyProvider` for tests.
- Envelope encryption/decryption via AES-256-GCM (FIPS-ready `aws-lc-rs` behind the `fips` feature).
- Key ring lifecycle management with rotation and dual-read support.
- Secret reference parsing (`vault://`, `kms://`, `env://`).
- Zeroization and `ReadOnce` memory helpers.
Modules

- algorithm — Crypto algorithm selection and policy: `CryptoAlgorithm`, `AlgorithmPolicy`.
- config — Secret reference parsing: `vault://`, `kms://`, `env://`.
- envelope — Envelope encryption and decryption: `encrypt_for_storage`, `decrypt_for_use`.
- error — Error types for `secure_data` operations.
- keyring — Key ring: logical key registry with aliases, versions, and lifecycle management.
- kms — Key provider abstraction and `StaticDevKeyProvider`.
- memory — Zeroization and `ReadOnce` memory safety helpers.
- pq — Post-quantum primitives: size constants and combiner identifiers (M1). The hybrid X25519 + ML-KEM-768 KEM implementation lands behind the `pq` feature flag in M2; M1 reserves the public surface so downstream consumers can pin against an envelope shape that will not break when M2 ships. See docs/slo/design/pq-migration-plan.md.
- providers — Real key provider implementations (Vault, AWS KMS) behind feature flags.
- resolve — Secret reference resolution: `resolve_secret()`.
- rotation — Key rotation and re-encryption helpers.
- secret — Typed secret wrappers: `SecretString`, `SecretBytes`, `ApiToken`, `DbPassword`, `SigningKeyRef`.
- serde — Safe serialization helpers for secret-bearing structs.