[]Module themis::secure_cell

Secure Cell for data storage.

Secure Сell is a high-level cryptographic service aimed at protecting arbitrary data stored in various types of storage (e.g., databases, filesystem files, document archives, cloud storage, etc.) It provides both strong symmetric encryption and data authentication mechanism.

The general approach is that given:

  • input: some source data to protect
  • master key: a password
  • context: and an optional “context information”

Secure Cell will produce:

  • cell: the encrypted data
  • authentication tag: some authentication data

The purpose of the optional “context information” (e.g., a database row number or file name) is to establish a secure association between this context and the protected data. In short, even when the password is known, if the context is incorrect then decryption will fail.

The purpose of the authentication data is to validate that given a correct password (and context), the decrypted data is indeed the same as the original source data.

The authentication data must be stored somewhere. The most convenient way is to simply append it to the encrypted data, but this is not always possible due to the storage architecture of your application. Secure Cell offers variants that address this issue in different ways.

By default, Secure Cell uses AES-256 for encryption. Authentication data is 16 bytes long.

Secure Cell supports 3 operation modes:

  • Sealing mode: the mode that is the most secure and easy to use. Your best choice most of the time.

  • Token protect mode: the mode just as secure, but a bit harder to use. This is your choice if you need to keep authentication data separately.

  • Context imprint mode: length-preserving version of Secure Cell with no additional data stored. Should be used carefully.

The operation mode is selected via an appropriate method of a basic SecureCell object. Here you can learn more about the underlying considerations, limitations, and features of each mode.


Here is how you use Secure Cell to seal away your data:

use themis::secure_cell::SecureCell;

let cell = SecureCell::with_key(b"seekryt")?.seal();

let encrypted = cell.encrypt(b"source data")?;
let decrypted = cell.decrypt(&encrypted)?;
assert_eq!(decrypted, b"source data");

You can find more examples for each operation mode in their respective documentation.



Basic Secure Cell.


Secure Cell in context imprint operation mode.


Secure Cell in sealing operation mode.


Secure Cell in token protect operation mode.