pub fn encrypt(
key: &[u8; 32],
plaintext: &[u8],
aad: &[u8],
) -> Result<Vec<u8>, CryptoError>Expand description
Encrypts plaintext using AES-256-GCM with Additional Authenticated Data (AAD).
The AAD is authenticated but not encrypted - it binds the ciphertext to a specific context (e.g., object type) without being included in the output.
Returns: nonce (12 bytes) || ciphertext || tag (16 bytes)
§Security
Uses a random 12-byte nonce. Total ciphertext overhead is 28 bytes
(12 nonce + 16 tag). Always use the appropriate AAD_* constant
for the object type being encrypted.