Crate wecanencrypt

§WeCanEncrypt

A simple Rust OpenPGP library for encryption, signing, and key management using rpgp.

This library provides a functional API for common OpenPGP operations, including:

  • Key Generation: Create RSA, Curve25519, or NIST curve keys
  • Encryption/Decryption: Encrypt to one or multiple recipients
  • Signing/Verification: Create and verify signatures
  • Certificate Management: Parse, modify, and export certificates
  • Key Storage: SQLite-backed keystore (optional feature)

§Migrating to 0.6.0

§Breaking changes

  • GeneratedKey.secret_key is now Zeroizing<Vec<u8>> (was Vec<u8>). Secret key bytes are securely erased from memory on drop. Zeroizing implements Deref<Target = Vec<u8>>, so most code works unchanged. If you need a Vec<u8>, call .to_vec().

  • CertificateInfo.user_ids is now Vec<UserIDInfo> (was Vec<String>). Each UID now includes value (the string), revoked (bool), and certifications (third-party signatures). Access the UID string via .value (e.g., info.user_ids[0].value).

  • decrypt_with_key() now takes an allow_legacy: bool parameter. Pass false to reject integrity-unprotected SED packets (recommended). Pass true only for historical pre-2007 data.

  • decrypt_bytes() no longer decrypts legacy SED packets by default. Use decrypt_bytes_legacy() for messages without integrity protection.

  • Verification now rejects revoked keys. Signatures from revoked keys or subkeys return false. Expired keys can still verify old signatures (by design, per OpenPGP semantics).
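The integrity rule behind the new allow_legacy parameter can be seen directly in a message's packet structure: an unprotected message carries a SED packet (tag 9), a protected one a SEIPD packet (tag 18). The following is example code written for this page, not code from wecanencrypt or rpgp; it walks the packet headers of a binary OpenPGP message and applies the 0.6.0 rule before any decryption, using constructed sample messages with filler bodies.

```rust
/// Packet tags from RFC 4880 section 4.3: SED (no integrity protection) and SEIPD (MDC/AEAD).
pub const TAG_SED: u8 = 9;
pub const TAG_SEIPD: u8 = 18;

/// Constructed samples (filler bodies, not real ciphertext): PKESK + SEIPD (new-format
/// headers) and PKESK + SED (old-format headers).
pub const MODERN_SAMPLE: [u8; 11] = [0xC1, 3, 3, 0xAA, 0xBB, 0xD2, 4, 1, 0x11, 0x22, 0x33];
pub const LEGACY_SAMPLE: [u8; 9] = [0x84, 2, 3, 0xAA, 0xA4, 3, 1, 2, 3];

/// Read an n-byte big-endian length field at `buf[at..]`.
fn be_len(buf: &[u8], at: usize, n: usize) -> Result<usize, String> {
    let field = buf.get(at..at + n).ok_or("truncated length field")?;
    Ok(field.iter().fold(0, |acc, &b| (acc << 8) | b as usize))
}

/// Walk the packet headers of a binary (unarmored) OpenPGP message and return the tag
/// sequence. A packet with partial body lengths ends the walk: in practice only the final
/// data packet is encoded that way, and its tag is all the policy check needs.
pub fn packet_tags(msg: &[u8]) -> Result<Vec<u8>, String> {
    let (mut tags, mut pos) = (Vec::new(), 0usize);
    while pos < msg.len() {
        let ptag = msg[pos];
        if ptag & 0x80 == 0 { return Err(format!("byte {pos}: not a packet header")); }
        let (tag, hdr, body) = if ptag & 0x40 == 0 {
            // Old format: tag in bits 5..2, length type in bits 1..0 (3 = runs to end of input).
            let n = match ptag & 0x03 { 0 => 1, 1 => 2, 2 => 4, _ => 0 };
            let len = if n == 0 { msg.len() - pos - 1 } else { be_len(msg, pos + 1, n)? };
            ((ptag >> 2) & 0x0f, 1 + n, len)
        } else {
            // New format: tag in bits 5..0, length encoding per RFC 4880 section 4.2.2.
            let first = *msg.get(pos + 1).ok_or("truncated length field")? as usize;
            match first {
                0..=191 => (ptag & 0x3f, 2, first),
                192..=223 => (ptag & 0x3f, 3, ((first - 192) << 8) + be_len(msg, pos + 2, 1)? + 192),
                255 => (ptag & 0x3f, 6, be_len(msg, pos + 2, 4)?),
                _ => { tags.push(ptag & 0x3f); return Ok(tags); } // partial body length
            }
        };
        let end = pos + hdr + body;
        if end > msg.len() { return Err(format!("packet tag {tag} at byte {pos} is truncated")); }
        tags.push(tag);
        pos = end;
    }
    Ok(tags)
}

/// The 0.6.0 rule: refuse a SED packet unless the caller explicitly allows legacy data.
pub fn check_integrity_policy(msg: &[u8], allow_legacy: bool) -> Result<(), String> {
    let tags = packet_tags(msg)?;
    if tags.contains(&TAG_SED) && !allow_legacy { return Err("SED packet has no integrity protection; pass allow_legacy=true to accept".into()); }
    if tags.contains(&TAG_SED) || tags.contains(&TAG_SEIPD) { Ok(()) } else { Err("no encrypted data packet".into()) }
}
```

The same tag walk is what lets a caller decide between decrypt_bytes() and decrypt_bytes_legacy() before handing a message to the library.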

§Quick Start

```rust
use wecanencrypt::*;

// Generate a new Curve25519 key (fast)
let key = create_key_simple("password", &["Alice <alice@example.com>"]).unwrap();

// Encrypt a message
let ciphertext = encrypt_bytes(key.public_key.as_bytes(), b"Hello!", true).unwrap();

// Decrypt it
let plaintext = decrypt_bytes(&key.secret_key, &ciphertext, "password").unwrap();
assert_eq!(plaintext, b"Hello!");
```

§Cipher Suites

The library supports multiple cipher suites:

| Suite | Primary Key | Encryption Subkey | Speed |
|---|---|---|---|
| Cv25519 (default) | EdDSA Legacy | ECDH Curve25519 | Fast |
| Cv25519Modern | Ed25519 (RFC 9580) | X25519 | Fast |
| NistP256 | ECDSA P-256 | ECDH P-256 | Fast |
| NistP384 | ECDSA P-384 | ECDH P-384 | Fast |
| NistP521 | ECDSA P-521 | ECDH P-521 | Fast |
| Rsa2k | RSA 2048-bit | RSA 2048-bit | Slow |
| Rsa4k | RSA 4096-bit | RSA 4096-bit | Very Slow |

§Features

  • keystore: Enable SQLite-backed key storage (requires rusqlite)
  • network: Enable network operations for fetching keys from keyservers

§Design

This library uses a functional API: every operation is a standalone function that takes certificate data as &[u8]. This keeps the API flexible and avoids the overhead of wrapper types.

Re-exports§

pub use keystore::decrypt_bytes_from_store;
pub use keystore::decrypt_file_from_store;
pub use keystore::encrypt_bytes_from_store;
pub use keystore::encrypt_bytes_to_multiple_from_store;
pub use keystore::encrypt_file_from_store;
pub use keystore::encrypt_file_to_multiple_from_store;
pub use keystore::sign_bytes_detached_from_store;
pub use keystore::sign_bytes_from_store;
pub use keystore::sign_file_detached_from_store;
pub use keystore::sign_file_from_store;
pub use keystore::verify_bytes_detached_from_store;
pub use keystore::verify_bytes_from_store;
pub use keystore::verify_file_detached_from_store;
pub use keystore::verify_file_from_store;
pub use keystore::KeyStore;
pub use pgp;

Modules§

card
Smart card support for OpenPGP operations.
keystore
SQLite-backed key storage.

Structs§

AvailableSubkey
Information about an available (valid, non-expired, non-revoked) subkey.
CertificateInfo
Parsed certificate information.
GeneratedKey
Result of key generation.
KeyCipherDetails
Detailed cipher information for a key component.
RsaPublicKey
RSA public key components for external verification.
SubkeyFlags
Flags indicating which subkeys to generate or operate on.
SubkeyInfo
Information about a subkey.
UIDCertification
Information about a certification on a User ID.
UserIDInfo
Information about a User ID on a certificate.

Enums§

CertificationType
Certification types for key signing.
CipherSuite
Cipher suite options for key generation.
Error
The main error type for wecanencrypt operations.
KeyType
The type/purpose of a key.
SigningPublicKey
Public key for signing verification (algorithm-specific).
SshHashAlgorithm
Hash algorithm for SSH signing operations.
SshSignResult
The algorithm and raw signature bytes from an SSH signing operation.

Functions§

add_uid
Add a new User ID to a certificate.
bytes_encrypted_for
Get the key IDs that a message was encrypted for.
certify_key
Certify another key with this key (key signing).
create_key
Generate a new OpenPGP key pair.
create_key_simple
Generate a key with default settings (Cv25519, all subkeys).
decrypt_bytes
Decrypt bytes using a secret key.
decrypt_bytes_legacy
Decrypt bytes, allowing legacy SED (no integrity protection) messages.
decrypt_file
Decrypt a file using a secret key.
decrypt_reader_to_file
Decrypt data from a reader to a file.
encrypt_bytes
Encrypt bytes to a single recipient.
encrypt_bytes_to_multiple
Encrypt bytes to multiple recipients.
encrypt_file
Encrypt a file to a single recipient.
encrypt_file_to_multiple
Encrypt a file to multiple recipients.
encrypt_reader_to_file
Encrypt data from a reader to a file.
export_keyring_armored
Export multiple certificates to an armored keyring.
export_keyring_file
Export multiple certificates to a keyring file.
fetch_key_by_email
Fetch a key from Web Key Directory (WKD) by email address.
fetch_key_by_email_from_dane
Fetch an OpenPGP key via DNS DANE OPENPGPKEY record (RFC 7929).
fetch_key_by_email_from_keyserver
Fetch a key from a VKS keyserver by email address.
fetch_key_by_fingerprint
Fetch a key from an HKP keyserver by fingerprint.
fetch_key_by_keyid
Fetch a key from an HKP keyserver by key ID.
file_encrypted_for
Get the key IDs that a file was encrypted for.
get_all_available_subkeys
Get all available subkeys (valid, not expired, not revoked).
get_available_authentication_subkeys
Get available authentication subkeys (valid, not expired, not revoked).
get_available_encryption_subkeys
Get available encryption subkeys (valid, not expired, not revoked).
get_available_signing_subkeys
Get available signing subkeys (valid, not expired, not revoked).
get_key_cipher_details
Get cipher details for all keys in a certificate.
get_pub_key
Export the public key as ASCII armor.
get_signing_pubkey
Get signing public key components for external verification.
get_ssh_pubkey
Convert a certificate’s authentication key to SSH public key format.
has_available_encryption_subkey
Check if a certificate has any available encryption subkeys.
has_available_signing_subkey
Check if a certificate has any available signing subkeys.
merge_keys
Merge two certificates (e.g., adding new signatures).
parse_cert_bytes
Parse a certificate from bytes and extract its information.
parse_cert_file
Parse a certificate from a file and extract its information.
parse_keyring_bytes
Parse keyring data containing multiple certificates.
parse_keyring_file
Parse a keyring file containing multiple certificates.
revoke_key
Revoke the entire key.
revoke_uid
Revoke a User ID on a certificate.
sign_bytes
Sign bytes with a binary signature (wrapping the message).
sign_bytes_cleartext
Sign bytes with a cleartext signature.
sign_bytes_detached
Create a detached signature for bytes.
sign_file
Sign a file to an output file (binary signature).
sign_file_cleartext
Sign a file with cleartext signature.
sign_file_detached
Create a detached signature for a file.
ssh_sign_raw
Perform a raw SSH signature using a software authentication subkey.
update_password
Change the password on a secret key.
update_primary_expiry
Update the primary key expiration time.
update_subkeys_expiry
Update the expiration time for specific subkeys.
verify_and_extract_bytes
Verify and extract the original message from signed bytes.
verify_and_extract_file
Verify and extract a signed file to an output path.
verify_bytes
Verify a signed message (inline or cleartext signature).
verify_bytes_detached
Verify a detached signature on bytes.
verify_file
Verify a signed file.
verify_file_detached
Verify a detached signature on a file.

Type Aliases§

Result
A specialized Result type for wecanencrypt operations.