pub trait EncryptionProvider: Send + Sync {
// Required methods
/// Encrypts the data read from `input` and writes the encrypted stream to `output`.
///
/// On success the future resolves to the serialisable encryption header. The trait
/// documentation states that this header is stored separately from the encrypted
/// data and later passed back to `decrypt_stream`, and that implementations must
/// flush `output` before returning.
///
/// The extra lifetime parameters and the boxed `Future` return type appear to be
/// the expanded form of an `async fn` declared through `#[async_trait]`.
///
/// NOTE(review): because the header is kept apart from the ciphertext, whether it
/// is integrity-protected or bound to that ciphertext depends on the backend and
/// is not visible in this signature; confirm for each implementation.
fn encrypt_stream<'life0, 'life1, 'life2, 'async_trait>(
    &'life0 self,
    input: &'life1 mut (dyn AsyncRead + Unpin + Send),
    output: &'life2 mut (dyn AsyncWrite + Unpin + Send),
) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, EncryptionError>> + Send + 'async_trait>>
where 'life0: 'async_trait,
    'life1: 'async_trait,
    'life2: 'async_trait,
    Self: 'async_trait;
/// Decrypts the data read from `input` using the previously stored `header_bytes`
/// and writes the plaintext to `output`.
///
/// `header_bytes` is the header that an earlier `encrypt_stream` call returned.
/// Failures are reported as `EncryptionError`.
///
/// NOTE(review): `header_bytes` is read back from storage, so a backend should
/// presumably treat it as untrusted input and return an error for a malformed or
/// modified header instead of panicking; confirm per implementation.
/// NOTE(review): the signature does not say whether plaintext can reach `output`
/// before the stream has been fully verified; callers should presumably discard
/// whatever was written when this resolves to `Err`. TODO confirm.
fn decrypt_stream<'life0, 'life1, 'life2, 'life3, 'async_trait>(
    &'life0 self,
    input: &'life1 mut (dyn AsyncRead + Unpin + Send),
    output: &'life2 mut (dyn AsyncWrite + Unpin + Send),
    header_bytes: &'life3 [u8],
) -> Pin<Box<dyn Future<Output = Result<(), EncryptionError>> + Send + 'async_trait>>
where 'life0: 'async_trait,
    'life1: 'async_trait,
    'life2: 'async_trait,
    'life3: 'async_trait,
    Self: 'async_trait;
/// Tries to re-key (re-wrap) an existing encryption header with the current master key.
///
/// Resolves to `Ok(None)` when the header is already using the current key and to
/// `Ok(Some(new_header_bytes))` when the header was re-wrapped.
///
/// NOTE(review): only the header is passed in, so the encrypted data itself is
/// presumably left untouched by a re-key; confirm. A caller that receives
/// `Some(..)` presumably has to persist the new header in place of the old one,
/// otherwise the stored header keeps depending on the previous key.
fn rekey_header<'life0, 'life1, 'async_trait>(
    &'life0 self,
    header_bytes: &'life1 [u8],
) -> Pin<Box<dyn Future<Output = Result<Option<Vec<u8>>, EncryptionError>> + Send + 'async_trait>>
where 'life0: 'async_trait,
    'life1: 'async_trait,
    Self: 'async_trait;
}
Encryption provider — abstracts the encryption operations needed
by EncryptedBlobStore.
This trait allows the blob store to work with any encryption backend that supports detached-header stream encryption.
For full documentation see the Encryption guide.
§Example (custom provider)
use async_trait::async_trait;
use tokio::io::{AsyncRead, AsyncWrite, AsyncWriteExt, AsyncReadExt};
use xtax_encryption::{EncryptionProvider, EncryptionResult};
/// Pass-through provider that only illustrates the shape of the trait: the methods
/// implemented for it copy `input` to `output` unchanged, so data handled by it is
/// NOT encrypted and its header is empty.
struct NoopEncryption;
#[async_trait]
impl EncryptionProvider for NoopEncryption {
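/// Copies `input` to `output` unchanged and returns an empty header.
///
/// Nothing is encrypted: the bytes written to `output` are the plaintext, so this
/// provider shows how to implement the trait and is not suitable for real storage.
async fn encrypt_stream(
    &self,
    input: &mut (dyn AsyncRead + Send + Unpin),
    output: &mut (dyn AsyncWrite + Send + Unpin),
) -> EncryptionResult<Vec<u8>> {
    // `read_to_end` holds the whole stream in memory. That is acceptable in a short
    // example; a real provider would process the stream in bounded chunks.
    let mut buf = Vec::new();
    // `unwrap` keeps the example short but panics on an I/O failure; a real
    // provider would report the failure through `EncryptionResult` instead.
    input.read_to_end(&mut buf).await.unwrap();
    output.write_all(&buf).await.unwrap();
    // The trait contract requires the output stream to be flushed before returning.
    output.flush().await.unwrap();
    // Empty header: there is no key material or nonce to record.
    Ok(vec![])
}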
/// Mirror of the pass-through `encrypt_stream`: forwards `input` to `output` as-is.
///
/// `_header_bytes` is ignored, so no key is checked and nothing is verified; the
/// data is returned exactly as it was stored.
async fn decrypt_stream(
    &self,
    input: &mut (dyn AsyncRead + Send + Unpin),
    output: &mut (dyn AsyncWrite + Send + Unpin),
    _header_bytes: &[u8],
) -> EncryptionResult<()> {
    // The whole stream is collected in memory before being written back out.
    let mut passthrough: Vec<u8> = Vec::new();
    // Both I/O steps panic on failure rather than returning an error.
    let _bytes_read = input.read_to_end(&mut passthrough).await.unwrap();
    output.write_all(passthrough.as_slice()).await.unwrap();
    Ok(())
}
/// Reports that no re-key is needed: this provider has no key, so the header is
/// never re-wrapped and the result is always `Ok(None)`.
async fn rekey_header(&self, _header_bytes: &[u8]) -> EncryptionResult<Option<Vec<u8>>> {
    let rewrapped_header: Option<Vec<u8>> = None;
    Ok(rewrapped_header)
}
}
Encryption provider — abstracts the encryption operations needed by encrypted storage layers.
This trait allows any crate to work with a pluggable encryption backend that supports detached-header stream encryption.
§Implementations
- Must be `Send + Sync` (required by async storage layers).
- The `encrypt_stream` method must flush the output stream before returning.
- The returned header bytes are stored separately from the encrypted data and later passed back to `decrypt_stream`.
Required Methods§
fn encrypt_stream<'life0, 'life1, 'life2, 'async_trait>(
&'life0 self,
input: &'life1 mut (dyn AsyncRead + Unpin + Send),
output: &'life2 mut (dyn AsyncWrite + Unpin + Send),
) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, EncryptionError>> + Send + 'async_trait>>where
'life0: 'async_trait,
'life1: 'async_trait,
'life2: 'async_trait,
Self: 'async_trait,
Encrypt data from `input` and write the encrypted stream to `output`.
Returns the serialisable encryption header that must be stored alongside the data (e.g. as a separate blob).
fn decrypt_stream<'life0, 'life1, 'life2, 'life3, 'async_trait>(
&'life0 self,
input: &'life1 mut (dyn AsyncRead + Unpin + Send),
output: &'life2 mut (dyn AsyncWrite + Unpin + Send),
header_bytes: &'life3 [u8],
) -> Pin<Box<dyn Future<Output = Result<(), EncryptionError>> + Send + 'async_trait>>where
'life0: 'async_trait,
'life1: 'async_trait,
'life2: 'async_trait,
'life3: 'async_trait,
Self: 'async_trait,
Decrypt data from `input` using the previously stored `header_bytes` and write plaintext to `output`.
fn rekey_header<'life0, 'life1, 'async_trait>(
&'life0 self,
header_bytes: &'life1 [u8],
) -> Pin<Box<dyn Future<Output = Result<Option<Vec<u8>>, EncryptionError>> + Send + 'async_trait>>where
'life0: 'async_trait,
'life1: 'async_trait,
Self: 'async_trait,
Try to re-key (re-wrap) an existing encryption header with the current master key.
- Returns `None` if the header is already using the current key.
- Returns `Some(new_header_bytes)` if the header was re-wrapped.
Dyn Compatibility§
This trait is dyn compatible.
In older versions of Rust, dyn compatibility was called "object safety".