#security #crypto #xchacha20 #aes #lz4

app encrypt-rs

Envelope encryption with secret-keepers

7 releases

0.3.7 Jul 24, 2020
0.3.6 Jul 18, 2020
0.3.0 Jun 30, 2020

#387 in Cryptography

Apache-2.0 OR MIT

2.5K SLoC

Command-line envelope encryption with secret-keeper

Encryption and decryption using Secret Keeper


cargo install encrypt-rs


  # Encrypt file
  $ encrypt enc -o OUT [ -k KEEPER ] [ -c CIPHER ] FILE

  # Decrypt file
  $ encrypt dec -o OUT [ -k KEEPER ] [ -c CIPHER ] FILE

  # View key envelope
  $ encrypt key view   [ -k KEEPER ] FILE

-k KEEPER options: (default: 'env:')

  • env: (EnvKeeper)
    • env: - passphrase for deriving the key is in the environment variable VAULT_PASSWORD.
    • env:VARNAME - passphrase for deriving the key is in the environment variable VARNAME.
    # example:
    export PASSWORD="my-super-secret-passphrase"
    encrypt enc -o FILE.enc -k env:PASSWORD FILE
  • prompt: (PromptKeeper)
    • user will be prompted on the terminal for the passphrase for deriving the key.
  • hashivault: (HashivaultKeeper)
    • key-encrypting key is on a Hashicorp Vault transit server. See the hashivault keeper doc for the URL syntax.
    # example:
    encrypt enc -o FILE.enc -k hashivault://my_key FILE
  • cloudkms: (CloudKMSKeeper)
    # example:
    encrypt enc -o FILE.enc -k cloudkms:/PROJ/global/my_keyring/my_key FILE

-c CIPHER options: the default cipher is LZ4XChaCha20Poly1305, which combines LZ4 compression with XChaCha20-Poly1305. (The cipher algorithms are implemented by RustCrypto.)

  • XChaCha20Poly1305 (aliases: xchacha20, xchacha20poly1305)
  • LZ4XChaCha20Poly1305 (aliases: lz4, lz4xchacha20, lz4xchacha20poly1305)
  • AesGcm256 (aliases: aes, aesgcm, aesgcm256)
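The envelope scheme that the keeper and cipher options above describe, written out as an added example that is not encrypt-rs code: a fresh random data key encrypts the file, a key-encrypting key (here derived from a passphrase with scrypt, playing the EnvKeeper role) wraps that data key, and a header carrying the cipher name, keeper name and wrapped key travels with the ciphertext. It assumes the `cryptography` package and uses AES-256-GCM (the AesGcm256 option) because that library has no XChaCha20; with XChaCha20-Poly1305 only the 24-byte nonce would differ. The header layout, the `dek-wrap` associated-data label and the scrypt parameters are illustrative choices, not the crate's format.

```python
"""Envelope encryption in the style of encrypt-rs' EnvKeeper, using AES-256-GCM.

Added illustration, not encrypt-rs code.  The on-disk layout
(header || "\n" || file_nonce || ciphertext) is hypothetical.
"""
import base64
import hashlib
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

KEY_LEN = 32     # AES-256 key size in bytes
NONCE_LEN = 12   # AES-GCM nonce size; XChaCha20-Poly1305 would use 24
SALT_LEN = 16


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii")


def _unb64(s: str) -> bytes:
    return base64.b64decode(s)


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Derive the key-encrypting key from a passphrase with scrypt (stdlib).

    Cost parameters are illustrative and should be tuned for the host.
    """
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=KEY_LEN)


def encrypt_envelope(plaintext: bytes, passphrase: str, cipher: str = "AesGcm256") -> bytes:
    """Return header || b"\\n" || file_nonce || ciphertext."""
    # 1. Fresh data-encryption key (DEK) and file nonce from the OS CSPRNG, one per file.
    dek = os.urandom(KEY_LEN)
    file_nonce = os.urandom(NONCE_LEN)

    # 2. Wrap the DEK under a passphrase-derived KEK (the EnvKeeper role).
    salt = os.urandom(SALT_LEN)
    wrap_nonce = os.urandom(NONCE_LEN)
    kek = derive_kek(passphrase, salt)
    wrapped_dek = AESGCM(kek).encrypt(wrap_nonce, dek, b"dek-wrap")

    # 3. The header says how to unwrap; it never contains the plaintext DEK.
    header = json.dumps({
        "cipher": cipher,
        "keeper": "env:",
        "salt": _b64(salt),
        "wrap_nonce": _b64(wrap_nonce),
        "wrapped_dek": _b64(wrapped_dek),
    }, sort_keys=True).encode("utf-8")

    # 4. Encrypt the body with the DEK, binding the header as associated data so
    #    that any edit to the header (cipher, keeper, wrapped key) fails the tag check.
    ciphertext = AESGCM(dek).encrypt(file_nonce, plaintext, header)
    return header + b"\n" + file_nonce + ciphertext


def _split(envelope: bytes):
    # The JSON header contains no newline, so the first one is the separator.
    header, _, body = envelope.partition(b"\n")
    return header, body[:NONCE_LEN], body[NONCE_LEN:]


def view_key(envelope: bytes) -> dict:
    """Show the key envelope (like `encrypt key view`) without unwrapping the DEK."""
    header, _, _ = _split(envelope)
    return json.loads(header)


def decrypt_envelope(envelope: bytes, passphrase: str) -> bytes:
    """Unwrap the DEK with the passphrase-derived KEK, then decrypt the body.

    Raises InvalidTag on a wrong passphrase or on any modification of the
    header, nonce or ciphertext.
    """
    header, file_nonce, ciphertext = _split(envelope)
    meta = json.loads(header)
    kek = derive_kek(passphrase, _unb64(meta["salt"]))
    dek = AESGCM(kek).decrypt(_unb64(meta["wrap_nonce"]),
                              _unb64(meta["wrapped_dek"]), b"dek-wrap")
    return AESGCM(dek).decrypt(file_nonce, ciphertext, header)


def tamper_detected(envelope: bytes, passphrase: str) -> bool:
    """True when decryption refuses the envelope (wrong passphrase or edited bytes)."""
    try:
        decrypt_envelope(envelope, passphrase)
        return False
    except InvalidTag:
        return True


if __name__ == "__main__":
    # Constructed sample input.
    env = encrypt_envelope(b"constructed sample file contents", "my-super-secret-passphrase")
    print(view_key(env))
    print(decrypt_envelope(env, "my-super-secret-passphrase"))
```

The point worth noticing is the associated-data binding in step 4: because the header is authenticated together with the body, a `key view` that shows `keeper: env:` cannot be silently replaced by a different wrapped key or cipher name without the decryption tag check failing, and two encryptions of the same file never share a DEK or nonce.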

There are some additional usage examples in the test* shell scripts.

Random number generation

File nonces and keys are generated with the platform's OS CSPRNG, using the rand crate.


~349K SLoC