6 releases (3 breaking)

0.8.2 Jan 9, 2024
0.8.1 Nov 6, 2023
0.8.0 Jan 23, 2023
0.7.0 Dec 28, 2022
0.3.0 Jun 27, 2022

#987 in Cryptography

Download history 60/week @ 2023-11-21 26/week @ 2023-11-28 23/week @ 2023-12-05 7/week @ 2024-01-09 31/week @ 2024-02-20 38/week @ 2024-02-27

69 downloads per month
Used in 2 crates (via cipherstash-client)

Custom license

65KB
1.5K SLoC

Envelopers

Very simple envelope encryption library in Rust using aes-gcm and a KeyProvider trait. KeyProviders can be implemented for AWS KMS, Azure KeyVault, Hashicorp Vault etc but this library just comes with a SimpleKeyProvider that can be used with a local key.

NOTE: This library is very alpha and not yet suitable for production use

Examples

AWS Key Management Service

In order to run the AWS KMS examples you need to ensure the correct environment variables or config options are set to connect to your AWS account.

Follow the AWS getting started docs for help.

Need help?

Head over to our support forum, and we'll get back to you super quick!


lib.rs:

envelope is a very simple, envelope encryption library that can use external key providers such as AWS KMS to encrypt data safely. It uses the concept of data-keys to encrypt messages but these data keys are themselves encrypted by a Key-Encryption-Key (or KEK, sometimes also called Customer Master Key) with the resulting ciphertext stored with the encrypted data (the "wrapped" data-key).

Usage

NOTE: This is Alpha software and should not be used in production

Encrypt a message with a local Key Provider

The SimpleKeyProvider allows envelope encryption to be used with a local key.

use envelopers::{
    Aes128Gcm, // or Aes256Gcm, Aes128GcmSiv, Aes256GcmSiv
    EnvelopeCipher,
    SimpleKeyProvider,
};

#
use hex_literal::hex;
let kek: [u8; 16] = hex!("00010203 04050607 08090a0b 0c0d0e0f");
let key_provider: SimpleKeyProvider<Aes128Gcm> = SimpleKeyProvider::init(kek);

let cipher: EnvelopeCipher<_> = EnvelopeCipher::init(key_provider);
let er = cipher.encrypt(b"hey there monkey boy").await.unwrap();
#

Encoding a CipherText

#
#
#
#
#
let bytes = er.to_vec().unwrap();
hex::encode(&bytes);

Decrypting a CipherText

use envelopers::{Aes128Gcm, EnvelopeCipher, SimpleKeyProvider, EncryptedRecord};

#
#
#
#
let dec = EncryptedRecord::from_vec(bytes).unwrap();
let pt = cipher.decrypt(&dec).await.unwrap();

assert!(std::str::from_utf8(&pt).unwrap() == "hey there monkey boy");
#

Dependencies

~9–13MB
~229K SLoC