

A very simple envelope encryption library using aes-gcm

4 releases (breaking)

0.8.0 Jan 23, 2023
0.7.0 Dec 28, 2022
0.6.2 Dec 29, 2022
0.6.1 Nov 30, 2022
0.3.0 Jun 27, 2022

#614 in Cryptography


181 downloads per month
Used in 2 crates (via cipherstash-client)

Custom license

1.5K SLoC


A very simple envelope encryption library in Rust using aes-gcm and a KeyProvider trait. KeyProviders can be implemented for AWS KMS, Azure KeyVault, HashiCorp Vault, etc., but this library just comes with a SimpleKeyProvider that can be used with a local key.

NOTE: This library is very alpha and not yet suitable for production use


AWS Key Management Service

In order to run the AWS KMS examples you need to ensure the correct environment variables or config options are set to connect to your AWS account.

Follow the AWS getting started docs for help.

Need help?

Head over to our support forum, and we'll get back to you super quick!


envelope is a very simple envelope encryption library that can use external key providers such as AWS KMS to encrypt data safely. Messages are encrypted with data keys, and each data key is itself encrypted by a Key-Encryption-Key (KEK, sometimes also called a Customer Master Key). The resulting ciphertext of the data key (the "wrapped" data key) is stored with the encrypted data.


NOTE: This is Alpha software and should not be used in production

Encrypt a message with a local Key Provider

The SimpleKeyProvider allows envelope encryption to be used with a local key.

use envelopers::{
    Aes128Gcm, // or Aes256Gcm, Aes128GcmSiv, Aes256GcmSiv
    EnvelopeCipher, SimpleKeyProvider,
};
use hex_literal::hex;

// Local 128-bit key-encryption key (KEK); a fixed demo value, not a real secret.
let kek: [u8; 16] = hex!("00010203 04050607 08090a0b 0c0d0e0f");
let key_provider: SimpleKeyProvider<Aes128Gcm> = SimpleKeyProvider::init(kek);

// encrypt is async, so this must run inside an async context.
let cipher: EnvelopeCipher<_> = EnvelopeCipher::init(key_provider);
let er = cipher.encrypt(b"hey there monkey boy").await.unwrap();

Encoding a CipherText

let bytes = er.to_vec().unwrap();

Decrypting a CipherText

use envelopers::{Aes128Gcm, EnvelopeCipher, SimpleKeyProvider, EncryptedRecord};

// `bytes` and `cipher` come from the previous steps.
let dec = EncryptedRecord::from_vec(bytes).unwrap();
let pt = cipher.decrypt(&dec).await.unwrap();

// The decrypted plaintext matches the original message.
assert!(std::str::from_utf8(&pt).unwrap() == "hey there monkey boy");
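The description above says the wrapped data key is stored with the encrypted data, and the encoding steps turn a record into bytes and back. The following is an added example, not code from the envelopers crate: it uses a hypothetical record layout (the names Record, encode, decode and ParseError are assumptions, and the layout is not the crate's to_vec format) to show which fields such a record carries and how to length-check untrusted bytes before they reach the cipher.

```rust
use std::convert::TryFrom;

// Hypothetical layout, constructed for illustration (NOT the crate's to_vec format):
//   u16 big-endian length | wrapped data key | 12-byte nonce | ciphertext || 16-byte tag
const NONCE_LEN: usize = 12; // AES-GCM standard nonce size
const TAG_LEN: usize = 16; // AES-GCM authentication tag size

#[derive(Debug, PartialEq)]
pub struct Record {
    pub wrapped_key: Vec<u8>, // data key encrypted under the KEK
    pub nonce: [u8; NONCE_LEN],
    pub ciphertext: Vec<u8>, // message encrypted under the data key, tag appended
}

#[derive(Debug, PartialEq)]
pub enum ParseError { Truncated, EmptyWrappedKey, MissingTag }

/// Serialise a record; None if the wrapped key does not fit the u16 length prefix.
pub fn encode(r: &Record) -> Option<Vec<u8>> {
    let klen = u16::try_from(r.wrapped_key.len()).ok()?;
    let mut out = klen.to_be_bytes().to_vec();
    out.extend_from_slice(&r.wrapped_key);
    out.extend_from_slice(&r.nonce);
    out.extend_from_slice(&r.ciphertext);
    Some(out)
}

/// Parse untrusted bytes, checking every length before slicing so a short or
/// malformed record is rejected instead of panicking or reaching the cipher.
pub fn decode(buf: &[u8]) -> Result<Record, ParseError> {
    if buf.len() < 2 { return Err(ParseError::Truncated); }
    let klen = u16::from_be_bytes([buf[0], buf[1]]) as usize;
    if klen == 0 { return Err(ParseError::EmptyWrappedKey); }
    let rest = &buf[2..];
    if rest.len() < klen + NONCE_LEN { return Err(ParseError::Truncated); }
    let (wrapped, rest) = rest.split_at(klen);
    let (nonce, ct) = rest.split_at(NONCE_LEN);
    if ct.len() < TAG_LEN { return Err(ParseError::MissingTag); }
    let mut n = [0u8; NONCE_LEN];
    n.copy_from_slice(nonce);
    Ok(Record { wrapped_key: wrapped.to_vec(), nonce: n, ciphertext: ct.to_vec() })
}

fn main() {
    // Constructed sample bytes, not real key material or ciphertext.
    let r = Record { wrapped_key: vec![0xAA; 32], nonce: [7; NONCE_LEN], ciphertext: vec![0x55; 20] };
    let bytes = encode(&r).expect("wrapped key fits in u16");
    assert_eq!(decode(&bytes), Ok(r));
    assert_eq!(decode(&bytes[..40]), Err(ParseError::Truncated));
}
```

Structural checks like these only reject malformed input early; tampering with a well-formed record is detected by the AES-GCM tag when the data key is unwrapped and the message is decrypted.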

