Lib.rs

Cryptography
#encryption-key #encryption #azure #aws #security #aws-kms #hyok

hyokashi

A Rust library implementing Hold Your Own Key (HYOK) encryption patterns with support for multiple cloud providers

Owned by Coolroo.

1 unstable release

new 0.1.12 Mar 10, 2025

#457 in Cryptography

MIT license

430KB
1.5K SLoC

Hyokashi

Hyokashi is a Rust library that implements Hold Your Own Key (HYOK) encryption patterns, supporting multiple cloud providers and custom implementations. It provides a flexible and secure way to manage data encryption keys (DEKs) while maintaining control over your encryption strategy.

Features

  • 🔐 Multiple Cloud Provider Support
    • AWS KMS & Secrets Manager
    • Azure Key Vault
    • Custom implementation support
  • 🚀 Flexible encryption strategies
  • 📦 Built-in caching support
  • ⚡ Async/await support
  • 🛠️ Customizable key generation

Installation

Add this to your Cargo.toml:

[dependencies]
hyokashi = "0.1.0"

To enable cloud provider support, use feature flags:

[dependencies]
hyokashi = { version = "0.1.0", features = ["aws", "azure"] }

Usage

AWS Example

use hyokashi::HYOKServiceBuilder;
use hyokashi::encryption::aes_gcm::{AesGcm256Strategy, AesGcmEncryptionData};

async fn encrypt_with_aws() {
    let config = aws_config::load_defaults(BehaviorVersion::latest()).await;
    
    let builder = HYOKServiceBuilder::new()
        .with_aws_cmk(
            aws_sdk_kms::Client::new(&config),
            "your-key-name",
            EncryptionAlgorithmSpec::RsaesOaepSha256
        )
        .with_aws_persistence(aws_sdk_secretsmanager::Client::new(&config))
        .with_moka_cache(10000, Duration::from_secs(60), Duration::from_secs(300))
        .with_fixed_length_generator(32);

    let hyok_service = builder.build(AesGcm256Strategy).unwrap();

    // Encrypt data
    let encryption_data = AesGcmEncryptionData { 
        aad: [1; 16], 
        nonce: hyokashi::encryption::aes_gcm::generate_nonce().unwrap() 
    };
    
    let held_value = hyok_service
        .hold_value(data, "my-scope".to_string(), encryption_data)
        .await?;
}

Azure Example

use hyokashi::HYOKServiceBuilder;
use azure_security_keyvault::prelude::*;

async fn encrypt_with_azure() {
    let creds = azure_identity::create_specific_credential().unwrap();
    let keyvault_client = KeyvaultClient::new("your-keyvault-url", creds).unwrap();

    let builder = HYOKServiceBuilder::new()
        .with_azure_cmk(
            "your-key-name",
            CryptographParamtersEncryption::Rsa(RsaEncryptionParameters {
                algorithm: EncryptionAlgorithm::RsaOaep256,
            }),
            keyvault_client.clone()
        )
        .with_azure_persistence(keyvault_client)
        .with_moka_cache(10000, Duration::from_secs(60), Duration::from_secs(300))
        .with_fixed_length_generator(32);

    let hyok_service = builder.build(AesGcm256Strategy).unwrap();
}

Custom Implementation

The library supports custom implementations for all components:

let hyok_service = HYOKServiceBuilder::new()
    .with_fixed_length_generator(32)
    .with_custom_cache(get_fn, set_fn)
    .with_custom_cmk(encrypt_fn, decrypt_fn)
    .with_custom_persistence(persist_fn, fetch_fn)
    .build(your_custom_strategy)
    .unwrap();

Configuration

Key Generation Options

  • Fixed Length Generator: Generate keys of a specific length
  • Custom Generator: Implement your own key generation logic

Caching Options

  • Built-in Moka cache support
  • Custom cache implementation support

Encryption Strategies

  • AES-GCM 256
  • Custom encryption strategy support

License

This project is licensed under the MIT License - see the LICENSE file for details.

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

Dependencies

~8–20MB
~267K SLoC