#secret #quantum #encryption #security #api #store-key

bin+lib locky

Key Management Service SDK. Locky stores and retrieves cryptographic secrets in the cloud

1 unstable release

0.0.1 Feb 10, 2024

MIT license

22KB
399 lines

🧩 Locky Rust SDK

Locky is a cloud-based key-management system focused on preventing harvest-now decrypt-later quantum attacks.

Standardized: Utilizes NIST-approved post-quantum cryptographic parameters and algorithms (FIPS-203)
Fast: Keys are retrieved in under 50ms
Secure: Root keys are 'split up'. If an entire datacenter's data were compromised, no keys would be exposed
Reliable: No downtime even facing a catastrophic datacenter loss
Flexible: Locky can be used to store keys for AES, ChaCha20, Ascon, and most other data encryption algorithms

lib.rs:

Example

Retrieving a key from Locky

// Connect to Locky staging environment.
let mut client = LockyClient::new(LockyEnv::Staging)
    .with_creds(account_id, access_token);

// Securely get a secret from the cloud service
let key = client.get_key("test_db_key").await.unwrap();

// Use the secret to encrypt some data
let cipher = Aes256Gcm::new((&*key).into());

// Never send this key over a network. Even if the communication is encrypted,
// unless it specifically uses a post-quantum secure protocol (such as the
// one used by Locky) it will be vulnerable to harvest-now decrypt-later
// attacks.
drop(key);

Creating an account

let mut client = LockyClient::new(LockyEnv::Staging);

// Make an account in our staging environment
let account_id = client.create_account("cool-test-account@getloc.ky").await.unwrap();

// The access token needs to be stored securely, but it does not need
// to be stored in a quantum-secure manner, so however you currently
// manage secrets is probably fine.
let access_token = client.get_access_token().unwrap();

Creating a key

let mut client = LockyClient::new(LockyEnv::Staging).with_creds(account_id, access_token);

// Alternately, you can use our CLI or web interface to create a key
client.create_key("test_key").await.unwrap();

A Note On Staging

The staging environment is deleted every 24 hours. It is a test environment. Security is not guaranteed and any accounts, keys, or data you create will be lost. Do not store anything in staging besides ephemeral test data!

Dependencies

~7–15MB
~184K SLoC