#cryptography #tink #kms #aws

tink-awskms

AWS-KMS integration for Rust port of Google’s Tink cryptography library

7 releases

0.2.4 Mar 25, 2022
0.2.3 Jan 3, 2022
0.2.1 Oct 8, 2021
0.2.0 May 24, 2021
0.1.0 Jan 21, 2021

#520 in Cryptography

32 downloads per month
Used in rinkey

Apache-2.0

125KB
1.5K SLoC

Tink-Rust: AWS-KMS integration

Docs MSRV

This crate provides functionality for integrating Tink with AWS KMS.

Usage

fn main() -> Result<(), Box<dyn Error>> {
    tink_aead::init();

    // Generate a new key.
    let kh1 = tink_core::keyset::Handle::new(&tink_aead::aes256_gcm_key_template())?;

    // Set up the main key-encryption key at a KMS. This is an AEAD which will generate a new
    // data-encryption key (DEK) for each encryption operation; the DEK is included in the
    // ciphertext emitted from the encryption operation, in encrypted form (encrypted by the
    // KMS main key).
    let kms_client =
        tink_awskms::AwsClient::new_with_credentials(KEY_URI, &PathBuf::from(CRED_INI_FILE))?;
    let backend = kms_client.get_aead(KEY_URI)?;
    let main_key = Box::new(tink_aead::KmsEnvelopeAead::new(
        tink_aead::aes256_gcm_key_template(),
        backend,
    ));

    // The `keyset::Reader` and `keyset::Writer` traits allow for reading/writing a keyset to
    // some kind of store; this particular implementation just holds the keyset in memory.
    let mut mem_keyset = tink_core::keyset::MemReaderWriter::default();

    // The `Handle::write` method encrypts the keyset that is associated with the handle, using the
    // given AEAD (`main_key`), and then writes the encrypted keyset to the `keyset::Writer`
    // implementation (`mem_keyset`).  We recommend you encrypt the keyset handle before
    // persisting it.
    kh1.write(&mut mem_keyset, main_key.box_clone())?;
    println!("Encrypted keyset: {:?}", mem_keyset.encrypted_keyset);

    // The `Handle::read` method reads the encrypted keyset back from the `keyset::Reader`
    // implementation and decrypts it using the AEAD used to encrypt it (`main_key`), giving a
    // handle to the recovered keyset.
    let kh2 = tink_core::keyset::Handle::read(&mut mem_keyset, main_key)?;

    assert_eq!(
        insecure::keyset_material(&kh1),
        insecure::keyset_material(&kh2)
    );
    println!("Key handles are equal.");
    Ok(())
}

License

Apache License, Version 2.0

Disclaimer

This is not an officially supported Google product.

Dependencies

~13–20MB
~350K SLoC