Lib.rs

Cryptographytink
#hybrid #tink #public-key

tink-hybrid

Hybrid encryption functionality for Rust port of Google's Tink cryptography library

by David Drysdale and 2 contributors

4 releases

0.3.0 Nov 28, 2024
0.2.5 Mar 14, 2023
0.2.4 Mar 25, 2022
0.2.3 Jan 3, 2022

#1824 in Cryptography

Download history 51/week @ 2024-09-29 67/week @ 2024-10-06 34/week @ 2024-10-13 25/week @ 2024-10-20 42/week @ 2024-10-27 17/week @ 2024-11-03 196/week @ 2024-11-24 34/week @ 2024-12-01 50/week @ 2024-12-08 2/week @ 2024-12-15

443 downloads per month
Used in rinkey

Apache-2.0

300KB
5K SLoC

Tink-Rust: Hybrid Encryption

Docs MSRV

This crate provides hybrid encryption functionality, as described in the upstream Tink documentation.

Usage

fn main() -> Result<(), Box<dyn Error>> {
    tink_hybrid::init();
    let kh_priv = tink_core::keyset::Handle::new(
        &tink_hybrid::ecies_hkdf_aes128_ctr_hmac_sha256_key_template(),
    )?;

    // NOTE: save the private keyset to a safe location. DO NOT hardcode it in source code.
    // Consider encrypting it with a remote key in Cloud KMS, AWS KMS or HashiCorp Vault.  See
    // https://github.com/google/tink/blob/master/docs/GOLANG-HOWTO.md#storing-and-loading-existing-keysets.

    let kh_pub = kh_priv.public()?;

    // NOTE: share the public keyset with the sender.

    let enc = tink_hybrid::new_encrypt(&kh_pub)?;

    let msg = b"this data needs to be encrypted";
    let encryption_context = b"encryption context";
    let ct = enc.encrypt(msg, encryption_context)?;

    let dec = tink_hybrid::new_decrypt(&kh_priv)?;

    let pt = dec.decrypt(&ct, encryption_context)?;
    assert_eq!(msg[..], pt);

    println!("Ciphertext: {}\n", hex::encode(&ct));
    println!("Original  plaintext: {}\n", String::from_utf8_lossy(msg));
    println!("Decrypted plaintext: {}\n", String::from_utf8_lossy(&pt));
    Ok(())
}

License

Apache License, Version 2.0

Disclaimer

This is not an officially supported Google product.

Dependencies

~3–5MB
~91K SLoC