#hybrid #tink #public-key

tink-hybrid

Hybrid encryption functionality for Rust port of Google's Tink cryptography library

4 releases

0.3.0 Nov 28, 2024
0.2.5 Mar 14, 2023
0.2.4 Mar 25, 2022
0.2.3 Jan 3, 2022

#1828 in Cryptography

Download history 128/week @ 2024-09-17 166/week @ 2024-09-24 33/week @ 2024-10-01 88/week @ 2024-10-08 11/week @ 2024-10-15 36/week @ 2024-10-22 31/week @ 2024-10-29 15/week @ 2024-11-05 8/week @ 2024-11-19 200/week @ 2024-11-26 26/week @ 2024-12-03 48/week @ 2024-12-10

51 downloads per month
Used in rinkey

Apache-2.0

300KB
5K SLoC

Tink-Rust: Hybrid Encryption

Docs MSRV

This crate provides hybrid encryption functionality, as described in the upstream Tink documentation.

Usage

fn main() -> Result<(), Box<dyn Error>> {
    tink_hybrid::init();
    let kh_priv = tink_core::keyset::Handle::new(
        &tink_hybrid::ecies_hkdf_aes128_ctr_hmac_sha256_key_template(),
    )?;

    // NOTE: save the private keyset to a safe location. DO NOT hardcode it in source code.
    // Consider encrypting it with a remote key in Cloud KMS, AWS KMS or HashiCorp Vault.  See
    // https://github.com/google/tink/blob/master/docs/GOLANG-HOWTO.md#storing-and-loading-existing-keysets.

    let kh_pub = kh_priv.public()?;

    // NOTE: share the public keyset with the sender.

    let enc = tink_hybrid::new_encrypt(&kh_pub)?;

    let msg = b"this data needs to be encrypted";
    let encryption_context = b"encryption context";
    let ct = enc.encrypt(msg, encryption_context)?;

    let dec = tink_hybrid::new_decrypt(&kh_priv)?;

    let pt = dec.decrypt(&ct, encryption_context)?;
    assert_eq!(msg[..], pt);

    println!("Ciphertext: {}\n", hex::encode(&ct));
    println!("Original  plaintext: {}\n", String::from_utf8_lossy(msg));
    println!("Decrypted plaintext: {}\n", String::from_utf8_lossy(&pt));
    Ok(())
}

License

Apache License, Version 2.0

Disclaimer

This is not an officially supported Google product.

Dependencies

~2.9–5MB
~88K SLoC