#encryption #encryption-key #envelope #aws-kms #aes-gcm #provider #ciphertext

enveloper (yanked)

A very simple envelope encryption library using aes-gcm

0.2.0 May 26, 2022

GPL-3.0 license

31KB
713 lines

Enveloper

Very simple envelope encryption library in Rust using aes-gcm and a KeyProvider trait. KeyProviders can be implemented for AWS KMS, Azure KeyVault, Hashicorp Vault etc., but this library ships only a SimpleKeyProvider that can be used with a local key.

NOTE: This library is very alpha and not yet suitable for production use


lib.rs:

envelope is a very simple envelope encryption library that can use external key providers such as AWS KMS to encrypt data safely. It uses the concept of data keys to encrypt messages; these data keys are themselves encrypted by a Key-Encryption-Key (or KEK, sometimes also called Customer Master Key), and the resulting ciphertext (the "wrapped" data key) is stored with the encrypted data.

Usage

NOTE: This is Alpha software and should not be used in production

Encrypt a message with a local Key Provider

The SimpleKeyProvider allows envelope encryption to be used with a local key.

use enveloper::{EnvelopeCipher, SimpleKeyProvider};
use hex_literal::hex;

// 16-byte KEK handed directly to the local key provider (the rustdoc source hides its
// async runtime setup behind `#` lines, which are omitted here).
let kek: [u8; 16] = hex!("00010203 04050607 08090a0b 0c0d0e0f");
let key_provider = SimpleKeyProvider::init(kek);

let cipher: EnvelopeCipher<SimpleKeyProvider> = EnvelopeCipher::init(key_provider);
// encrypt() is async and returns an EncryptedRecord holding the wrapped data key and ciphertext
let er = cipher.encrypt(b"hey there monkey boy").await.unwrap();

Encoding a CipherText

// `er` is the EncryptedRecord returned by encrypt() above (hidden rustdoc setup lines omitted)
let bytes = er.to_vec().unwrap();
let encoded = hex::encode(&bytes);

Decrypting a CipherText

use enveloper::{EnvelopeCipher, SimpleKeyProvider, EncryptedRecord};

// `cipher` and `bytes` come from the examples above (hidden rustdoc setup lines omitted)
let dec = EncryptedRecord::from_vec(bytes).unwrap();
let pt = cipher.decrypt(&dec).await.unwrap();

assert_eq!(std::str::from_utf8(&pt).unwrap(), "hey there monkey boy");
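As an added illustration (not the enveloper crate's code), here is the envelope pattern the lib.rs text describes: a KeyProvider trait, a local-KEK SimpleKeyProvider, a record that stores the wrapped data key beside the ciphertext, and decryption that fails cleanly under the wrong KEK or a tampered body. The AEAD is a stand-in built from std's hasher so the block runs without crates; the trait shape, record layout, and the data key and nonce values are assumptions, and the data key and nonce are passed in by the caller rather than drawn from a CSPRNG.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

// Stand-in AEAD built from std's hasher: NOT secure, it only lets the envelope logic run
// without external crates. Real code uses AES-GCM for both layers, as enveloper does.
fn h64(v: impl Hash) -> u64 { let mut h = DefaultHasher::new(); v.hash(&mut h); h.finish() }
fn keystream(key: &[u8], nonce: &[u8], data: &[u8]) -> Vec<u8> {
    // block counter i/8 selects an 8-byte keystream block derived from (key, nonce)
    data.iter().enumerate().map(|(i, b)| b ^ h64((key, nonce, i / 8)).to_le_bytes()[i % 8]).collect()
}
fn tag(key: &[u8], nonce: &[u8], ct: &[u8]) -> [u8; 8] { h64(("tag", key, nonce, ct)).to_le_bytes() }
fn seal(key: &[u8], nonce: &[u8], pt: &[u8]) -> Vec<u8> {
    let ct = keystream(key, nonce, pt);
    [ct.as_slice(), &tag(key, nonce, &ct)[..]].concat()
}
fn open(key: &[u8], nonce: &[u8], sealed: &[u8]) -> Option<Vec<u8>> {
    let (ct, t) = sealed.split_at(sealed.len().checked_sub(8)?);
    if t != &tag(key, nonce, ct)[..] { return None; } // wrong key or tampering: reject, never emit garbage
    Some(keystream(key, nonce, ct))
}
/// The provider boundary: a KMS-backed implementation would call the service in these two methods.
trait KeyProvider {
    fn wrap(&self, nonce: &[u8], data_key: &[u8]) -> Vec<u8>;
    fn unwrap(&self, nonce: &[u8], wrapped: &[u8]) -> Option<Vec<u8>>;
}
struct SimpleKeyProvider { kek: [u8; 16] }
impl KeyProvider for SimpleKeyProvider {
    fn wrap(&self, n: &[u8], dk: &[u8]) -> Vec<u8> { seal(&self.kek, n, dk) }
    fn unwrap(&self, n: &[u8], w: &[u8]) -> Option<Vec<u8>> { open(&self.kek, n, w) }
}
/// Record layout (constructed): wrapped key (16 bytes + 8-byte tag) || 12-byte nonce || sealed body.
struct EncryptedRecord { wrapped_key: Vec<u8>, nonce: Vec<u8>, body: Vec<u8> }
impl EncryptedRecord {
    fn to_vec(&self) -> Vec<u8> { [&self.wrapped_key[..], &self.nonce[..], &self.body[..]].concat() }
    fn from_vec(b: &[u8]) -> Option<Self> {
        b.get(24 + 12 + 8..)?; // shortest valid record: wrapped key, nonce, empty body plus its tag
        Some(Self { wrapped_key: b[..24].to_vec(), nonce: b[24..36].to_vec(), body: b[36..].to_vec() })
    }
}
/// Envelope encrypt: the data key seals the message; the KEK (via the provider) wraps the data key.
/// `data_key` and `nonce` are caller-supplied here; real code draws fresh ones from a CSPRNG per message.
fn envelope_encrypt(p: &impl KeyProvider, data_key: [u8; 16], nonce: [u8; 12], pt: &[u8]) -> EncryptedRecord {
    EncryptedRecord { wrapped_key: p.wrap(&nonce, &data_key), nonce: nonce.to_vec(), body: seal(&data_key, &nonce, pt) }
}
fn envelope_decrypt(p: &impl KeyProvider, r: &EncryptedRecord) -> Option<Vec<u8>> {
    let dk = p.unwrap(&r.nonce, &r.wrapped_key)?; // a wrong KEK fails here, before the body is touched
    open(&dk, &r.nonce, &r.body)
}
```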

Dependencies

~23–33MB
~560K SLoC