sifredb-key-file
| Crates.io | sifredb-key-file |
| lib.rs | sifredb-key-file |
| version | 0.1.1 |
| created_at | 2025-11-13 06:43:21.635509+00 |
| updated_at | 2025-11-14 00:45:20.803015+00 |
| description | File-based key provider for SifreDB |
| homepage | |
| repository | https://github.com/Tuntii/sifredb |
| max_upload_size | |
| id | 1930509 |
| size | 28,359 |
Tunay (Tuntii)
documentation
README
sifredb-key-file
File-based key provider for SifreDB.
Features
- 🔐 Secure file-based key storage
- 🔑 Key encryption at rest
- 📁 Hierarchical key organization
- 🔄 Key rotation support
- 🏢 Multi-tenant key isolation
Installation
Add this to your Cargo.toml:
[dependencies]
sifredb = "0.1"
sifredb-key-file = "0.1"
Usage
Initialize Key Directory
use sifredb_key_file::FileKeyProvider;
use std::path::Path;
// Initialize a new key directory
let key_dir = Path::new("./keys");
FileKeyProvider::init(key_dir)?;
Create Provider
use sifredb_key_file::FileKeyProvider;
let provider = FileKeyProvider::new("./keys")?;
Use with SifreDB Vault
use sifredb::prelude::*;
use sifredb_key_file::FileKeyProvider;
let provider = FileKeyProvider::new("./keys")?;
let vault = DeterministicVault::with_provider(provider);
let context = EncryptionContext::new("users", "email");
let ciphertext = vault.encrypt(b"alice@example.com", &context)?;
Key Storage Structure
Keys are stored in a hierarchical directory structure:
./keys/
├── tenant_a/
│ ├── users_email_v1.key
│ └── orders_total_v1.key
└── tenant_b/
└── users_email_v1.key
Security Considerations
- Key Protection: Keys are encrypted at rest using ChaCha20-Poly1305
- File Permissions: Ensure key directory has restricted access (600/700)
- Backup Strategy: Implement secure key backup procedures
- Key Rotation: Regularly rotate keys and maintain old versions for decryption
- Production Use: Consider using a KMS for production environments
Key Rotation
use sifredb::prelude::*;
use sifredb_key_file::FileKeyProvider;
let provider = FileKeyProvider::new("./keys")?;
// Old context with version 1
let old_context = EncryptionContext::new("users", "email")
.with_tenant("tenant_a")
.with_version(1);
// New context with version 2
let new_context = old_context.clone().with_version(2);
// Decrypt with old key, re-encrypt with new key
let plaintext = vault.decrypt(&old_ciphertext, &old_context)?;
let new_ciphertext = vault.encrypt(&plaintext, &new_context)?;
Best Practices
- Restrict Access: Use file system permissions to protect keys
- Regular Backups: Backup keys securely and separately
- Key Versioning: Use version numbers for smooth rotation
- Testing: Test key rotation procedures regularly
- Monitoring: Monitor key file access and modifications
Limitations
- Not suitable for high-throughput scenarios (use KMS instead)
- Requires file system access
- No built-in key distribution mechanism
- Single-node only (no automatic replication)
Alternative Providers
For production environments, consider:
- sifredb-kms-aws: AWS KMS integration
- Custom providers implementing the
KeyProvidertrait
Related Crates
- sifredb: Core encryption library
- sifredb-kms-aws: AWS KMS integration
- sifredb-cli: Command-line tool
License
Licensed under either of:
- Apache License, Version 2.0 (LICENSE-APACHE)
- MIT License (LICENSE-MIT)
at your option.
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.