Student Key Manager Show Image Show Image Show Image Show Image A secure, production-ready Rust library for managing student data anonymization keys in educational applications. Provides strong encryption, secure key distribution, and automatic re-keying when student data changes. 🔐 Features

Strong Encryption: AES-256-GCM with Argon2 key derivation Secure Key Distribution: Time-limited download tokens with access controls Automatic Re-keying: Detects when student data changes and prompts for new keys Database Integration: Full PostgreSQL support with migration scripts Audit Logging: Complete access logs for compliance requirements Password Validation: Enforces strong password requirements Data Integrity: SHA-256 hashing with automatic verification Multiple Distribution Methods: Encrypted downloads, email delivery, split keys

🚀 Quick Start Basic Usage (Standalone) rustuse student_key_manager::prelude::*; use chrono::Utc;

// Create encryption service let encryption_service = EncryptionService::new();

// Prepare student data let mapping_data = MappingData { students: vec![ StudentMapping { original_id: 1, anonymized_id: 100001, firstname: "John".to_string(), lastname: "Doe".to_string(), pin: 1234, }, ], created_at: Utc::now(), user_id: 1, key_version: 1, };

// Encrypt with user's password let password = "SecurePassword123!"; let encrypted = encryption_service .encrypt_mapping_data(&mapping_data, password) .expect("Encryption failed");

println!("✓ Data encrypted: {} bytes", encrypted.encrypted_data.len());

// Decrypt when needed let decrypted = encryption_service .decrypt_mapping_data(&encrypted.encrypted_data, password) .expect("Decryption failed");

println!("✓ Recovered {} students", decrypted.students.len()); With Database Integration rustuse student_key_manager::prelude::*; use sqlx::PgPool;

#[tokio::main] async fn main() -> Result<(), Box> { // Connect to database let pool = PgPool::connect("postgresql://user:pass@localhost/db").await?;

// Create key management service
let key_manager = KeyManagementService::new(
    pool, 
    "https://your-app.com".to_string()
);

// Check if user needs new key
let status = key_manager.check_rekey_status(user_id).await?;

if status.needs_rekey {
    println!("Reason: {}", status.reason);
    
    // Generate new key with download link
    let config = KeyGenerationConfig::default();
    let result = key_manager
        .generate_new_key(user_id, user_password, config)
        .await?;
    
    if let Some(url) = result.distribution_result.download_url {
        println!("Download your key: {}", url);
    }
}

Ok(())

} 📦 Installation Add to your Cargo.toml: toml[dependencies]

For encryption only

student-key-manager = { version = "0.1", default-features = false, features = ["standalone"] }

For full database integration

student-key-manager = "0.1"

For async web applications

student-key-manager = { version = "0.1", features = ["database"] } tokio = { version = "1.0", features = ["full"] } sqlx = { version = "0.7", features = ["postgres", "chrono", "runtime-tokio-native-tls"] } 🗄️ Database Setup

1. Apply the Schema sql-- Copy from migrations/student_key_management.sql CREATE TABLE anonymization_keys ( id SERIAL PRIMARY KEY, user_id INTEGER NOT NULL, key_version INTEGER NOT NULL DEFAULT 1, encryption_salt VARCHAR(255) NOT NULL, encrypted_mapping_data TEXT NOT NULL, data_hash VARCHAR(255) NOT NULL, students_count INTEGER NOT NULL, created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(), expires_at TIMESTAMP WITH TIME ZONE NULL, is_active BOOLEAN DEFAULT true, UNIQUE(user_id, key_version) );

-- See full schema in repository

2. Using SQLx Migrations bash# Install sqlx-cli cargo install sqlx-cli

Run migrations

sqlx migrate run --database-url="postgresql://user:pass@localhost/db" 🔧 Configuration Key Generation Options rustlet config = KeyGenerationConfig { create_download_link: true, // Generate secure download URL download_expiry_hours: 24, // Link expires in 24 hours
max_downloads: 3, // Allow 3 downloads max key_expiry_days: 30, // Key expires in 30 days }; Password Requirements

Minimum 8 characters At least one uppercase letter At least one lowercase letter At least one digit Custom validation available

🏗️ Architecture ┌─────────────────┐ ┌──────────────────┐ ┌─────────────────┐ │ Your App │ │ Student Key │ │ PostgreSQL │ │ │ │ Manager │ │ │ │ ┌─────────────┐ │ │ ┌──────────────┐ │ │ ┌─────────────┐ │ │ │ Actix-Web │ │◄──►│ │ KeyManagement│ │◄──►│ │ Encrypted │ │ │ │ Handlers │ │ │ │ Service │ │ │ │ Keys │ │ │ └─────────────┘ │ │ └──────────────┘ │ │ └─────────────┘ │ │ │ │ ┌──────────────┐ │ │ ┌─────────────┐ │ │ ┌─────────────┐ │ │ │ Encryption │ │ │ │ Access │ │ │ │ Student │ │ │ │ Service │ │ │ │ Logs │ │ │ │ Data │ │ │ └──────────────┘ │ │ └─────────────┘ │ │ └─────────────┘ │ └──────────────────┘ └─────────────────┘ └─────────────────┘ 🛡️ Security Features Encryption Details

Algorithm: AES-256-GCM (authenticated encryption) Key Derivation: Argon2 with random salts Integrity: SHA-256 hashing with verification Randomness: Cryptographically secure random number generation

Access Controls

Time-limited download tokens Maximum download limits IP address logging Comprehensive audit trails Automatic key expiration

Data Protection

No plaintext storage of sensitive data Secure memory handling Protection against timing attacks Forward secrecy with key rotation

📊 API Reference Core Types rust// Student mapping between original and anonymized IDs pub struct StudentMapping { pub original_id: i32, pub anonymized_id: i32, pub firstname: String, pub lastname: String, pub pin: i32, }

// Complete mapping data for encryption pub struct MappingData { pub students: Vec, pub created_at: DateTime, pub user_id: i32, pub key_version: i32, }

// Key generation configuration pub struct KeyGenerationConfig { pub create_download_link: bool, pub download_expiry_hours: i64, pub max_downloads: i32, pub key_expiry_days: i64, } Main Services rust// Encryption service for standalone use impl EncryptionService { pub fn encrypt_mapping_data(&self, data: &MappingData, password: &str) -> Result; pub fn decrypt_mapping_data(&self, encrypted: &str, password: &str) -> Result; pub fn verify_data_integrity(&self, data: &MappingData, hash: &str) -> Result; pub fn validate_password_strength(&self, password: &str) -> Result<()>; }

// Full key management with database impl KeyManagementService { pub async fn check_rekey_status(&self, user_id: i32) -> Result; pub async fn generate_new_key(&self, user_id: i32, password: &str, config: KeyGenerationConfig) -> Result; pub async fn download_key(&self, token: &str, client_ip: Option) -> Result; pub async fn validate_key(&self, user_id: i32, encrypted: &str, password: &str) -> Result; } 🧪 Testing bash# Unit tests (no database required) cargo test --features standalone

Integration tests

cargo test --test integration_tests

Database tests (requires PostgreSQL)

export TEST_DATABASE_URL="postgresql://user:pass@localhost/test_db" cargo test --features database -- --ignored

Performance tests

cargo test test_performance_with_large_dataset -- --nocapture 📈 Performance Benchmarks on a modern laptop:

1,000 students: ~50ms encryption, ~30ms decryption 5,000 students: ~200ms encryption, ~150ms decryption Memory usage: ~2MB for 10,000 students Database operations: ~10ms average query time

🤝 Integration Examples Actix-Web Handler rustuse actix_web::{web, HttpResponse, Result}; use student_key_manager::prelude::*;

pub async fn generate_key( pool: web::Data, user: AuthenticatedUser, req: web::Json, ) -> Result { let key_manager = KeyManagementService::new( pool.get_ref().clone(), env::var("BASE_URL").unwrap_or_default() );

let config = KeyGenerationConfig::default();

match key_manager.generate_new_key(user.id, &req.password, config).await {
    Ok(result) => Ok(HttpResponse::Ok().json(result)),
    Err(e) => Ok(HttpResponse::BadRequest().json(format!("Error: {}", e))),
}

} Background Cleanup Task rustuse tokio::time::{interval, Duration};

async fn cleanup_expired_keys(key_manager: KeyManagementService) { let mut interval = interval(Duration::from_secs(3600)); // Every hour

loop {
    interval.tick().await;
    
    match key_manager.cleanup_expired().await {
        Ok(count) => log::info!("Cleaned up {} expired download tokens", count),
        Err(e) => log::error!("Cleanup failed: {}", e),
    }
}

} 📝 License This project is licensed under either of

Apache License, Version 2.0, (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0) MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)

at your option. 🤝 Contributing Contributions are welcome! Please feel free to submit a Pull Request. For major changes, please open an issue first to discuss what you would like to change. Development Setup bashgit clone https://github.com/yourusername/student-key-manager.git cd student-key-manager cargo test --features standalone 🆘 Support

📖 Documentation 🐛 Issue Tracker 💬 Discussions

🔄 Changelog v0.1.0 (Initial Release)

✅ AES-256-GCM encryption with Argon2 key derivation ✅ PostgreSQL database integration ✅ Secure download token system ✅ Automatic re-keying detection ✅ Comprehensive audit logging ✅ Password strength validation ✅ Data integrity verification