tink-awskms
| Crates.io | tink-awskms |
| lib.rs | tink-awskms |
| version | 0.2.5 |
| source | src |
| created_at | 2021-01-21 11:19:33.779559 |
| updated_at | 2023-03-14 07:54:26.993206 |
| description | AWS-KMS integration for Rust port of Google's Tink cryptography library |
| homepage | |
| repository | https://github.com/project-oak/tink-rust |
| max_upload_size | |
| id | 344850 |
| size | 18,955 |
(conradgrobler)
documentation
https://docs.rs/tink-awskms
README
Tink-Rust: AWS-KMS integration
This crate provides functionality for integrating Tink with AWS KMS.
Usage
fn main() -> Result<(), Box<dyn Error>> {
tink_aead::init();
// Generate a new key.
let kh1 = tink_core::keyset::Handle::new(&tink_aead::aes256_gcm_key_template())?;
// Set up the main key-encryption key at a KMS. This is an AEAD which will generate a new
// data-encryption key (DEK) for each encryption operation; the DEK is included in the
// ciphertext emitted from the encryption operation, in encrypted form (encrypted by the
// KMS main key).
let kms_client =
tink_awskms::AwsClient::new_with_credentials(KEY_URI, &PathBuf::from(CRED_INI_FILE))?;
let backend = kms_client.get_aead(KEY_URI)?;
let main_key = Box::new(tink_aead::KmsEnvelopeAead::new(
tink_aead::aes256_gcm_key_template(),
backend,
));
// The `keyset::Reader` and `keyset::Writer` traits allow for reading/writing a keyset to
// some kind of store; this particular implementation just holds the keyset in memory.
let mut mem_keyset = tink_core::keyset::MemReaderWriter::default();
// The `Handle::write` method encrypts the keyset that is associated with the handle, using the
// given AEAD (`main_key`), and then writes the encrypted keyset to the `keyset::Writer`
// implementation (`mem_keyset`). We recommend you encrypt the keyset handle before
// persisting it.
kh1.write(&mut mem_keyset, main_key.box_clone())?;
println!("Encrypted keyset: {:?}", mem_keyset.encrypted_keyset);
// The `Handle::read` method reads the encrypted keyset back from the `keyset::Reader`
// implementation and decrypts it using the AEAD used to encrypt it (`main_key`), giving a
// handle to the recovered keyset.
let kh2 = tink_core::keyset::Handle::read(&mut mem_keyset, main_key)?;
assert_eq!(
insecure::keyset_material(&kh1),
insecure::keyset_material(&kh2)
);
println!("Key handles are equal.");
Ok(())
}
License
Disclaimer
This is not an officially supported Google product.