| Crates.io | trelent-hyok |
| lib.rs | trelent-hyok |
| version | 0.1.12 |
| created_at | 2025-03-19 11:30:32.11294+00 |
| updated_at | 2025-03-19 11:30:32.11294+00 |
| description | A Rust library implementing Hold Your Own Key (HYOK) encryption patterns with support for multiple cloud providers |
| homepage | |
| repository | https://github.com/trelent/hyokashi |
| max_upload_size | |
| id | 1597916 |
| size | 1,364,308 |
Hyokashi is a Rust library that implements Hold Your Own Key (HYOK) encryption patterns, supporting multiple cloud providers and custom implementations. It provides a flexible and secure way to manage data encryption keys (DEKs) while maintaining control over your encryption strategy.
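Add this to your Cargo.toml (this page lists the package on crates.io as `trelent-hyok`, version 0.1.12, while the snippets below use the name `hyokashi` and version 0.1.0; confirm that the name and version you add resolve to the package you intend before building):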
[dependencies]
hyokashi = "0.1.0"
To enable cloud provider support, use feature flags:
[dependencies]
hyokashi = { version = "0.1.0", features = ["aws", "azure"] }
use hyokashi::HYOKServiceBuilder;
use hyokashi::encryption::aes_gcm::{AesGcm256Strategy, AesGcmEncryptionData};
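/// Example: build a HYOK service backed by AWS KMS (customer-managed key) and
/// AWS Secrets Manager (persistence), then encrypt one value with AES-256-GCM.
///
/// The snippet is illustrative rather than self-contained: `data` (the
/// plaintext) is not defined here, and `BehaviorVersion`,
/// `EncryptionAlgorithmSpec` and `Duration` are used without a visible `use`.
///
/// # Panics
///
/// Panics if the service cannot be built, if nonce generation fails, or if
/// `hold_value` fails.
async fn encrypt_with_aws() {
    let config = aws_config::load_defaults(BehaviorVersion::latest()).await;

    let builder = HYOKServiceBuilder::new()
        // "your-key-name" is a placeholder for the KMS key that acts as the CMK.
        .with_aws_cmk(
            aws_sdk_kms::Client::new(&config),
            "your-key-name",
            EncryptionAlgorithmSpec::RsaesOaepSha256,
        )
        .with_aws_persistence(aws_sdk_secretsmanager::Client::new(&config))
        // NOTE(review): the argument meanings are not shown on this page
        // (presumably a capacity and two expiry durations). If the cache holds
        // key material, these values bound how long it stays in process
        // memory; confirm against the crate documentation.
        .with_moka_cache(10000, Duration::from_secs(60), Duration::from_secs(300))
        // NOTE(review): 32 is presumably a length in bytes, i.e. a 256-bit key
        // for `AesGcm256Strategy`; confirm.
        .with_fixed_length_generator(32);
    let hyok_service = builder.build(AesGcm256Strategy).unwrap();

    // Encrypt data
    let encryption_data = AesGcmEncryptionData {
        // `[1; 16]` is a fixed sample value. NOTE(review): presumably passed as
        // AES-GCM associated data, which is authenticated but not encrypted;
        // confirm how the crate uses it before relying on it.
        aad: [1; 16],
        // AES-GCM must never see the same nonce twice under one key, so a
        // fresh nonce is generated for each value that is encrypted.
        nonce: hyokashi::encryption::aes_gcm::generate_nonce().unwrap(),
    };

    // The original ended this call with `?`, which cannot be used in a
    // function returning `()`. Failure is handled the same way as the other
    // fallible calls in this example: by panicking.
    let held_value = hyok_service
        .hold_value(data, "my-scope".to_string(), encryption_data)
        .await
        .expect("hold_value failed");
}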
use hyokashi::HYOKServiceBuilder;
use azure_security_keyvault::prelude::*;
/// Example: build a HYOK service whose customer-managed key and persistence
/// layer are both served by one Azure Key Vault client.
///
/// `AesGcm256Strategy` and `Duration` are not imported by the two `use` lines
/// shown with this snippet.
///
/// # Panics
///
/// Panics if the credential, the Key Vault client or the service cannot be
/// created.
async fn encrypt_with_azure() {
    let credential = azure_identity::create_specific_credential().unwrap();
    let vault = KeyvaultClient::new("your-keyvault-url", credential).unwrap();

    // The type name is spelled as it appears on the page; check it against the
    // `azure_security_keyvault` version in use.
    let rsa_oaep = CryptographParamtersEncryption::Rsa(RsaEncryptionParameters {
        algorithm: EncryptionAlgorithm::RsaOaep256,
    });

    // The same client (and therefore the same credential) is handed to both
    // the CMK and the persistence component.
    // NOTE(review): that presumably means one identity can reach both the
    // wrapping key and the stored keys; confirm that this matches the
    // separation you expect from a HYOK setup.
    let hyok_service = HYOKServiceBuilder::new()
        .with_azure_cmk("your-key-name", rsa_oaep, vault.clone())
        .with_azure_persistence(vault)
        .with_moka_cache(10000, Duration::from_secs(60), Duration::from_secs(300))
        .with_fixed_length_generator(32)
        .build(AesGcm256Strategy)
        .unwrap();
}
The library supports custom implementations for all components:
// Every component is caller-supplied in this variant: `get_fn`/`set_fn`,
// `encrypt_fn`/`decrypt_fn`, `persist_fn`/`fetch_fn` and `your_custom_strategy`
// are placeholders that this snippet does not define.
// NOTE(review): the CMK callbacks presumably wrap and unwrap the data
// encryption key, in which case the protection of stored keys is only as
// strong as those two functions; confirm against the crate documentation.
let builder = HYOKServiceBuilder::new()
    .with_fixed_length_generator(32)
    .with_custom_cache(get_fn, set_fn)
    .with_custom_cmk(encrypt_fn, decrypt_fn)
    .with_custom_persistence(persist_fn, fetch_fn);
// As in the provider examples, a failed build panics here.
let hyok_service = builder.build(your_custom_strategy).unwrap();
This project is licensed under the MIT License - see the LICENSE file for details.
Contributions are welcome! Please feel free to submit a Pull Request.