Skip to content
/ Coverium Public

Rust tabanlı, alan-bazlı şifreleme + kör indeks + deterministik eşitlik sorguları + anahtar rotasyonu (envelope encryption) + KMS entegrmanları sağlayan bir crate. Uygulama ile DB arasına minimum sürtünme ile girer

License

Apache-2.0, MIT licenses found

Licenses found

Apache-2.0
LICENSE-APACHE
MIT
LICENSE-MIT
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Tuntii/Coverium

BranchesTags

Repository files navigation

SifreDB

A Rust library for field-level encryption with envelope encryption and blind indexes.

Crates.io Documentation License

Features

  • 🔐 AEAD Encryption: ChaCha20-Poly1305 and AES-GCM support
  • 🔍 Blind Indexes: Searchable encryption without revealing plaintext
  • 🔑 Envelope Encryption: KEK/DEK separation for key management
  • 🔄 Key Rotation: Built-in support for rotating encryption keys
  • 🏢 Multi-tenant Isolation: Secure data isolation per tenant
  • 🛡️ Deterministic Encryption: Enables equality queries on encrypted data
  • 🚀 Zero-copy Operations: Efficient memory usage
  • 🔒 Memory Safety: Automatic zeroing of sensitive data

Installation

Add this to your Cargo.toml:

[dependencies]
sifredb = "0.1"

Quick Start

use sifredb::prelude::*;

// Create a key provider
let provider = FileKeyProvider::new("./keys")?;
let vault = Vault::new(provider, CipherMode::default());

// Define encryption context
let context = EncryptionContext::new("users", "email")
    .with_tenant("tenant_123");

// Encrypt
let ciphertext = vault.encrypt(b"alice@example.com", &context)?;

// Decrypt
let plaintext = vault.decrypt(&ciphertext, &context)?;

Advanced Usage

Blind Indexes for Searchable Encryption

use sifredb::prelude::*;

let vault = Vault::new(provider, CipherMode::default());
let context = EncryptionContext::new("users", "email");

// Create blind index for searching
let email = b"alice@example.com";
let ciphertext = vault.encrypt(email, &context)?;
let blind_index = vault.create_blind_index(email, &context)?;

// Store both ciphertext and blind_index in your database
// Later, search using the blind index without decrypting
let search_index = vault.create_blind_index(b"alice@example.com", &context)?;
// Compare: search_index == blind_index

Deterministic Encryption

use sifredb::prelude::*;

let vault = Vault::new(provider, CipherMode::Deterministic);
let context = EncryptionContext::new("users", "ssn");

// Same input always produces same ciphertext
let ciphertext1 = vault.encrypt(b"123-45-6789", &context)?;
let ciphertext2 = vault.encrypt(b"123-45-6789", &context)?;
assert_eq!(ciphertext1, ciphertext2); // Enables equality queries

Key Rotation

use sifredb::prelude::*;

// Rotate to a new key version
let new_context = context.with_key_version(2);
let old_ciphertext = vault.encrypt(data, &context)?;

// Decrypt with old key, re-encrypt with new key
let plaintext = vault.decrypt(&old_ciphertext, &context)?;
let new_ciphertext = vault.encrypt(&plaintext, &new_context)?;

Multi-tenant Support

use sifredb::prelude::*;

// Tenant A
let context_a = EncryptionContext::new("users", "email")
    .with_tenant("tenant_a");
let cipher_a = vault.encrypt(b"alice@tenant-a.com", &context_a)?;

// Tenant B (isolated encryption)
let context_b = EncryptionContext::new("users", "email")
    .with_tenant("tenant_b");
let cipher_b = vault.encrypt(b"bob@tenant-b.com", &context_b)?;

Key Providers

File-based Provider

use sifredb_key_file::FileKeyProvider;

let provider = FileKeyProvider::new("./keys")?;

AWS KMS Provider

use sifredb_kms_aws::AwsKmsProvider;

let provider = AwsKmsProvider::new("arn:aws:kms:...").await?;

Custom Provider

Implement the KeyProvider trait for your own key management:

use sifredb::key_provider::KeyProvider;

struct MyCustomProvider;

impl KeyProvider for MyCustomProvider {
    fn get_kek(&self, context: &EncryptionContext) -> Result<Vec<u8>> {
        // Your key retrieval logic
    }
}

Security Considerations

  • Key Management: Use a secure key management system (KMS) in production
  • Context Binding: Always use appropriate encryption contexts
  • Memory Safety: Sensitive data is automatically zeroed on drop
  • Key Rotation: Implement regular key rotation policies
  • Audit Logging: Log all encryption/decryption operations

Architecture

SifreDB uses envelope encryption:

  1. KEK (Key Encryption Key): Master key from KMS
  2. DEK (Data Encryption Key): Generated per encryption operation
  3. Encrypted Data: Payload encrypted with DEK
  4. Encrypted DEK: DEK encrypted with KEK

This architecture enables:

  • Efficient key rotation
  • Secure key storage
  • Fast decryption operations

Crates in this Workspace

  • sifredb: Core encryption library
  • sifredb-derive: Derive macros for automatic encryption
  • sifredb-cli: Command-line tool for key management
  • sifredb-key-file: File-based key provider
  • sifredb-kms-aws: AWS KMS integration

Examples

See the examples directory for more use cases:

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

License

Licensed under either of:

at your option.

Status

🚧 This project is under active development. APIs may change before 1.0 release.

Acknowledgments

Built with modern Rust cryptography libraries including chacha20poly1305, aes-gcm, and hkdf.

About

Rust tabanlı, alan-bazlı şifreleme + kör indeks + deterministik eşitlik sorguları + anahtar rotasyonu (envelope encryption) + KMS entegrmanları sağlayan bir crate. Uygulama ile DB arasına minimum sürtünme ile girer

Resources

Readme

License

Apache-2.0, MIT licenses found

Licenses found

Apache-2.0
LICENSE-APACHE
MIT
LICENSE-MIT
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages