//! This example demonstrates how to use a configuration that depends on external data.
use encrypted_message::{
EncryptedMessage,
strategy::Randomized,
config::{Config, Secret, ExposeSecret as _},
};
use pbkdf2::pbkdf2_hmac_array;
use sha2::Sha256;
/// Encryption configuration whose key material comes from a user-supplied password.
///
/// NOTE: When depending on human-provided keys/passwords, ensure you derive them
/// using a key derivation function (KDF). Using a human-provided key directly is not
/// secure, as such keys are likely to be weak.
///
/// You should also use the `secrecy` crate in cases like these, to ensure safe key handling.
/// Both fields are wrapped in `Secret`, so their contents are only reachable through
/// `expose_secret()`.
#[derive(Debug)]
struct UserEncryptionConfig {
    // The human-chosen password; it is fed to the KDF in `keys()` and never used as a key directly.
    user_password: Secret<String>,
    // Salt mixed into the KDF. A salt does not have to be confidential, but it should be
    // randomly generated and unique per user so that identical passwords yield different keys.
    salt: Secret<String>,
}
impl Config for UserEncryptionConfig {
    type Strategy = Randomized;

    /// Derives the single 32-byte encryption key from the user's password and salt.
    ///
    /// The key is computed with PBKDF2-HMAC-SHA256 over the password bytes and salt bytes,
    /// using 2^16 (65,536) iterations, and is returned wrapped in a `Secret`. The derivation
    /// is recomputed on every call to this method.
    fn keys(&self) -> Vec<Secret<[u8; 32]>> {
        // NOTE(review): 65,536 iterations is well below OWASP's current guidance for
        // PBKDF2-HMAC-SHA256 (600,000). Treat this value as a demo setting and tune it for
        // production; changing it changes the derived key, so data encrypted under the old
        // count must be re-encrypted or the count stored alongside the ciphertext.
        let iterations = 2_u32.pow(16);

        let password_bytes = self.user_password.expose_secret().as_bytes();
        let salt_bytes = self.salt.expose_secret().as_bytes();

        let key: Secret<[u8; 32]> =
            pbkdf2_hmac_array::<Sha256, 32>(password_bytes, salt_bytes, iterations).into();

        vec![key]
    }
}
/// Encrypts a sample diary entry with a password-derived key, prints the encrypted value,
/// then decrypts it with the same configuration and prints the plaintext.
fn main() {
    // Demo values only: in a real application the password comes from the user at runtime
    // and the salt is a per-user random value stored next to the ciphertext, never
    // constants compiled into the binary.
    let password = String::from("human-password-that-should-be-derived");
    let salt = String::from("unique-salt");
    let config = UserEncryptionConfig {
        user_password: password.into(),
        salt: salt.into(),
    };

    // Encrypt a user's diary.
    let plaintext = String::from("Very personal stuff");
    let diary: EncryptedMessage<String, UserEncryptionConfig> =
        EncryptedMessage::encrypt_with_config(plaintext, &config).unwrap();
    println!("Encrypted diary: {diary:#?}");

    // Decrypt the user's diary. `unwrap` is acceptable in an example; production code
    // should handle the error, since a wrong password or salt yields a different key.
    let decrypted = diary.decrypt_with_config(&config).unwrap();
    println!("Decrypted diary: {decrypted}");
}