Command-line envelope encryption with secret-keeper

Encryption and decryption using Secret Keeper

Install

```sh
cargo install encrypt-rs
```

Run

```sh
# Encrypt file
$ encrypt enc -o OUT [ -k KEEPER ] [ -c CIPHER ] FILE

# Decrypt file
$ encrypt dec -o OUT [ -k KEEPER ] [ -c CIPHER ] FILE

# View key envelope
$ encrypt key view [ -k KEEPER ] FILE
```

-k KEEPER options: (default: 'env:')

- env: (EnvKeeper)
  - env: - passphrase for deriving key is in environment var VAULT_PASSWORD.
  - env:VARNAME - passphrase for deriving key is in environment variable VARNAME

  ```sh
  # example:
  export PASSWORD="my-super-secret-passphrase"
  encrypt enc -o FILE.enc -k env:PASSWORD FILE
  ```
- prompt: (PromptKeeper)
  - user will be prompted on terminal for passphrase for deriving key
- hashivault: (HashivaultKeeper)
  - key-encrypting-key is on hashivault transit server. See hashivault keeper doc for url syntax

  ```sh
  # example:
  encrypt enc -o FILE.enc -k hashivault://my_key FILE
  ```
- cloudkms: (CloudKMSKeeper)

  ```sh
  # example:
  encrypt enc -o FILE.enc -k cloudkms:/PROJ/global/my_keyring/my_key FILE
  ```

-c CIPHER options: Default cipher is LZ4XChaCha20Poly1305, which combines LZ4 compression with XChaCha20-Poly1305. (Cipher algorithm implemented by RustCrypto)

- XChaCha20Poly1305 (aliases: xchacha20, xchacha20poly1305)
- LZ4XChaCha20Poly1305 (aliases: lz4, lz4xchacha20, lz4xchacha20poly1305)
- AesGcm256 (aliases: aes, aesgcm, aesgcm256)

There are some additional usage examples in the test* shell scripts.

Random number generation

File nonces and keys are generated with the platform's OS CSRNG, using the rand crate.