| .. | ||
| examples | ||
| src | ||
| Cargo.toml | ||
| README.md | ||
Encrypt - Multi-Backend Encryption
A unified encryption framework supporting multiple cloud and on-premises secret management providers.
Overview
Encrypt provides a unified API for secret management and encryption across different backends:
- 🔐 SOPS - Secrets Operations with multi-KMS support (AWS, GCP, Azure)
- 🔑 RustyVault - HashiCorp Vault alternative
- ☁️ AWS KMS - Amazon Key Management Service
- 🌐 GCP KMS - Google Cloud Key Management
- 💎 Azure Key Vault - Microsoft Azure secret management
Features
- 🔄 Unified API - Same interface for all backends
- 🎯 Backend Detection - Auto-detect available backends
- 🔍 Secret Detection - Pattern-based secret detection (7 default patterns)
- ⚠️ False Positive Filtering - Intelligent filtering of detected "secrets"
- 🔧 Flexible Configuration - Extensive configuration options
- 🚀 Async Support - Built for modern async Rust
Supported Backends
SOPS (Secrets Operations)
Multi-KMS support with git-friendly encrypted YAML/JSON/TOML files
use encrypt::config::{EncryptionConfig, BackendType, SopsConfig};
let sops = SopsConfig {
kms_provider: "aws".to_string(),
gcp_project: None,
pgp_fingerprints: vec![],
..Default::default()
};
RustyVault
HashiCorp Vault-compatible secret management
use encrypt::config::RustyVaultConfig;
let vault = RustyVaultConfig {
vault_addr: "https://vault.example.com".to_string(),
namespace: Some("myapp".to_string()),
..Default::default()
};
AWS KMS
Amazon Key Management Service for secrets
use encrypt::config::AwsKmsConfig;
let aws = AwsKmsConfig {
region: "us-east-1".to_string(),
key_id: "arn:aws:kms:us-east-1:123456789012:key/12345678".to_string(),
..Default::default()
};
GCP KMS
Google Cloud Key Management Service
use encrypt::config::GcpKmsConfig;
let gcp = GcpKmsConfig {
project_id: "my-project".to_string(),
key_ring: "myapp-keys".to_string(),
crypto_key: "default".to_string(),
..Default::default()
};
Azure Key Vault
Microsoft Azure secret management
use encrypt::config::AzureKmsConfig;
let azure = AzureKmsConfig {
vault_name: "myapp-vault".to_string(),
tenant_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx".to_string(),
..Default::default()
};
Quick Start
use encrypt::config::EncryptionConfig;
// Create configuration
let config = EncryptionConfig {
backends: vec![/* backend configs */],
default_backend: "sops".to_string(),
auto_detect: true,
..Default::default()
};
// Use encryption backend
let backend = config.get_default_backend()?;
backend.encrypt(secret_data)?;
backend.decrypt(encrypted_data)?;
Secret Detection
Detect secrets in code or configuration:
use encrypt::detect::detect_secrets;
let patterns = detect_secrets(code_content);
for detected in patterns {
println!("Found: {} with confidence: {}",
detected.name, detected.confidence);
}
Default Patterns
- AWS Access Keys (
AKIA[0-9A-Z]{16}) - AWS Secret Keys
- GitHub Tokens (
gh[pousr]{1}_...) - Vault Tokens (
hvs.*) - Private Keys (RSA, DSA, OpenSSH, EC)
- API Keys
- Database Passwords
Architecture
error.rs- Error types for encryption operationsconfig.rs- Configuration for backendsbackend/mod.rs- Backend trait definitionbackend/sops.rs- SOPS implementationbackend/rustyvault.rs- RustyVault implementationbackend/kms.rs- AWS/GCP/Azure KMS implementationsdetect.rs- Secret pattern detection
Use Cases
Secret Management
Centralized secrets across environments
Compliance
Encrypt sensitive data to meet regulatory requirements
DevOps
Automate secret rotation and management
Security
Prevent accidental secret exposure
Multi-Cloud
Work consistently across AWS, GCP, Azure
Configuration Files
SOPS Example
# .sops.yaml
creation_rules:
- path_regex: secrets/.*
kms: 'arn:aws:kms:us-east-1:123456789012:key/12345678'
age: age1xxx...
Vault Example
[vault]
address = "https://vault.example.com"
token = "hvs.xxx..."
namespace = "myapp"
Testing
Run tests with:
cargo test --lib
All 27 tests pass with full coverage of:
- Configuration management
- All 5 backend implementations
- Secret detection with filtering
- Error handling
Performance
- Fast secret detection
- Minimal overhead
- Supports large files
- Efficient pattern matching
API Documentation
Full API documentation available with:
cargo doc --open
Integration
Encrypt can be integrated with:
- CI/CD systems for secret management
- Configuration management systems
- Deployment automation (provctl, provisioning)
- Secret scanning tools
- Compliance automation
Security Considerations
- ✅ Never log secrets
- ✅ Use secure credential storage
- ✅ Rotate credentials regularly
- ✅ Use TLS for backend communication
- ✅ Principle of least privilege for access
License
Same as prov-ecosystem parent project
Contributing
Contributions welcome! See parent project guidelines.
See Also
- prov-ecosystem README - Parent project overview
- valida - Validation rules engine
- runtime - Container runtime abstraction
- init-servs - Init system abstraction