Module encryption

Expand description

Encryption at rest for filesystem storage (CRIT-005).

Provides AES-256-GCM authenticated encryption for memory files. Encryption is opt-in via the encryption feature flag and requires setting the SUBCOG_ENCRYPTION_KEY environment variable.

§Security Properties

Algorithm: AES-256-GCM (authenticated encryption)
Key: 32 bytes (256 bits) from base64-encoded env var
Nonce: 12 bytes, randomly generated per encryption
Format: SUBCOG_ENC_V1 magic + nonce + ciphertext + auth tag

§Usage

# Generate a key (32 random bytes, base64 encoded)
openssl rand -base64 32

# Set the environment variable
export SUBCOG_ENCRYPTION_KEY="your-base64-encoded-key"

§Example

use subcog::security::encryption::{Encryptor, EncryptionConfig};

let config = EncryptionConfig::from_env()?;
let encryptor = Encryptor::new(config)?;

let plaintext = b"sensitive data";
let encrypted = encryptor.encrypt(plaintext)?;
let decrypted = encryptor.decrypt(&encrypted)?;
assert_eq!(plaintext, &decrypted[..]);

Modules§

implementation 🔒

Structs§

EncryptionConfig: Encryption configuration.
Encryptor: AES-256-GCM encryptor.

Constants§

MAGIC_HEADER: Magic bytes to identify encrypted files. Format: SUBCOG_ENC_V1\0 (14 bytes)

Functions§

is_encrypted: Checks if data appears to be encrypted (has magic header).

Module encryption

Module encryption Copy item path

§Security Properties

§Usage

§Example

Modules§

Structs§

Constants§

Functions§

Module encryption