Rust AWS KMS客户端库rusoto_kms的使用,Rust加密密钥管理服务rusoto_kms支持安全密钥创建、轮换和使用

Rusoto KMS - AWS密钥管理服务的Rust SDK

要求

需要使用Rust稳定版或测试版。Nightly版本经过测试但不保证支持。可能支持旧版本。

在Linux上,如果使用native-tls功能需要OpenSSL。

安装

在Cargo.toml中添加依赖:

[dependencies]
rusoto_kms = "0.48.0"

功能特性

  • native-tls - 使用平台特定的TLS实现
  • rustls - 使用rustls TLS实现
  • serialize_structs - 输出结构体获得derive(Serialize)
  • deserialize_structs - 输入结构体获得derive(Deserialize)

默认使用native-tls TLS实现。

示例代码

以下是使用rusoto_kms管理密钥的完整示例:

use rusoto_core::Region;
use rusoto_kms::{Kms, KmsClient, CreateKeyRequest, ListKeysRequest, ScheduleKeyDeletionRequest};

#[tokio::main]
async fn main() {
    // 创建KMS客户端
    let client = KmsClient::new(Region::UsWest2);
    
    // 1. 创建新密钥
    let create_key_request = CreateKeyRequest {
        description: Some("My test key".to_string()),
        key_usage: Some("ENCRYPT_DECRYPT".to_string()),
        ..Default::default()
    };
    
    let create_key_response = client.create_key(create_key_request)
        .await
        .expect("Failed to create key");
    
    let key_id = create_key_response.key_metadata.unwrap().key_id.unwrap();
    println!("Created new key with ID: {}", key_id);
    
    // 2. 列出所有密钥
    let list_keys_request = ListKeysRequest {
        limit: Some(10),
        ..Default::default()
    };
    
    let list_keys_response = client.list_keys(list_keys_request)
        .await
        .expect("Failed to list keys");
    
    println!("Available keys:");
    for key in list_keys_response.keys.unwrap_or_default() {
        println!("- {}", key.key_id.unwrap());
    }
    
    // 3. 计划删除密钥
    let delete_request = ScheduleKeyDeletionRequest {
        key_id: key_id.clone(),
        pending_window_in_days: Some(7), // 7天后删除
        ..Default::default()
    };
    
    let delete_response = client.schedule_key_deletion(delete_request)
        .await
        .expect("Failed to schedule key deletion");
    
    println!(
        "Key {} scheduled for deletion on: {:?}",
        key_id,
        delete_response.deletion_date
    );
}

完整示例扩展

以下是在KMS中进行加密解密的完整示例:

use rusoto_core::Region;
use rusoto_kms::{Kms, KmsClient, EncryptRequest, DecryptRequest};
use base64::{encode, decode};

#[tokio::main]
async fn main() {
    let client = KmsClient::new(Region::UsEast1);
    
    // 加密数据
    let encrypt_request = EncryptRequest {
        key_id: "alias/my-key".to_string(),
        plaintext: "Hello KMS".as_bytes().to_vec(),
        ..Default::default()
    };
    
    let encrypt_response = client.encrypt(encrypt_request)
        .await
        .expect("Encryption failed");
    
    let ciphertext = encrypt_response.ciphertext_blob.unwrap();
    println!("Encrypted data (base64): {}", encode(&ciphertext));
    
    // 解密数据  
    let decrypt_request = DecryptRequest {
        ciphertext_blob: ciphertext,
        ..Default::default()
    };
    
    let decrypt_response = client.decrypt(decrypt_request)
        .await
        .expect("Decryption failed");
    
    let plaintext = String::from_utf8(decrypt_response.plaintext.unwrap())
        .expect("Invalid UTF-8");
    println!("Decrypted data: {}", plaintext);
}

贡献

参考Rusoto项目的贡献指南。

许可证

采用MIT许可证分发。


1 回复

Rust AWS KMS客户端库rusoto_kms的使用指南

概述

rusoto_kms是Rusoto项目的一部分,提供了与AWS Key Management Service (KMS)交互的Rust客户端库。它允许开发者在Rust应用程序中安全地创建、管理和使用加密密钥。

主要功能

  • 创建和管理加密密钥(CMKs)
  • 密钥轮换管理
  • 数据加密和解密
  • 生成数据密钥
  • 签名和验证操作

安装

在Cargo.toml中添加依赖:

[dependencies]
rusoto_core = "0.48"
rusoto_kms = "0.48"
tokio = { version = "1", features = ["full"] }

基本使用方法

1. 创建KMS客户端

use rusoto_core::Region;
use rusoto_kms::{Kms, KmsClient};

#[tokio::main]
async fn main() {
    let client = KmsClient::new(Region::UsWest2);
}

2. 创建新密钥

use rusoto_kms::{CreateKeyRequest, Kms};

async fn create_key(client: &KmsClient) {
    let request = CreateKeyRequest {
        description: Some("My encryption key".to_string()),
        key_usage: Some("ENCRYPT_DECRYPT".to_string()),
        ..Default::default()
    };

    match client.create_key(request).await {
        Ok(output) => {
            println!("Created key with ARN: {:?}", output.key_metadata.unwrap().arn);
        }
        Err(e) => println!("Error creating key: {}", e),
    }
}

3. 加密数据

use rusoto_kms::{EncryptRequest, Kms};
use base64;

async fn encrypt_data(client: &KmsClient, key_id: &str, plaintext: &str) {
    let request = EncryptRequest {
        key_id: key_id.to_string(),
        plaintext: plaintext.as_bytes().to_vec(),
        ..Default::default()
    };

    match client.encrypt(request).await {
        Ok(output) => {
            let ciphertext = base64::encode(output.ciphertext_blob.unwrap());
            println!("Encrypted data: {}", ciphertext);
        }
        Err(e) => println!("Error encrypting data: {}", e),
    }
}

4. 解密数据

use rusoto_kms::{DecryptRequest, Kms};
use base64;

async fn decrypt_data(client: &KmsClient, ciphertext: &str) {
    let ciphertext_blob = base64::decode(ciphertext).unwrap();
    
    let request = DecryptRequest {
        ciphertext_blob,
        ..Default::default()
    };

    match client.decrypt(request).await {
        Ok(output) => {
            let plaintext = String::from_utf8(output.plaintext unwrap()).unwrap();
            println!("Decrypted data: {}", plaintext);
        }
        Err(e) => println!("Error decrypting data: {}", e),
    }
}

5. 生成数据密钥

use rusoto_kms::{GenerateDataKeyRequest, Kms};
use base64;

async fn generate_data_key(client: &KmsClient, key_id: &str) {
    let request = GenerateDataKeyRequest {
        key_id: key_id.to_string(),
        key_spec: Some("AES_256".to_string()),
        ..Default::default()
    };

    match client.generate_data_key(request).await {
        Ok(output) => {
            let plaintext_key = base64::encode(output.plaintext.unwrap());
            let encrypted_key = base64::encode(output.ciphertext_blob.unwrap());
            println!("Plaintext key: {}", plaintext_key);
            println!("Encrypted key: {}", encrypted_key);
        }
        Err(e) => println!("Error generating data key: {}", e),
    }
}

6. 启用密钥轮换

use rusoto_kms::{EnableKeyRotationRequest, Kms};

async fn enable_key_rotation(client: &KmsClient, key_id: &str) {
    let request = EnableKey RotationRequest {
        key_id: key_id.to_string(),
    };

    match client.enable_key_rotation(request).await {
        Ok(_) => println!("Enabled key rotation for {}", key_id),
        Err(e) => println!("Error enabling key rotation: {}", e),
    }
}

最佳实践

  1. 密钥管理:避免硬编码密钥ID,使用环境变量或配置管理系统
  2. 错误处理:妥善处理所有可能的错误,特别是加密/解密操作
  3. 权限控制:遵循最小权限原则,只授予必要的KMS权限
  4. 密钥轮换:对长期使用的密钥启用自动轮换
  5. 性能考虑:KMS操作有延迟,考虑在应用启动时预先生成所需密钥

完整示例

use rusoto_core::Region;
use rusoto_kms::{Kms, KmsClient, CreateKeyRequest, EncryptRequest, DecryptRequest};
use base64;

#[tokio::main]
async fn main() {
    // 创建KMS客户端
    let client = KmsClient::new(Region::UsWest2);
    
    // 创建新密钥
    let key_arn = match create_key(&client).await {
        Some(arn) => arn,
        None => return,
    };
    
    // 加密数据
    let plaintext = "Sensitive data to encrypt";
    let ciphertext = match encrypt_data(&client, &key_arn, plaintext).await {
        Some(ct) => ct,
        None => return,
    };
    
    println!("Encrypted data stored as: {}", ciphertext);
    
    // 解密数据
    let decrypted = decrypt_data(&client, &ciphertext).await;
    println!("Decrypted data: {}", decrypted.unwrap_or("Failed".to_string()));
}

// 创建密钥函数
async fn create_key(client: &KmsClient) -> Option<String> {
    let request = CreateKeyRequest {
        description: Some("Example key".to_string()),
        ..Default::default()
    };
    
    client.create_key(request).await.ok()
        .and_then(|output| output.key_metadata)
        .map(|meta| meta.arn.unwrap())
}

// 加密数据函数
async fn encrypt_data(client: &KmsClient, key_id: &str, plaintext: &str) -> Option<String> {
    let request = EncryptRequest {
        key_id: key_id.to_string(),
        plaintext: plaintext.as_bytes().to_vec(),
        ..Default::default()
    };
    
    client.encrypt(request).await.ok()
        .and_then(|output| output.ciphertext_blob)
        .map(|blob| base64::encode(blob))
}

// 解密数据函数
async fn decrypt_data(client: &KmsClient, ciphertext: &str) -> Option<String> {
    let ciphertext_blob = base64::decode(ciphertext).ok()?;
    
    let request = DecryptRequest {
        ciphertext_blob,
        ..Default::default()
    };
    
    client.decrypt(request).await.ok()
        .and_then(|output| output.plaintext)
        .and_then(|plaintext| String::from_utf8(plaintext).ok())
}

rusoto_kms为Rust开发者提供了强大的AWS KMS集成能力,使得在应用程序中实现企业级密钥管理变得简单可靠。

回到顶部