9 releases (4 breaking)
Uses new Rust 2024
| Version | Released |
|---|---|
| 0.8.0 | May 6, 2026 |
| 0.7.0 | May 4, 2026 |
| 0.6.2 | May 4, 2026 |
| 0.6.0 | Apr 22, 2026 |
| 0.4.0 | Feb 3, 2026 |
kmb-crypto: Cryptographic primitives for Kimberlite
This crate provides the cryptographic foundation for Kimberlite's
tamper-evident append-only log.
Modules
| Module | Purpose | Status |
|---|---|---|
| chain | Hash chains for tamper evidence (SHA-256) | ✅ Ready |
| hash | Dual-hash abstraction (SHA-256/BLAKE3) | ✅ Ready |
| signature | Ed25519 signatures for non-repudiation | ✅ Ready |
| encryption | AES-256-GCM encryption and key wrapping | ✅ Ready |
Quick Start
```rust
use kimberlite_crypto::{chain_hash, ChainHash, SigningKey, internal_hash, HashPurpose};
use kimberlite_crypto::{EncryptionKey, WrappedKey};

// Build a tamper-evident chain of records (SHA-256 for compliance)
let hash0 = chain_hash(None, b"genesis record");
let hash1 = chain_hash(Some(&hash0), b"second record");

// Fast internal hash (BLAKE3) for deduplication
let fingerprint = internal_hash(b"content to deduplicate");

// Sign records for non-repudiation
let signing_key = SigningKey::generate();
let signature = signing_key.sign(hash1.as_bytes());

// Verify the signature
let verifying_key = signing_key.verifying_key();
assert!(verifying_key.verify(hash1.as_bytes(), &signature).is_ok());

// Wrap a key for secure storage (key hierarchy)
let kek = EncryptionKey::generate();
let dek = EncryptionKey::generate();
let wrapped = WrappedKey::new(&kek, &dek.to_bytes());
let unwrapped = wrapped.unwrap_key(&kek).unwrap();
assert_eq!(dek.to_bytes(), unwrapped);
```
PRESSURECRAFT lints
This crate opts in to strict lints that encode PRESSURECRAFT rules:
no .unwrap() (use .expect("invariant: …")), no bare panic!,
no todo!/unimplemented! stubs, no functions longer than the
too-many-lines-threshold in clippy.toml. Test code is exempt.
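One way a crate could express these rules with stock Clippy lints, shown as an added example rather than kmb-crypto's actual configuration. The mapping of each rule to a lint name is an assumption, and the threshold value is constructed.

```toml
# ---- Cargo.toml: lint levels (the [lints] table needs Cargo 1.74 or newer) ----
[lints.clippy]
unwrap_used    = "deny"  # no .unwrap(); .expect("invariant: ...") stays allowed
panic          = "deny"  # no bare panic!
todo           = "deny"  # no todo! stubs
unimplemented  = "deny"  # no unimplemented! stubs
too_many_lines = "deny"  # functions longer than the clippy.toml threshold

# ---- clippy.toml: lint configuration, in the crate root ----
# Constructed value: the page does not state the crate's limit (Clippy's default is 100).
too-many-lines-threshold = 60
# "Test code is exempt": these switches cover #[test] functions and #[cfg(test)] modules.
allow-unwrap-in-tests = true
allow-panic-in-tests = true
```

The two in-tests switches only cover `unwrap_used` and `panic`; exempting test code from the other lints can be done with an `#[allow(...)]` on the test module.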