Encryption API for Rust SDK

PubNub Rust SDK provides built-in message encryption to secure your real-time communications. This documentation covers crypto module configuration and partial encryption methods using both legacy 128-bit and enhanced 256-bit AES-CBC encryption.

For general SDK configuration and initialization, refer to the Configuration page.

Configuration

CryptoModule

CryptoModule implements the CryptoProvider trait and provides encrypt/decrypt functionality for messages. From the 0.3.0 release on, you can configure how the actual encryption/decryption algorithms work.

Each PubNub SDK is bundled with two ways of encryption: the legacy encryption with 128-bit cipher key entropy and the recommended 256-bit AES-CBC encryption. For more general information on how encryption works, refer to Message Encryption.

The default constructors for the bundled crypto modules take the cipher_key (string used to encrypt/decrypt) and use_random_iv (boolean, whether or not to use a random initialization vector) parameters as arguments.

Legacy encryption with 128-bit cipher key entropy

You don't have to change your encryption configuration if you want to keep using the legacy encryption. If you want to use the recommended 256-bit AES-CBC encryption, you must explicitly set that in PubNub config.

SDK Initialization required

Before using encryption methods, ensure your PubNub client is properly configured with subscribe key and user ID. See the Configuration guide for setup instructions.

CryptoModule configuration

To configure the CryptoModule to encrypt all messages/files, you can use the following methods in the Rust SDK:

// encrypts using 256-bit AES-CBC cipher (recommended)
// decrypts data encrypted with the legacy and the 256-bit AES-CBC ciphers
let client = PubNubClientBuilder::with_transport(Transport)
    ...
    .with_cryptor(CryptoModule::new_aes_cbc_module("enigma", true)?)
    .build()?;

// encrypts with 128-bit cipher key entropy (legacy)
// decrypts data encrypted with the legacy and the 256-bit AES-CBC ciphers
let client = PubNubClientBuilder::with_transport(Transport)
    ...
    .with_cryptor(CryptoModule::new_legacy_module("enigma", true)?)
    .build()?;

Your client can decrypt content encrypted using either of the modules. This way, you can interact with historical messages or messages sent from older clients while encoding new messages using the more secure 256-bit AES-CBC cipher.

Older SDK versions

Apps built using the SDK versions lower than 0.3.0 will not be able to decrypt data encrypted using the 256-bit AES-CBC cipher. Make sure to update your clients or encrypt data using the legacy algorithm.

Partial encryption

For partial encryption of individual strings, you can create a crypto module instance and use it directly:

Sample code

Reference code

This example is a self-contained code snippet ready to be run. It includes necessary imports and executes methods with console logging. Use it as a reference when working with other examples in this document.

// partial encryption
// creates an instance
crypto_module = CryptoModule::new_aes_cbc_module("enigma", true)?;
// encrypts a string
let encrypt_result = crypto_module.encrypt(b"string to encrypt")?;
// decrypts a string
crypto_module.decrypt(encrypt_result)?;
Last updated on
On this page