---
source_url: https://www.pubnub.com/docs/sdks/rust/api-reference/encryption
title: Encryption API for Rust SDK
updated_at: 2026-05-20T11:08:14.624Z
sdk_name: PubNub Rust SDK
sdk_version: 0.7.0
---

> Documentation Index
> For a curated overview of PubNub documentation, see: https://www.pubnub.com/docs/llms.txt
> For the full list of all documentation pages, see: https://www.pubnub.com/docs/llms-full.txt


# Encryption API for Rust SDK

PubNub Rust SDK, use the latest version: 0.7.0

Install:

```bash
cargo add pubnub@0.7.0
```

PubNub Rust SDK includes message encryption. This page shows how to set up the crypto module and perform partial encryption. The SDK supports 128-bit Advanced Encryption Standard (AES) and 256-bit AES in Cipher Block Chaining (CBC) mode.

For general SDK configuration and initialization, refer to the [Configuration](https://www.pubnub.com/docs/sdks/rust/api-reference/configuration) page.

## Configuration

### CryptoModule

CryptoModule implements the CryptoProvider trait and provides encrypt/decrypt functionality for messages. From the 0.3.0 onward, you can configure the algorithms it uses.

Each PubNub SDK is bundled with two ways of encryption: the legacy encryption with 128-bit cipher key entropy and the recommended 256-bit AES-CBC encryption. For more general information on how encryption works, refer to [Message Encryption](https://www.pubnub.com/docs/general/setup/data-security#message-encryption).

The default constructors for the bundled crypto modules take the cipher_key (string used to encrypt/decrypt) and use_random_iv (boolean, whether or not to use a random initialization vector) parameters as arguments.

:::note Legacy encryption with 128-bit cipher key entropy
You don't have to change your encryption configuration if you want to keep using the legacy encryption. If you want to use the recommended 256-bit AES-CBC encryption, you must explicitly set that in PubNub config.
:::

:::note SDK initialization required
Before you use encryption methods, ensure your PubNub client is configured with a subscribe key and a user ID. See the [Configuration guide](https://www.pubnub.com/docs/sdks/rust/api-reference/configuration#initialization) for setup instructions.
:::

#### CryptoModule configuration

To configure the CryptoModule to encrypt all messages/files, you can use the following methods in the Rust SDK:

```rust
// encrypts using 256-bit AES-CBC cipher (recommended)
// decrypts data encrypted with the legacy and the 256-bit AES-CBC ciphers
let client = PubNubClientBuilder::with_transport(Transport)
    ...
    .with_cryptor(CryptoModule::new_aes_cbc_module("enigma", true)?)
    .build()?;

// encrypts with 128-bit cipher key entropy (legacy)
// decrypts data encrypted with the legacy and the 256-bit AES-CBC ciphers
let client = PubNubClientBuilder::with_transport(Transport)
    ...
    .with_cryptor(CryptoModule::new_legacy_module("enigma", true)?)
    .build()?;
```

The client can decrypt content from either module. You can read historical messages and messages from older clients, and you can encrypt new messages with 256-bit AES-CBC.

:::warning Older SDK versions
Apps built using the SDK versions lower than 0.3.0 will **not** be able to decrypt data encrypted using the 256-bit AES-CBC cipher. Make sure to update your clients or encrypt data using the legacy algorithm.
:::

### Partial encryption

For partial encryption of individual strings, you can create a crypto module instance and use it directly:

#### Sample code

:::tip Reference code
This example is a self-contained code snippet ready to be run. It includes necessary imports and executes methods with console logging. Use it as a reference when working with other examples in this document.
:::

```rust
// partial encryption
// creates an instance
crypto_module = CryptoModule::new_aes_cbc_module("enigma", true)?;
// encrypts a string
let encrypt_result = crypto_module.encrypt(b"string to encrypt")?;
// decrypts a string
crypto_module.decrypt(encrypt_result)?;
```

## Terms in this document

* **Subscribe Key** - A unique identifier that allows your application to receive messages from PubNub channels. It's part of your app's credentials and should be kept secure.
* **User** - An individual or entity that interacts with a system, application, or service. In PubNub, a user typically refers to someone who sends or receives messages through the platform, identified by a unique user ID or username.
* **User ID** - UTF-8 encoded, unique string of up to 92 characters used to identify a single client (end user, device, or server) that connects to PubNub.