MailKite.Crypto (MailKite v0.13.0)


At-rest encryption, byte-compatible with MailKite's WebCrypto envelope and every other MailKite SDK, so a value encrypted in one language decrypts in another.

A hybrid scheme: a fresh AES-256-GCM content key encrypts the data and is then wrapped with RSA-OAEP (SHA-256). The serialized envelope is a compact JSON string with base64 fields {v, keyAlg:"RSA-OAEP-256", fp, enc:"A256GCM", iv, wrappedKey, ciphertext}, where fp is the lowercase hex SHA-256 of the SPKI DER. Local only.
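The scheme described above, sketched with Node.js's built-in crypto module as an added example; it is not MailKite's code and is not guaranteed byte-compatible with it. Assumed, because the page does not state them: v is 1, the IV is 12 bytes, the 16-byte GCM tag is appended to the ciphertext as WebCrypto does, base64 uses the standard alphabet, and the function names and error reasons are hypothetical.

```javascript
const nodeCrypto = require("node:crypto");
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };
const TAG_LEN = 16; // assumed: GCM tag appended to the ciphertext (WebCrypto layout)

// fp as the page defines it: lowercase hex SHA-256 of the SPKI DER.
// Accepts a public or private PEM; Node derives the public half from a private key.
function fingerprint(keyPem) {
  const der = nodeCrypto.createPublicKey(keyPem).export({ type: "spki", format: "der" });
  return nodeCrypto.createHash("sha256").update(der).digest("hex");
}

function encryptEnvelope(plaintext, publicKeyPem) {
  const cek = nodeCrypto.randomBytes(32); // fresh AES-256 content key per envelope
  const iv = nodeCrypto.randomBytes(12);  // assumed 96-bit GCM nonce
  const c = nodeCrypto.createCipheriv("aes-256-gcm", cek, iv);
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final(), c.getAuthTag()]);
  const wrapped = nodeCrypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, cek);
  const b64 = (buf) => buf.toString("base64");
  return JSON.stringify({ v: 1 /* assumed */, keyAlg: "RSA-OAEP-256",
    fp: fingerprint(publicKeyPem), enc: "A256GCM",
    iv: b64(iv), wrappedKey: b64(wrapped), ciphertext: b64(ct) });
}

// Returns { ok: plaintext } or { error: reason }; reason strings are hypothetical.
function decryptEnvelope(envelopeJson, privateKeyPem) {
  try {
    const e = JSON.parse(envelopeJson);
    // Pin the algorithms instead of trusting whatever the envelope names.
    if (e.keyAlg !== "RSA-OAEP-256" || e.enc !== "A256GCM") return { error: "unsupported_alg" };
    // Check fp before unwrapping so a wrong key is reported as such.
    if (e.fp !== fingerprint(privateKeyPem)) return { error: "wrong_key" };
    const cek = nodeCrypto.privateDecrypt({ key: privateKeyPem, ...OAEP }, Buffer.from(e.wrappedKey, "base64"));
    const raw = Buffer.from(e.ciphertext, "base64");
    if (raw.length < TAG_LEN) return { error: "decrypt_failed" };
    const d = nodeCrypto.createDecipheriv("aes-256-gcm", cek, Buffer.from(e.iv, "base64"));
    d.setAuthTag(raw.subarray(raw.length - TAG_LEN));
    // final() throws if the tag does not verify, so tampering never yields plaintext.
    const pt = Buffer.concat([d.update(raw.subarray(0, raw.length - TAG_LEN)), d.final()]);
    return { ok: pt.toString("utf8") };
  } catch { return { error: "decrypt_failed" }; }
}

// Constructed demo: throwaway key pair generated locally, then a round trip.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" }, privateKeyEncoding: { type: "pkcs8", format: "pem" } });
  return decryptEnvelope(encryptEnvelope("hello", publicKey), privateKey);
}
```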

Summary

Functions

decrypt(envelope_json, private_key_pem)

Decrypt a MailKite at-rest envelope (JSON string) with an RSA private key (PKCS#8 PEM), returning {:ok, plaintext} or {:error, reason}.

encrypt(plaintext, public_key_pem)

Encrypt a UTF-8 plaintext to an RSA public key (SPKI PEM), returning the at-rest envelope serialized as a compact JSON string.

Functions

decrypt(envelope_json, private_key_pem)

@spec decrypt(String.t(), String.t()) :: {:ok, String.t()} | {:error, term()}

Decrypt a MailKite at-rest envelope (JSON string) with an RSA private key (PKCS#8 PEM), returning {:ok, plaintext} or {:error, reason}.

encrypt(plaintext, public_key_pem)

@spec encrypt(String.t(), String.t()) :: String.t()

Encrypt a UTF-8 plaintext to an RSA public key (SPKI PEM), returning the at-rest envelope serialized as a compact JSON string.