Module encryption

Enums§

BlobEncryptionError: Errors produced while sealing or unsealing a blob-format cipher.

decrypt_blob_cipher 🔒: Decrypts a pre-parsed blob-encrypted Cipher into a CipherView. Callers should obtain the SealedCipherBlob via try_parse_blob.
encrypt_blob_cipher 🔒: Encrypts a CipherView into a blob-encrypted Cipher.
encrypt_blob_cipher_with_wrapping_key 🔒: Variant of encrypt_blob_cipher that accepts an explicit outer wrapping key. Used by key rotation, where the new user/org key is installed under a Local slot id and view.key has been rewrapped under that slot — calling key_identifier() would resolve to the original User/Organization slot and fail to unwrap the CEK.
seal_blob_content 🔒: Seals a constructed CipherBlobLatest under cipher_key, returning the opaque string form. Shared by all CipherBlobLatest producers so they don’t each re-implement the versioned-enum wrap + COSE seal + base64 chain.
seal_cipher 🔒: Seals a CipherView into an opaque blob string, using wrapping_key as the outer key that protects the cipher’s wrapped CEK.
try_parse_blob 🔒: Returns the parsed SealedCipherBlob if cipher.data holds one. Returns None for legacy ciphers (missing or unparseable data).