Add SecretKey for typed symmetric encryption #382
Add a wrapped SecretKey type analogous to PrivateKey/PublicKey. `Ciphertext::encrypt_with_secret_key` and `Ciphertext::decrypt_with_secret_key` take the key as a SecretKey instead of raw bytes. Methods encrypt_with_raw_key and decrypt_with_raw_key were defined, encrypt/decrypt call these methods.
Pull request overview
This PR introduces a typed SecretKey wrapper for symmetric encryption (analogous to existing wrapped key types) and threads it through the Rust core API and multiple language wrappers (WASM/JS, UniFFI, Python, C FFI, and C#), along with tests and demo updates.
Changes:
- Added Rust `key::SecretKey` (`KeySubtype::Secret`) with generation, serialization, and parsing support.
- Added typed symmetric encryption/decryption APIs that accept `&SecretKey`, plus wrapper exports across WASM/UniFFI/Python/FFI/C#.
- Added new/updated tests (Rust + conformity + Python + C# + WASM) and an Angular demo page for SecretKey encryption.
Reviewed changes
Copilot reviewed 31 out of 32 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| wrappers/wasm/wasm_build.ps1 | New PowerShell build helper for wasm-pack targets and renames the web package in dist. |
| wrappers/wasm/tests/tests/symmetric.ts | Adds JS/WASM tests for encrypt/decrypt using SecretKey (with and without AAD). |
| wrappers/wasm/demo/src/app/service/encryption.inner.service.ts | Re-exports SecretKey and adds helper functions for SecretKey operations in the demo service layer. |
| wrappers/wasm/demo/src/app/secret-key-encryption/secret-key-encryption.component.ts | New Angular component demonstrating SecretKey generation + encrypt/decrypt flows. |
| wrappers/wasm/demo/src/app/secret-key-encryption/secret-key-encryption.component.html | Template for the new demo page UI. |
| wrappers/wasm/demo/src/app/app.routes.ts | Adds route for the SecretKey encryption demo page. |
| wrappers/wasm/demo/src/app/app.component.html | Adds navigation link to the new SecretKey encryption demo page. |
| wrappers/wasm/demo/package.json | Switches demo to consume the locally built ../dist/web package. |
| wrappers/wasm/demo/package-lock.json | Updates lockfile for the local ../dist/web dependency. |
| wrappers/python/tests/symmetric.py | Adds Python tests for SecretKey encrypt/decrypt (with and without AAD). |
| wrappers/csharp/tests/unit-tests/TestManaged.cs | Adds C# unit tests for SecretKey generation, encrypt/decrypt, AAD handling, and round-trip serialization. |
| wrappers/csharp/tests/unit-tests/Conformity.cs | Adds a conformity test vector for decrypting V2 ciphertext with a wrapped SecretKey. |
| wrappers/csharp/src/SecretKey.cs | Introduces a C# SecretKey wrapper type for serialized secret-key blobs. |
| wrappers/csharp/src/Native.Core.cs | Adds P/Invoke bindings for GenerateSecretKey and GenerateSecretKeySize. |
| wrappers/csharp/src/Managed.cs | Adds SecretKey generation and encrypt/decrypt overloads taking SecretKey. |
| uniffi/devolutions-crypto-uniffi/src/key.rs | Exposes SecretKey generation via UniFFI (serialized bytes). |
| uniffi/devolutions-crypto-uniffi/src/ciphertext.rs | Exposes encrypt/decrypt helpers that accept serialized SecretKey bytes (and AAD variants). |
| tests/conformity.rs | Adds Rust-level conformity test vector for decrypting with a wrapped SecretKey. |
| src/wasm.rs | Exposes SecretKey as a wasm-bindgen class plus typed encrypt/decrypt bindings. |
| src/secret_sharing/mod.rs | Doc text cleanup (“split” vs “splitted”). |
| src/lib.rs | Updates crate docs to reflect SecretKey support and adjusts exports. |
| src/key/secret_key_v1.rs | Implements SecretKey V1 payload (32 random bytes, zeroized). |
| src/key/mod.rs | Adds SecretKey wrapper type, generation, serialization/deserialization, and tests. |
| src/enums.rs | Adds KeySubtype::Secret = 4. |
| src/ciphertext/mod.rs | Adds *_with_raw_key helpers, plus typed SecretKey encrypt/decrypt wrappers and tests. |
| README_RUST.md | Removes/updates badges in Rust README. |
| python/src/lib.rs | Adds Python bindings for generate_secret_key, encrypt_with_secret_key, decrypt_with_secret_key. |
| python/devolutions_crypto.pyi | Adds Python type stubs/docs for new SecretKey functions. |
| ffi/src/lib.rs | Adds C ABI GenerateSecretKey + size function and a unit test. |
| ffi/devolutions-crypto.h | Adds C header declarations for SecretKey generation functions. |
| _plans/secret-key.md | Adds implementation plan document for Rust core SecretKey. |
| _plans/secret-key-wrappers.md | Adds implementation plan document for exposing SecretKey in wrappers. |
Files not reviewed (1)
- wrappers/wasm/demo/package-lock.json: Language not supported
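A typed key lets the parser reject a blob that has the right length but is the wrong kind of key, which a raw byte slice cannot express. The following is an added example, not code from this PR or from devolutions-crypto: `SecretKey`, `KeySubtype::Secret = 4` and the 32-byte V1 payload come from the summary above, while the two-byte `[subtype][version]` tag layout, `KeyError`, `as_raw` and the volatile wipe (standing in for zeroization) are assumptions.

```rust
// Added illustration, not devolutions-crypto code. From the PR page: SecretKey,
// KeySubtype::Secret = 4, 32-byte V1 payload. Assumed: the [subtype][version] tag layout.
use std::convert::TryFrom;
use std::fmt;

const SUBTYPE_SECRET: u8 = 4; // KeySubtype::Secret = 4 (src/enums.rs row above)
const VERSION_V1: u8 = 1; // assumed version tag
const KEY_LEN: usize = 32; // V1 payload size

#[derive(Debug, PartialEq)]
pub enum KeyError { InvalidLength, WrongSubtype(u8), UnknownVersion(u8) }

pub struct SecretKey { bytes: [u8; KEY_LEN] }
impl SecretKey {
    pub fn to_bytes(&self) -> Vec<u8> { // [subtype][version][payload]
        [&[SUBTYPE_SECRET, VERSION_V1][..], &self.bytes[..]].concat()
    }
    pub fn as_raw(&self) -> &[u8] { &self.bytes } // what a *_with_raw_key helper would take
}

impl TryFrom<&[u8]> for SecretKey {
    type Error = KeyError;
    fn try_from(blob: &[u8]) -> Result<Self, KeyError> {
        if blob.len() != 2 + KEY_LEN { return Err(KeyError::InvalidLength); }
        if blob[0] != SUBTYPE_SECRET { return Err(KeyError::WrongSubtype(blob[0])); }
        if blob[1] != VERSION_V1 { return Err(KeyError::UnknownVersion(blob[1])); }
        let mut bytes = [0u8; KEY_LEN];
        bytes.copy_from_slice(&blob[2..]);
        Ok(SecretKey { bytes })
    }
}

impl Drop for SecretKey { // volatile writes so the wipe is not optimized away
    fn drop(&mut self) { for b in self.bytes.iter_mut() { unsafe { std::ptr::write_volatile(b, 0) } } }
}

impl fmt::Debug for SecretKey { // key material never reaches logs via {:?}
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { f.write_str("SecretKey(<redacted>)") }
}

fn main() {
    let mut blob = vec![SUBTYPE_SECRET, VERSION_V1];
    blob.extend_from_slice(&[0xAB; KEY_LEN]); // constructed bytes, not a real key
    let key = SecretKey::try_from(blob.as_slice()).unwrap();
    println!("{:?} len={} round-trip={}", key, key.as_raw().len(), key.to_bytes() == blob);
    blob[0] = 2; // same length, different subtype tag
    println!("{:?}", SecretKey::try_from(blob.as_slice()));
}
```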
Codex (@codex) review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 85238b9acd
1b7e7f5 into master
Add a wrapped SecretKey type analogous to PrivateKey/PublicKey.
`Ciphertext::encrypt_with_secret_key` and `Ciphertext::decrypt_with_secret_key` take the key as a SecretKey instead of raw bytes.
Methods encrypt_with_raw_key and decrypt_with_raw_key were defined,
encrypt/decrypt call these methods.