xtrace_sdk.x_vec.crypto.encryption.aes

Classes

AESClient

AES-GCM encryption client.

Functions

_legacy_cbc_decrypt(passphrase, enc)

Decrypt ciphertext produced by the pre-v0.2 AES-CBC implementation.

Module Contents

xtrace_sdk.x_vec.crypto.encryption.aes._legacy_cbc_decrypt(passphrase, enc)

Decrypt ciphertext produced by the pre-v0.2 AES-CBC implementation.

Old wire format: base64( IV[16] || CBC_ciphertext ) Old key derivation: SHA-256(passphrase)

Use this in migration scripts to re-encrypt data with the current AES-GCM format.

Parameters:

• passphrase (str)

• enc (bytes)

Return type:

str

class xtrace_sdk.x_vec.crypto.encryption.aes.AESClient(key)

AES-GCM encryption client.

Accepts a raw 256-bit key (typically supplied by a KeyProvider). Encryption uses AES-256-GCM which provides both confidentiality and authenticity. A random 16-byte nonce per operation ensures semantic security.

Parameters:

key (bytes)

_key

encrypt(raw)

AES-GCM encrypt a plaintext.

Parameters:

raw (str | bytes) – Plaintext string or bytes to encrypt.

Returns:

Base64-encoded bytes containing nonce + tag + ciphertext.

Return type:

bytes

decrypt(enc)

AES-GCM decrypt a ciphertext.

Parameters:

enc (bytes) – Base64-encoded ciphertext produced by encrypt().

Returns:

Decrypted plaintext string.

Return type:

str

Raises:

ValueError – If the ciphertext is corrupted or the key is wrong.