remote encryption poc

jussisaurio · avinassh · commit b07ae02a80d1 · 2025-07-04T20:36:26.000+05:30
diff --git a/libsql/src/database.rs b/libsql/src/database.rs
@@ -100,6 +100,7 @@ enum DbType {
         auth_token: String,
         connector: crate::util::ConnectorService,
         _bg_abort: Option<std::sync::Arc<crate::sync::DropAbort>>,
+        remote_encryption: Option<crate::sync::EncryptionContext>,
     },
     #[cfg(feature = "remote")]
     Remote {
@@ -214,7 +215,7 @@ cfg_replication! {
                 endpoint,
                 auth_token,
                 https,
-                encryption_config
+                encryption_config,
             ).await
         }
 
@@ -524,7 +525,7 @@ cfg_remote! {
             url: impl Into<String>,
             auth_token: impl Into<String>,
             connector: C,
-            version: Option<String>
+            version: Option<String>,
         ) -> Result<Self>
         where
             C: tower::Service<http::Uri> + Send + Clone + Sync + 'static,
@@ -677,6 +678,7 @@ impl Database {
                 url,
                 auth_token,
                 connector,
+                remote_encryption,
                 ..
             } => {
                 use crate::{
@@ -708,6 +710,7 @@ impl Database {
                             connector.clone(),
                             None,
                             None,
+                            remote_encryption.clone()
                         ),
                         read_your_writes: *read_your_writes,
                         context: db.sync_ctx.clone().unwrap(),
@@ -738,6 +741,7 @@ impl Database {
                         connector.clone(),
                         version.as_ref().map(|s| s.as_str()),
                         namespace.as_ref().map(|s| s.as_str()),
+                        None,
                     ),
                 );
 
diff --git a/libsql/src/database/builder.rs b/libsql/src/database/builder.rs
@@ -5,6 +5,8 @@ cfg_core! {
 use super::DbType;
 use crate::{Database, Result};
 
+pub use crate::sync::EncryptionContext;
+
 /// A builder for [`Database`]. This struct can be used to build
 /// all variants of [`Database`]. These variants include:
 ///
@@ -50,6 +52,8 @@ impl Builder<()> {
             path: impl AsRef<std::path::Path>,
             url: String,
             auth_token: String,
+            #[cfg(feature = "sync")]
+            remote_encryption: Option<crate::sync::EncryptionContext>,
         ) -> Builder<RemoteReplica> {
             Builder {
                 inner: RemoteReplica {
@@ -68,6 +72,8 @@ impl Builder<()> {
                     skip_safety_assert: false,
                     #[cfg(feature = "sync")]
                     sync_protocol: Default::default(),
+                    #[cfg(feature = "sync")]
+                    remote_encryption,
                 },
             }
         }
@@ -92,6 +98,7 @@ impl Builder<()> {
             path: impl AsRef<std::path::Path>,
             url: String,
             auth_token: String,
+            remote_encryption: Option<EncryptionContext>,
         ) -> Builder<SyncedDatabase> {
             Builder {
                 inner: SyncedDatabase {
@@ -109,6 +116,7 @@ impl Builder<()> {
                     remote_writes: false,
                     push_batch_size: 0,
                     sync_interval: None,
+                    remote_encryption,
                 },
             }
         }
@@ -229,6 +237,8 @@ cfg_replication! {
         skip_safety_assert: bool,
         #[cfg(feature = "sync")]
         sync_protocol: super::SyncProtocol,
+        #[cfg(feature = "sync")]
+        remote_encryption: Option<crate::sync::EncryptionContext>,
     }
 
     /// Local replica configuration type in [`Builder`].
@@ -345,6 +355,8 @@ cfg_replication! {
                 skip_safety_assert,
                 #[cfg(feature = "sync")]
                 sync_protocol,
+                #[cfg(feature = "sync")]
+                remote_encryption,
             } = self.inner;
 
             let connector = if let Some(connector) = connector {
@@ -403,7 +415,7 @@ cfg_replication! {
 
                         if res.status().is_success() {
                             tracing::trace!("Using sync protocol v2 for {}", url);
-                            let builder = Builder::new_synced_database(path, url, auth_token)
+                            let builder = Builder::new_synced_database(path, url, auth_token, remote_encryption)
                                 .connector(connector)
                                 .remote_writes(true)
                                 .read_your_writes(read_your_writes);
@@ -553,6 +565,7 @@ cfg_sync! {
         read_your_writes: bool,
         push_batch_size: u32,
         sync_interval: Option<std::time::Duration>,
+        remote_encryption: Option<crate::sync::EncryptionContext>,
     }
 
     impl Builder<SyncedDatabase> {
@@ -617,6 +630,7 @@ cfg_sync! {
                 read_your_writes,
                 push_batch_size,
                 sync_interval,
+                remote_encryption,
             } = self.inner;
 
             let path = path.to_str().ok_or(crate::Error::InvalidUTF8Path)?.to_owned();
@@ -640,6 +654,7 @@ cfg_sync! {
                 flags,
                 url.clone(),
                 auth_token.clone(),
+                remote_encryption.clone(),
             )
             .await?;
 
@@ -708,6 +723,8 @@ cfg_sync! {
                     auth_token,
                     connector,
                     _bg_abort: bg_abort,
+                    #[cfg(feature = "sync")]
+                    remote_encryption,
                 },
                 max_write_replication_index: Default::default(),
             })
diff --git a/libsql/src/hrana/hyper.rs b/libsql/src/hrana/hyper.rs
@@ -27,25 +27,29 @@ pub struct HttpSender {
     inner: hyper::Client<ConnectorService, hyper::Body>,
     version: HeaderValue,
     namespace: Option<HeaderValue>,
+    #[cfg(feature = "sync")]
+    remote_encryption: Option<crate::sync::EncryptionContext>,
 }
 
 impl HttpSender {
     pub fn new(
         connector: ConnectorService,
         version: Option<&str>,
         namespace: Option<&str>,
+        #[cfg(feature = "sync")] remote_encryption: Option<crate::sync::EncryptionContext>,
     ) -> Self {
         let ver = version.unwrap_or(env!("CARGO_PKG_VERSION"));
 
         let version = HeaderValue::try_from(format!("libsql-remote-{ver}")).unwrap();
         let namespace = namespace.map(|v| HeaderValue::try_from(v).unwrap());
 
         let inner = hyper::Client::builder().build(connector);
-
         Self {
             inner,
             version,
             namespace,
+            #[cfg(feature = "sync")]
+            remote_encryption,
         }
     }
 
@@ -63,6 +67,13 @@ impl HttpSender {
             req_builder = req_builder.header("x-namespace", namespace);
         }
 
+        if let Some(remote_encryption) = &self.remote_encryption {
+            req_builder = req_builder.header(
+                "x-turso-encryption-key",
+                remote_encryption.key_16_bytes_base64_encoded.as_str(),
+            );
+        }
+
         let req = req_builder
             .body(hyper::Body::from(body))
             .map_err(|err| HranaError::Http(format!("{:?}", err)))?;
@@ -126,8 +137,15 @@ impl HttpConnection<HttpSender> {
         connector: ConnectorService,
         version: Option<&str>,
         namespace: Option<&str>,
+        #[cfg(feature = "sync")] remote_encryption: Option<crate::sync::EncryptionContext>,
     ) -> Self {
-        let inner = HttpSender::new(connector, version, namespace);
+        let inner = HttpSender::new(
+            connector,
+            version,
+            namespace,
+            #[cfg(feature = "sync")]
+            remote_encryption,
+        );
         Self::new(url.into(), token.into(), inner)
     }
 }
diff --git a/libsql/src/lib.rs b/libsql/src/lib.rs
@@ -132,6 +132,7 @@ pub mod params;
 cfg_sync! {
     mod sync;
     pub use database::SyncProtocol;
+    pub use sync::EncryptionContext;
 }
 
 cfg_replication! {
diff --git a/libsql/src/local/database.rs b/libsql/src/local/database.rs
@@ -212,6 +212,7 @@ impl Database {
         flags: OpenFlags,
         endpoint: String,
         auth_token: String,
+        remote_encryption: Option<crate::sync::EncryptionContext>,
     ) -> Result<Database> {
         let db_path = db_path.into();
         let endpoint = if endpoint.starts_with("libsql:") {
@@ -222,7 +223,7 @@ impl Database {
         let mut db = Database::open(&db_path, flags)?;
 
         let sync_ctx =
-            SyncContext::new(connector, db_path.into(), endpoint, Some(auth_token)).await?;
+            SyncContext::new(connector, db_path.into(), endpoint, Some(auth_token), remote_encryption).await?;
         db.sync_ctx = Some(Arc::new(Mutex::new(sync_ctx)));
 
         Ok(db)
diff --git a/libsql/src/sync.rs b/libsql/src/sync.rs
@@ -118,6 +118,16 @@ struct PushFramesResult {
     baton: Option<String>,
 }
 
+#[derive(Debug, Clone)]
+pub struct EncryptionContext {
+    /// The base64-encoded key for the encryption, sent on every request.
+    pub key_16_bytes_base64_encoded: String,
+    /// Whether the pushed frames are already encrypted.
+    pub push_is_encrypted: bool,
+    /// Whether to request the server to decrypt the pulled frames.
+    pub decrypt_pull: bool,
+}
+
 pub struct SyncContext {
     db_path: String,
     client: hyper::Client<ConnectorService, Body>,
@@ -133,6 +143,8 @@ pub struct SyncContext {
     /// whenever sync is called very first time, we will call the remote server
     /// to get the generation information and sync the db file if needed
     initial_server_sync: bool,
+    /// The encryption context for the sync.
+    remote_encryption: Option<EncryptionContext>,
 }
 
 impl SyncContext {
@@ -141,6 +153,7 @@ impl SyncContext {
         db_path: String,
         sync_url: String,
         auth_token: Option<String>,
+        remote_encryption: Option<EncryptionContext>,
     ) -> Result<Self> {
         let client = hyper::client::Client::builder().build::<_, hyper::Body>(connector);
 
@@ -163,6 +176,7 @@ impl SyncContext {
             durable_generation: 0,
             durable_frame_num: 0,
             initial_server_sync: false,
+            remote_encryption,
         };
 
         if let Err(e) = me.read_metadata().await {
@@ -303,6 +317,16 @@ impl SyncContext {
                 None => {}
             }
 
+            if let Some(remote_encryption) = &self.remote_encryption {
+                if remote_encryption.decrypt_pull {
+                    req = req.header("x-turso-decrypt-response", "true");
+                }
+                if remote_encryption.push_is_encrypted {
+                    req = req.header("x-turso-encrypted-request", "true");
+                }
+                req = req.header("x-turso-encryption-key", remote_encryption.key_16_bytes_base64_encoded.as_str());
+            }
+
             let req = req.body(body.clone().into()).expect("valid body");
 
             let res = self
@@ -414,6 +438,16 @@ impl SyncContext {
                 None => {}
             }
 
+            if let Some(remote_encryption) = &self.remote_encryption {
+                if remote_encryption.decrypt_pull {
+                    req = req.header("x-turso-decrypt-response", "true");
+                }
+                if remote_encryption.push_is_encrypted {
+                    req = req.header("x-turso-encrypted-request", "true");
+                }
+                req = req.header("x-turso-encryption-key", remote_encryption.key_16_bytes_base64_encoded.as_str());
+            }
+
             let req = req.body(Body::empty()).expect("valid request");
 
             let res = self
@@ -577,6 +611,16 @@ impl SyncContext {
             req = req.header("Authorization", auth_token);
         }
 
+        if let Some(remote_encryption) = &self.remote_encryption {
+            if remote_encryption.decrypt_pull {
+                req = req.header("x-turso-decrypt-response", "true");
+            }
+            if remote_encryption.push_is_encrypted {
+                req = req.header("x-turso-encrypted-request", "true");
+            }
+            req = req.header("x-turso-encryption-key", remote_encryption.key_16_bytes_base64_encoded.as_str());
+        }
+
         let req = req.body(Body::empty()).expect("valid request");
 
         let res = self
@@ -673,6 +717,16 @@ impl SyncContext {
             req = req.header("Authorization", auth_token);
         }
 
+        if let Some(remote_encryption) = &self.remote_encryption {
+            if remote_encryption.decrypt_pull {
+                req = req.header("x-turso-decrypt-response", "true");
+            }
+            if remote_encryption.push_is_encrypted {
+                req = req.header("x-turso-encrypted-request", "true");
+            }
+            req = req.header("x-turso-encryption-key", remote_encryption.key_16_bytes_base64_encoded.as_str());
+        }
+
         let req = req.body(Body::empty()).expect("valid request");
 
         let (res, http_duration) =

Original file line number	Diff line number	Diff line change
`@@ -132,6 +132,7 @@ pub mod params;`
`132`	`132`	`cfg_sync! {`
`133`	`133`	`mod sync;`
`134`	`134`	`pub use database::SyncProtocol;`
	`135`	`+ pub use sync::EncryptionContext;`
`135`	`136`	`}`
`136`	`137`
`137`	`138`	`cfg_replication! {`