Cryptography is the process of transforming information into a secure format, mostly by encryption. Encryption ensures that data passing through the web is safe and reliable.
Although Rust has a random number generator, the main suite in use today is OpenSSL. As you’ll see in this guide, the Rust ecosystem offers an expansive range of rich-featured cryptography libraries to help you keep data safe in transit to and from your applications.
In this guide, we’ll review the state of cryptography in Rust and compare some open-source encryption libraries, including:
The Replay is a weekly newsletter for dev and engineering leaders.
Delivered once a week, it's your curated guide to the most important conversations around frontend dev, emerging AI tools, and the state of modern software.
With cryptography suites, you can secure a network connection that uses TLS or SSL. In this section, we’ll look at some open-source Rust suites, evaluating each for stability and production readiness.
opensslopenssl provides a safe interface to the popular OpenSSL cryptography library. This library has 123 versions published, with the latest stable version being 0.10.30. openssl is licensed under Apache 2.0.
To use openssl, add the code below to your cargo.toml file.
openssl = "0.10.30"
orionorion aims to minimize the use of unsafe code. The library supports Rust 1.41 or later and the following crypto methods.
This library is licensed under MIT and currently has 68 versions published, the of which is 0.15.4. To use the current version of this library, add the following codes to your cargo.toml file:
orion = "0.15.4"
By default, orion uses STD. To use orion in a no_std context, you need to specify the dependency by writing the code below.
orion = { version = "*", default-features = false }
# Replace * with the most recent version
Argon2i will not be available with no_std. To allow Argon2i, you have to enable the alloc feature.
[dependencies.orion] version = "*" # Replace * with the most recent version default-features = false features = ["alloc"]
libsodium-syslibsodium-sys is an open-source Rust bindings to the sodium library. This library has 24 versions published. Its latest stable version is 0.2.6. The library is licensed under Apache-2.0/MIT.
The bind functions that can be used for libsodium-sys are as follows:
crypto::box_ and crypto::sign for public-key cryptographycrypto::sealedbox for sealed boxescrypto::secretbox, crypto::stream, crypto::auth, and crypto::onetimeauth for secret-key cryptographycrypto::hash, crypto::verify, and crypto::shorthash for low-level functionsgpgmeThis is a GnuPG Made Easy (GPGME) library for Rust. Using GnuPG directly from an application can be complicated; GPGME makes access to GnuPG (GNU Privacy Guard) much easier.
The most stable version of this library, 0.9.2, does not support the bundling of the gpgme library source to attempt build via the buildscript.
To use gpgme, add the following to your cargo.toml file.
gpgme = "0.9.2"
This library is licensed under LGPL-2.1 and has 14 versions published.
ringThis open-source library allows us to build safe, fast, and small crypto applications using Rust with BoringSSL’s cryptography primitives. ring has 94 versions published. Its most recent and stable version is ring 0.16.15.
Ring has the following features.
alloc (default), which enables features that require use of the heap, RSA in particulardev_urandom_fallback (default), which causes ring::rand::SystemRandom to fall back to /dev/urandom by default when the getrandom() syscall isn’t supported at runtime. dev_urandom_fallback is only currently supported by Linux OSstd, which enables features that use libstd, especially the std::error::Error featureTo use the latest version of this library, add the following code to your cargo.toml file.
ring = "0.16.15"
Do you ever wonder how information can be secure given the inherent predictability of computer/programming algorithms (e.g., you could determine an output by feeding in an input)? Random number generators take in nondeterministic inputs (such as phase noise or clock signals) and generate unpredictable numbers as the output.
Below are some of the best and most production-ready random number generators for Rust.
Learn more →randrand is a Rust library for random number generation. Random numbers are generated and converted to useful types, distributions, and some randomness-related algorithms.
rand version 0.7 requires rustc version 1.32 or greater. Meanwhile, rand 0.5 requires rustc 1.22 or greater and versions 0.4 and 0.3 require rustc version 1.15 or greater (since approx. June 2017).
Some of the rand code may work with older Rust versions, but it is not recommended to use it. rand has 62 versions published, with one version yanked (unreleased) version, 0.7.1.
To use the current version of rand, add the following to your cargo.toml file.
[dependencies] rand = "0.7"
uuiduuid creates and parses universally unique identifiers (UUIDs), which are unique 128-bit numbers stored as 16 octets. With UUIDs, unique identifiers can be assigned to entities without requiring a central allocating authority.
This library has 45 versions published, the latest being 0.8.1.
To use uuid, add the following to your cargo.toml file.
[dependencies] uuid = "0.8"
Passwords are a form of encryption that help us create strong cryptographic keys. With password-based encryption, users can create strong secret keys based on the password they provide.
bcryptbcrypt is an open-source library that lets you easily hash and verify passwords on Rust. This library has 21 versions; the latest is version 0.8.2.
To use bcrypt, add the following to your cargo.toml file.
bcrypt = "0.8.2"
This version of bcrypt supports version 1.36.0 as the minimum version of Rust.
djangohashersdjangohashers is a Rust port of the password primitives that are used in Django projects. Although Django has the django.contrib.auth.models.User class, which consists of a few methods to deal with passwords, such as set_password() and check_password(), djangohashers executes the primitive functions behind those methods. You can use the password hash algorithm of this library in any Rust project.
djangohashers has 23 versions published. The most recent stable version is 1.3.1.
To install djangohashers, add the dependency to your cargo.toml file.
[dependencies] djangohashers = "^1.3"
pwhashThis Rust open-source library consists of a collection of password hashing and verification routines.
With pwhash, you can verify a password against a hash with the verify() function. You can also hash a password with default algorithm-specific parameters or customized parameters with the hash() and hash_with() functions, respectively.
This library has published five versions at the time of writing, with the most stable version being 0.3.1.
With Transport Layer Security (TLS), data sent over the internet is encrypted to keep private and sensitive information safe from bad actors.
The following libraries offer the TLS protocol for Rust-based applications.
rustlsrustls, pronounced “rustless,” is a modern library that implements TLS for Rust. It uses the ring library for cryptography libwebpki for certificate verification.
rustls assures of high level cryptographic security with no configuration required. It has 29 published versions; the most stable is version 0.18.1.
To use the current version of rustls, add the following to your cargo.toml file.
rustls = "0.18.1"
tokio-openssltokio-openssl is an implementation of SSL streams for Tokio, an asynchronous runtime for Rust, backed by OpenSSL.
tokio-openssl is licensed under MIT/Apache-2.0, and the latest stable version is 0.4.0.
To use this version, add the following to your cargo.toml file.
tokio-openssl = "0.4.0"
tokio-rustlstokio-rustls is an asynchronous TLS/SSL stream for Tokio using the rustls library. This library currently has 56 versions, with the current stable version being 0.14.1. tokio-rustls started as a fork from the Tokio-TLS project.
webpkiWith webpki, you can validate Web PKI (TLS/SSL) certificates. This library uses ring for signature verification.
With webpki, there’s no dispute to efficiency and safety because it uses Rust’s borrow checker to validate that its zero-copy parsing strategy is safe and efficient. webpki maintains a tight restriction on the amount of stack memory it uses, so it never allocates memory on the heap.
webpki has 40 versions released, the latest of which is 0.21.3. This library is not licensed and offers no warranty.
The importance of tools cannot be overemphasized in cryptography. The best ones make securing information between peers almost seamless.
Let’s zoom in on some of the most popular encryption tools for Rust, including services ranging from token management, to file management, to cookie management.
tempfileImagine you want to create a file but don’t care about its name or location since it’s a temporal file that you wish to urgently work on and delete later. The tempfile library deletes the file once you’re done.
This tool enables you to delete temporary files and directories with the tempfile() and tempdir() function.
tempfile is licensed under MIT/Apache 2.0 and has 35 versions; the most recent is 3.1.0.
cookieTo put it simply, cookie enhances HTTP cookie parsing and cookie jar management. This library is licensed under MIT or Apache 2.0 and has 62 versions (the most recent version is 0.14.2). cookie has been downloaded nearly 6 million times.
frank_jwtEver heard of JSON Web Token (JWT)? You can pass claims securely between two parties by decoding, verifying, and generating encoded credentials called JWT. frank_jwt is an implementation of JSON Web Tokens in Rust.
This library supports cryptographic algorithm and is licensed under Apache 2.0 and has 14 versions at the time of writing.
Hashing in cryptography means converting data into unique strings that are undecipherable to humans. Here’s a simple example of data and its equivalent hash string:
Data: Hello Hash: f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0
Let’s zoom in on some libraries that offer hashing in Rust.
Note: Many of the libraries mentioned in the “Password-based encryption for Rust” section can also be used for hashing in Rust.
rust-fnvFNV (Fowler/Noll/Vo) is a custom hasher implementation that is fast and has good dispersion. While the default hasher implementation, SipHash, is good in many cases, it’s usually slower than other algorithms with short keys.
rust-fnv performs faster on algorithms with short keys. The disadvantage of rust-fnv is that it performs poorly on larger inputs and provides no protection against collision attack.
This library is licensed under Apache 2.0/MIT, it has eight published versions.
twox-hashThis library is a Rust implementation of XXHash algorithm, a fast Hash algorithm that runs at RAM speed limits.
To use this twox-hash, add the following to your cargo.toml file.
twox-hash = "1.5.0"
twox-hash has 13 versions with two versions yanked (unreleased). The most stable version of twox-hash, at the time of writing, is 1.5.0.
blake2-rfcIf you want a hash function that’s faster than MD5, SHA-1, SHA-2, and secure as the latest version of SHA-3, look no further than blake2-rfc.
blake2-rfc is a pure Rust implementation of BLAKE2, which is based on RFC 7693. It has 20 versions, the most recent being 0.2.18.
Algorithms are among the most widely used privacy protection methods. These are usually designed for data encryption, authentication, and digital signatures.
bulletproofsThis library enacts Bulletproofs using Ristretto. Ristretto is a technique for compressing curves (ellipse); it divides the curve’s cofactor by 4 or 8 to implement the prime-order group.
bulletproofs has eight versions published at the time of writing, with version 1.0.3 yanked.
curve25519-dalekThis open-source library is a Rust implementation of operations on Ristretto and Curve25519.
curve25519-dalek is built to provide a clean and safe mid-level API, executing ECC-based crypto protocols such as zero-knowledge proof systems, key agreement, signatures, and anonymous credentials.
This library is licensed under the BSD 3-Clause and has 64 versions published at the time of writing. Version 2.0.0 was yanked.
To use the latest released version of this library in your application, add the following code to your cargo.toml file.
curve25519-dalek = "3.0.0"
ed25519-dalekThis library is a fast and efficient Rust implementation of ed25519 key generation, signing, and verification in Rust.
With ed25519-dalek, ed25519 key generation, signing, and verification become easier and faster in Rust.
This library is licensed under the BSD 3-Clause and has over 28 versions published.
merlinmerlin provides a transcript-based RNG as defense-in-depth against bad-entropy attacks. merlin is a transcript construction for zero-knowledge proofs.
If you use merlin in your application, you can execute noninteractive protocols as if they were interactive. This is because merlin automates the Fiat-Shamir transform.
rust-secp256k1rust-secp256k1 is a wrapper around libsecp256k1, a library that can be used for producing ECDSA signatures using the SECG curve secp256k1.
You’ll love how efficient this library is; it makes no allocations (except in unit tests) for efficiency and use in freestanding implementations.
This library is licensed under CC0-1.0 and has 63 versions published.
subtleThis is an open-source library for constant-time cryptographic implementations.
subtle supports a minimum of Rust version 1.41. There have been 24 versions published, the latest being 2.3.0; version 2.2.0 has been yanked.
x25519-dalekThis is a pure-Rust implementation of x25519 elliptic curve Diffie-Hellman key exchange, with curve operations provided by curve25519-dalek.
x25519-dalek has 17 versions published; 1.1.0 is the most recent.
To use x25519-dalek in your application, add the following to your cargo.toml file.
x25519-dalek = "1.1.0"
zkpThis library implements the zero-knowledge proof according to Schnorr style. That means zkp can verify the validity of a statement without releasing any knowledge aside from the validity of a statement (sensitive information).
zkp provides two levels of API: a higher-level, declarative API based on the define_proof macro and a lower-level, imperative API inspired by Bellman, which provides a constraint system for Schnorr-style statements.
zkp is licensed under CC0-1.0. It has 12 versions, of which four have been yanked.
Whether you’re writing in Rust or some other programming language, you should always use encryption when transferring information over the internet. As you can tell by the wide variety of popular, production-ready cryptography suites, random number generators, password solutions, TLS, tools, and algorithms available, the state of crypto in Rust is quite strong.
We have seen the different sections housing different methods cryptography can be performed and libraries that help secure parsing of data in Rust based applications.
If you would love to read more about cryptography as pertains to Rust, check out Rust Cryptography.
Thank you for your time! Please do contact me on twitter if you have any questions or suggestions concerning this article.
Debugging Rust applications can be difficult, especially when users experience issues that are hard to reproduce. If you’re interested in monitoring and tracking the performance of your Rust apps, automatically surfacing errors, and tracking slow network requests and load time, try LogRocket.
LogRocket lets you replay user sessions, eliminating guesswork around why bugs happen by showing exactly what users experienced. It captures console logs, errors, network requests, and pixel-perfect DOM recordings — compatible with all frameworks.
LogRocket's Galileo AI watches sessions for you, instantly identifying and explaining user struggles with automated monitoring of your entire product experience.
Modernize how you debug your Rust apps — start monitoring for free.
:has(), with examplesThe CSS :has() pseudo-class is a powerful new feature that lets you style parents, siblings, and more – writing cleaner, more dynamic CSS with less JavaScript.
Kombai AI converts Figma designs into clean, responsive frontend code. It helps developers build production-ready UIs faster while keeping design accuracy and code quality intact.
Discover what’s new in The Replay, LogRocket’s newsletter for dev and engineering leaders, in the October 22nd issue.
John Reilly discusses how software development has been changed by the innovations of AI: both the positives and the negatives.
Hey there, want to help make our blog better?
Join LogRocket’s Content Advisory Board. You’ll help inform the type of content we create and get access to exclusive meetups, social accreditation, and swag.
Sign up now
