Switch the default crypto provider

This document describes how to switch the default rustls crypto provider in Rust. You may want to switch the default crypto provider if your application has specific requirements not met by our default.

The Rust client libraries use Rustls to secure the communication between your application and Google Cloud. Rustls can use different providers for cryptographic functions. By default, the client libraries enable the aws-lc-rs provider. The client libraries use this as a default as it is based on BoringSSL, a well-regarded crypto library implemented by Google, and it is the only Rust crypto provider that is FIPS certified.

Nevertheless, some applications may need to use a different provider. This guide shows you how to disable the default provider and configure your own. It uses google-cloud-storage to illustrate how to change the Rust dependencies, with ring as the alternative crypto provider. The same steps apply to the other client libraries. Consult the rustls documentation for additional providers.

Use the client libraries with the default crypto provider

To use the default crypto provider, add the client library as a dependency to your Cargo.toml file:

[dependencies]
google-cloud-storage = { version = "1" }

Use the default crypto provider with other default features disabled

Some applications prefer to disable all the default features in their dependencies and then only enable the features they want to use. For example, your Cargo.toml may read:

[dependencies]
google-cloud-storage = { version = "1", default-features = false }

To enable only the default provider feature, use:

[dependencies]
google-cloud-storage = { version = "1", default-features = false, features = ["default-rustls-provider"] }

Use your own crypto provider

To select your own provider:

  1. Add the client library with its default features disabled and include any dependencies needed for your provider. In this guide, we are using ring:

    [dependencies]
    google-cloud-storage = { version = "1", default-features = false }
    rustls               = { version = "0.23", features = ["ring"] }

    You must use the same version of `rustls` as `google-cloud-storage`.

  2. Change your main() function to install this provider:

    use rustls::crypto::{CryptoProvider, ring::default_provider};
    
    #[tokio::main]
    async fn main() -> anyhow::Result<()> {
        // Install a default crypto provider.
        CryptoProvider::install_default(default_provider())
            .map_err(|_| anyhow::anyhow!("default crypto provider already installed"))?;
        // ... ... ...
        Ok(())
    }
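
A way to confirm that the dependency graph ended up as intended, added here as an example and not part of this guide: `check_tree` reads `cargo tree --prefix none` output and fails if more than one `rustls` version is present (the version mismatch the note above warns about) or if `aws-lc-rs` is still pulled in; `check_project` runs cargo on a project directory for you. Both function names and the crate versions mentioned in the comments are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the google-cloud-rust documentation.
# After switching the provider, confirm two things about the dependency
# graph: exactly one rustls version (the client library and your own
# `rustls` line must agree) and no aws-lc-rs crate (otherwise the default
# provider is still being compiled into the binary, even if not installed).
# Uses only `cargo tree`, awk, sort and grep.

# check_tree: reads `cargo tree --prefix none` output on stdin.
# Returns 0 when both conditions hold, 1 otherwise (reasons on stderr).
check_tree() {
    tree=$(cat)
    # Distinct rustls versions. cargo repeats already-printed nodes with a
    # trailing "(*)", so compare only the version field ($2), not the line.
    n_rustls=$(printf '%s\n' "$tree" \
        | awk '$1 == "rustls" { print $2 }' | sort -u | grep -c . || true)
    # Any aws-lc-rs node at all means the default provider is still built.
    n_awslc=$(printf '%s\n' "$tree" \
        | awk '$1 == "aws-lc-rs"' | grep -c . || true)
    status=0
    if [ "$n_rustls" -ne 1 ]; then
        echo "expected exactly one rustls version, found $n_rustls" >&2
        status=1
    fi
    if [ "$n_awslc" -ne 0 ]; then
        echo "aws-lc-rs is still in the dependency graph" >&2
        status=1
    fi
    return "$status"
}

# check_project: run the check against a Cargo project directory
# (for example: check_project ./my-app).
check_project() {
    (cd "$1" && cargo tree --prefix none) | check_tree
}
```

If the check reports a second `rustls` version, `cargo tree -i rustls` shows which dependency pulls it in.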