Keyczar - Google's crypto for non-cryptographers

Google has released Keyczar, billed as a "Toolkit for safe and simple cryptography", under an Apache 2.0 open source licence. Keyczar has been developed by members of the Google security team and aims to make cryptography more accessible to application developers.

Keyczar's design goals were to manage the complexity of cryptography for developers who are not cryptographically aware. Keyczar's developers point to how these developers may choose wrong cipher modes, use an obsolete algorithm or just forget they will need to rotate keys. To avoid this problem, Keyczar abstracts ways these issues with a simple programming interface and adds a key versioning system which tags output with version information and makes it easy to rotate and revoke keys.

Keyczar has been released as Java and Python packages, with C++ to follow. An example of using the API in Java was shown by Google;

    Crypter crypter = new Crypter("/path/to/your/keys");
    String ciphertext = crypter.encrypt("Secret message");

Keyczar does not replace existing crypto libraries like OpenSSL, PyCrypto or JCE, but builds on them. But, it isn't backwards compatible with older crypto output formats. The Keyczar site also has Non-Goals noting what else the developers won't be doing. This also points out that Keyczar is currently not ideal for very short blobs of data because it adds a 40-50 byte overhead or for huge file encryption because of its orientation to in-memory plaintext encryption.

The Keyczar code and documentation are available on Google Code.

(djwm)