Secure File Handling in Rust: Best Practices for Managing Sensitive Data

By Robert F4 min readMarch 1, 2026

Understanding File Permissions

When working with files, it is crucial to set appropriate permissions to restrict access to sensitive information. Rust's standard library provides the std::fs module for file operations, which we can use to set permissions.

Example: Setting File Permissions

use std::fs::{File, OpenOptions};
use std::os::unix::fs::PermissionsExt;
use std::io::{self, Write};

fn create_secure_file(path: &str, content: &str) -> io::Result<()> {
    let mut file = OpenOptions::new()
        .write(true)
        .create(true)
        .open(path)?;

    file.write_all(content.as_bytes())?;

    // Set file permissions to read/write for the owner only
    let mut permissions = file.metadata()?.permissions();
    permissions.set_mode(0o600); // rw------- (owner only)
    std::fs::set_permissions(path, permissions)?;

    Ok(())
}

fn main() {
    if let Err(e) = create_secure_file("sensitive_data.txt", "This is sensitive data.") {
        eprintln!("Error creating secure file: {}", e);
    }
}

In this example, we create a file with permissions set to 600, allowing only the owner to read and write. This is crucial for protecting sensitive data from unauthorized access.

Encrypting File Contents

To further enhance security, it is advisable to encrypt sensitive data before writing it to disk. The aes crate can be used for AES encryption in Rust. Below is an example of how to encrypt and decrypt file contents.

Example: File Encryption and Decryption

First, add the necessary dependencies in your Cargo.toml:

[dependencies]
aes = "0.7"
block-modes = "0.8"
rand = "0.8"

Now, let's implement encryption and decryption functions:

use aes::{Aes128, BlockEncrypt, BlockDecrypt, NewBlockCipher};
use block_modes::{BlockMode, Cbc};
use block_modes::block_padding::Pkcs7;
use rand::Rng;
use std::fs::{File, OpenOptions};
use std::io::{self, Read, Write};

type Aes128Cbc = Cbc<Aes128, Pkcs7>;

fn encrypt_file(path: &str, key: &[u8; 16], iv: &[u8; 16]) -> io::Result<()> {
    let mut file = File::open(path)?;
    let mut data = Vec::new();
    file.read_to_end(&mut data)?;

    let cipher = Aes128Cbc::new_from_slices(key, iv).unwrap();
    let encrypted_data = cipher.encrypt_vec(&data);

    let mut output_file = OpenOptions::new()
        .write(true)
        .create(true)
        .open(format!("{}.enc", path))?;
    output_file.write_all(&encrypted_data)?;

    Ok(())
}

fn decrypt_file(path: &str, key: &[u8; 16], iv: &[u8; 16]) -> io::Result<()> {
    let mut file = File::open(path)?;
    let mut data = Vec::new();
    file.read_to_end(&mut data)?;

    let cipher = Aes128Cbc::new_from_slices(key, iv).unwrap();
    let decrypted_data = cipher.decrypt_vec(&data).unwrap();

    let mut output_file = OpenOptions::new()
        .write(true)
        .create(true)
        .open(format!("{}.dec", path))?;
    output_file.write_all(&decrypted_data)?;

    Ok(())
}

fn main() {
    let key = b"an_example_of_key"; // 16 bytes for AES-128
    let iv = b"unique_initializ";   // 16 bytes IV

    if let Err(e) = encrypt_file("sensitive_data.txt", key, iv) {
        eprintln!("Error encrypting file: {}", e);
    }

    if let Err(e) = decrypt_file("sensitive_data.txt.enc", key, iv) {
        eprintln!("Error decrypting file: {}", e);
    }
}

In this code, we encrypt and decrypt files using AES-128 in CBC mode. The key and IV (initialization vector) must be kept secret and unique for each encryption operation.

Secure File Deletion

When sensitive files are no longer needed, it is essential to securely delete them to prevent unauthorized recovery. Simply removing the file may not be sufficient, as underlying data may remain on disk. Rust does not provide built-in secure deletion, but we can overwrite the file contents before deletion.

Example: Secure File Deletion

use std::fs::{remove_file, OpenOptions};
use std::io::{self, Write};

fn secure_delete_file(path: &str) -> io::Result<()> {
    // Overwrite the file with zeros
    let mut file = OpenOptions::new()
        .write(true)
        .open(path)?;
    file.write_all(&vec![0; 1024])?; // Overwrite with zeros (adjust size as needed)

    // Remove the file
    remove_file(path)?;
    Ok(())
}

fn main() {
    if let Err(e) = secure_delete_file("sensitive_data.txt") {
        eprintln!("Error securely deleting file: {}", e);
    }
}

In this example, we overwrite the file with zeros before deleting it, making it more difficult for unauthorized users to recover the original data.

Summary of Best Practices

Practice	Description
Set Appropriate Permissions	Use `chmod` to restrict access (e.g., `600` for owner only).
Encrypt Sensitive Data	Use encryption libraries like `aes` to protect data at rest.
Use Secure Deletion	Overwrite files before deletion to prevent data recovery.
Validate File Operations	Always check for errors during file operations to prevent data loss.

Conclusion

Secure file handling is a critical aspect of application security. By following best practices such as setting appropriate file permissions, encrypting sensitive data, and implementing secure deletion, developers can significantly reduce the risk of data breaches. Rust's powerful features combined with these practices create a robust environment for managing sensitive information securely.