rust-lang · Carbonhell · Feb 10, 2026 · Feb 14, 2026 · Feb 25, 2026 · ubiratansoares
@@ -100,7 +100,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.WRITE_GITHUB_TOKEN }}
           MAILGUN_API_TOKEN: ${{ secrets.MAILGUN_API_TOKEN }}
-          EMAIL_ENCRYPTION_KEY: ${{ secrets.EMAIL_ENCRYPTION_KEY }}
+          EMAIL_PRIVATE_KEY: ${{ secrets.EMAIL_PRIVATE_KEY }}
           ZULIP_API_TOKEN: ${{ secrets.ZULIP_API_TOKEN }}
           ZULIP_USERNAME: ${{ secrets.ZULIP_USERNAME }}
           CRATES_IO_TOKEN: ${{ secrets.CRATES_IO_TOKEN }}

@@ -46,6 +46,8 @@ ansi_term = "0.12.1"
 atty = "0.2.14"
 base64 = "0.22"
 chacha20poly1305 = "0.9.0"
+x25519-dalek = "2.0.1"
+blake3 = "1.8.3"
 clap = "4.5"
 derive_builder = "0.20.2"
 dialoguer = "0.10.1"

diff --git a/README.md b/README.md
@@ -187,15 +187,15 @@ it. Encrypted email addresses look like this:
 encrypted+3eeedb8887004d9a8266e9df1b82a2d52dcce82c4fa1d277c5f14e261e8155acc8a66344edc972fa58b678dc2bcad2e8f7c201a1eede9c16639fe07df8bac5aa1097b2ad9699a700edb32ef192eaa74bf7af0a@rust-lang.invalid
 ```
 
-The production key is accessible to select Infrastructure Team members, so if
-you need to add an encrypted email address you'll need to reach out to that
-team. The key is stored in the following parameter on AWS SSM Parameter Store:
+The `cargo run encrypt-email` CLI command can be used to encrypt an email address in a self-service manner.
+Decryption is automatically done as part of the sync process executed in the CI.
+
+The production private key is accessible to select Infrastructure Team members, and
+it is stored in the following parameter on AWS SSM Parameter Store:
 
 ```
 /prod/sync-team/email-encryption-key
 ```
 
-The `cargo run encrypt-email` and `cargo run decrypt-email` interactive CLI
-commands are available for infra team members to interact with encrypted
-emails. The `rust_team_data` (with the `email-encryption` feature enabled) also
+The `rust_team_data` (with the `email-encryption` feature enabled) also
 provides a module to programmatically encrypt and decrypt.
diff --git a/people/camelid.toml b/people/camelid.toml
@@ -2,4 +2,4 @@ name = 'Noah Lev'
 github = 'camelid'
 github-id = 37223377
 zulip-id = 307537
-email = "encrypted+ebe6f3cec2ee373b57408f88ad0f14dc86c1f1bfaf7829aa5628073ae74e78ae52bc02b1b3ae221ed92284b923258b53a2572142cd62de3f92244cb7045d9058@rust-lang.invalid"
+email = "encrypted+02728fc388dadf662dc77fcec3e7c6d5ed7ae47a92026fc9c75744c45b9427564b4123afcacfdc46a5b0a8a8ebc414adecdd37d617e0a6cea3678488ea95fc84634266bebba24e96d44fd7b7f9fc5c5545eeb8650d5c19582797c70a39c30507@rust-lang.invalid"
@@ -6,10 +6,12 @@ license.workspace = true
 
 [dependencies]
 chacha20poly1305 = { workspace = true, optional = true }
+x25519-dalek = { workspace = true, optional = true, features = ["getrandom", "static_secrets"] }
+blake3 = {workspace = true, optional = true}
 getrandom = { workspace = true, optional = true }
 hex = { workspace = true, optional = true }
 indexmap = { workspace = true, features = ["serde"] }
 serde = { workspace = true, features = ["derive"] }
 
 [features]
-email-encryption = ["chacha20poly1305", "getrandom", "hex"]
+email-encryption = ["chacha20poly1305", "x25519-dalek", "blake3", "getrandom", "hex"]