Module encryption

AES-256-GCM encryption and HMAC-SHA256 integrity for Raft log payloads.

This module provides per-entry encryption using HKDF-derived keys and nonces, plus HMAC-based integrity verification for the encrypted log chain.

Design

  • Each log entry’s AES-256-GCM key and nonce are deterministically derived from the master key and the entry index via HKDF-SHA256, so no nonce reuse is possible within a key epoch.
  • HMAC-SHA256 is computed over entry_index_le || nonce || ciphertext to provide additional chain integrity beyond what GCM authentication already gives.
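
An added sketch of the derivation and MAC input described above, in Python with only the standard library; it is not this crate's code. The HKDF info labels, the 8-byte little-endian index, the separate MAC key, and the placeholder ciphertext (the standard library has no AES-GCM) are assumptions.

```python
import hashlib, hmac, struct

def hkdf_sha256(ikm, salt, info, length):
    """HKDF-SHA256 per RFC 5869: extract a PRK, then expand it."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_entry_material(master_key, index):
    """(key, nonce) for one entry; info label and u64 index width are assumed."""
    info = b"example-entry" + struct.pack("<Q", index)
    okm = hkdf_sha256(master_key, b"", info, 32 + 12)
    return okm[:32], okm[32:]  # 32-byte AES-256 key, 12-byte GCM nonce

def derive_mac_key(master_key):
    """Separate HMAC key (assumed; the page does not say how it is keyed)."""
    return hkdf_sha256(master_key, b"", b"example-mac", 32)

def entry_tag(mac_key, index, nonce, ciphertext):
    """HMAC-SHA256 over entry_index_le || nonce || ciphertext."""
    msg = struct.pack("<Q", index) + nonce + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()

def verify_entry(mac_key, index, nonce, ciphertext, tag):
    """Constant-time check of a stored tag against the recomputed one."""
    return hmac.compare_digest(entry_tag(mac_key, index, nonce, ciphertext), tag)

if __name__ == "__main__":
    master = bytes(range(32))                 # constructed master key
    ciphertext = b"constructed-ciphertext"    # stand-in for AES-GCM output
    key7, nonce7 = derive_entry_material(master, 7)
    key8, nonce8 = derive_entry_material(master, 8)
    print("distinct per index:", key7 != key8 and nonce7 != nonce8)
    mk = derive_mac_key(master)
    tag = entry_tag(mk, 7, nonce7, ciphertext)
    print("valid:", verify_entry(mk, 7, nonce7, ciphertext, tag))
    print("moved to index 8:", verify_entry(mk, 8, nonce7, ciphertext, tag))
```

The derivation is a pure function of the master key and the index, so the uniqueness of each key and nonce pair depends on an index being encrypted only once under a given master key.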

Structs

EncryptedPayload
The encrypted form of a single Raft log entry payload.
EntryEncryptor
Encrypts and decrypts Raft log entry payloads using AES-256-GCM.
LogEncryptionKey
A 32-byte master key used to derive per-entry AES-256-GCM keys and nonces.
LogIntegrityVerifier
HMAC-SHA256 integrity verifier for encrypted Raft log entries.