pub struct ConfigEncryptor { /* private fields */ }
AES-GCM encrypted config store backed by the system keyring.
Uses PBKDF2-HMAC-SHA256 to derive the key from machine-specific material
(hostname:username), and AES-256-GCM for authenticated encryption.
Wire format for AES-encrypted values:
enc:<base64(nonce[12] || tag[16] || ciphertext)>
Keyring-stored values are referenced as:
keyring:<key>
Implementations
impl ConfigEncryptor
pub fn new() -> Result<Self, ConfigDecryptionError>
Create a new ConfigEncryptor using the OS keyring when available.
pub fn new_forced_aes() -> Self
Create a ConfigEncryptor that always uses AES encryption, bypassing
the OS keyring. Intended for tests running in headless/CI environments.
Every value it stores takes the enc: path and is subject to the security note on store.
pub fn store(
    &self,
    key: &str,
    value: &str,
) -> Result<String, ConfigDecryptionError>
Persist value for key.
Tries the OS keyring first. On failure (headless / CI) falls back to AES-256-GCM file encryption.
Returns a config-file token:
- "keyring:<key>" when stored in the OS keyring.
- "enc:<base64>" when stored as an encrypted blob.
The fallback is silent, so a caller that must not accept the weaker enc: path should check the prefix of the returned token.
Security note
The enc: fallback path derives its encryption key from the machine's
hostname and the current username. Neither value is secret: both are
readily discoverable by any local user. This protects against casual file
browsing but not against a targeted attacker, such as a co-tenant on a
shared system, who can read the config file and knows both values. For
sensitive credentials (API keys, tokens), prefer the keyring: path (OS
keyring) when available, or use environment variables instead of config
file storage.
pub fn retrieve(
    &self,
    config_value: &str,
    key: &str,
) -> Result<String, ConfigDecryptionError>
Retrieve the plaintext for a config value token.
Handles three formats:
- "keyring:<ref>" — fetch from OS keyring.
- "enc:<base64>" — base64-decode then AES-GCM decrypt.
- anything else — return as-is (plain passthrough).
Because unprefixed values pass through unchanged, a secret written to the config file in plaintext is accepted without warning; the prefix is the only indication of how a value was stored.