
Module encryption


Client-side AES-256-GCM encryption with HKDF key derivation. Zero-knowledge encryption layer using AES-256-GCM with AAD v0x03 format.

Wraps cachekit_core::ZeroKnowledgeEncryptor with tenant key derivation and cache-key-bound Additional Authenticated Data (AAD). The AAD binding prevents ciphertext substitution attacks within the same tenant (CVSS 8.5).

§AAD v0x03 Format

[version(0x03)][len(4)][tenant_id][len(4)][cache_key][len(4)][format][len(4)][compressed]

Each component is length-prefixed with a 4-byte big-endian u32 to prevent collision attacks from boundary confusion.
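The effect of the length prefixes can be seen by building the AAD both ways for two inputs that differ only in where the tenant ID ends and the cache key begins. This is an added example, not code from cachekit: the function names and the sample values for format and compressed are assumptions, and only the byte layout is taken from the format above.

```rust
// Added example. Function names and the sample values for `format` and
// `compressed` are assumptions; only the byte layout comes from the page.
const AAD_VERSION: u8 = 0x03;

/// Version byte, then each component behind a 4-byte big-endian u32 length.
fn build_aad(parts: [&[u8]; 4]) -> Vec<u8> {
    let mut aad = vec![AAD_VERSION];
    for p in parts {
        // Components are assumed to fit in a u32 length.
        aad.extend_from_slice(&(p.len() as u32).to_be_bytes());
        aad.extend_from_slice(p);
    }
    aad
}

/// Same fields with no length prefixes, shown only for comparison.
fn naive_aad(parts: [&[u8]; 4]) -> Vec<u8> {
    let mut aad = vec![AAD_VERSION];
    aad.extend(parts.concat());
    aad
}

/// Strict parse: rejects wrong version, truncated fields and trailing bytes.
fn parse_aad(aad: &[u8]) -> Option<[Vec<u8>; 4]> {
    let (&version, mut rest) = aad.split_first()?;
    if version != AAD_VERSION {
        return None;
    }
    let mut out: [Vec<u8>; 4] = Default::default();
    for slot in out.iter_mut() {
        if rest.len() < 4 { return None; }
        let (len, tail) = rest.split_at(4);
        let len = u32::from_be_bytes([len[0], len[1], len[2], len[3]]) as usize;
        if tail.len() < len {
            return None;
        }
        *slot = tail[..len].to_vec();
        rest = &tail[len..];
    }
    if rest.is_empty() { Some(out) } else { None }
}

fn main() {
    // Constructed inputs: same bytes, different tenant/key boundary.
    let a: [&[u8]; 4] = [b"tenant1", b"user:42", b"msgpack", b"1"];
    let b: [&[u8]; 4] = [b"tenant", b"1user:42", b"msgpack", b"1"];
    assert_eq!(naive_aad(a), naive_aad(b)); // boundary confusion: identical AAD
    assert_ne!(build_aad(a), build_aad(b)); // length prefixes keep them distinct
}
```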

Structs§

EncryptionLayer
Zero-knowledge encryption layer with per-tenant key derivation.