Module keystore

Secure key storage with encryption at rest.

This module provides a secure keystore/vault for storing cryptographic keys with encryption at rest. Each stored key is encrypted under a master key derived from a password, so an attacker who obtains the storage backend alone still has to guess the password; the protection is therefore only as strong as the password and the Argon2 parameters that derive the master key.

§Features

  • Master key derivation from password using Argon2
  • Individual key encryption with ChaCha20-Poly1305
  • A unique nonce for every stored key (reusing a nonce under the same master key would let ciphertexts be XORed against each other and break ChaCha20-Poly1305 entirely)
  • HMAC-based integrity verification
  • Key metadata tracking (creation time, last accessed, key type)
  • Multiple storage backends (filesystem, in-memory)
  • Automatic key versioning and rotation support
  • Secure deletion with zeroization
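
The two bullets above that matter most for correctness are the unique nonce and the zeroization. The following is an added, stand-alone example and not code from chie_crypto: it implements the ChaCha20 keystream from RFC 8439 inline (without the Poly1305 tag, so it provides no integrity check and is not a substitute for the AEAD used by this module), shows that encrypting two keys under one master key with a reused nonce leaks their XOR while distinct nonces do not, and shows a minimal drop-zeroized wrapper. The master key is a constant stand-in for an Argon2-derived key; the key material and nonces are constructed test data.

```rust
// Added example, not part of chie_crypto. ChaCha20 keystream only (RFC 8439),
// no Poly1305 tag: this demonstrates nonce handling and zeroization, nothing more.

fn quarter_round(s: &mut [u32; 16], a: usize, b: usize, c: usize, d: usize) {
    s[a] = s[a].wrapping_add(s[b]); s[d] ^= s[a]; s[d] = s[d].rotate_left(16);
    s[c] = s[c].wrapping_add(s[d]); s[b] ^= s[c]; s[b] = s[b].rotate_left(12);
    s[a] = s[a].wrapping_add(s[b]); s[d] ^= s[a]; s[d] = s[d].rotate_left(8);
    s[c] = s[c].wrapping_add(s[d]); s[b] ^= s[c]; s[b] = s[b].rotate_left(7);
}

/// One 64-byte ChaCha20 keystream block (RFC 8439 section 2.3).
fn chacha20_block(key: &[u8; 32], counter: u32, nonce: &[u8; 12]) -> [u8; 64] {
    let mut s = [0u32; 16];
    s[0] = 0x6170_7865; s[1] = 0x3320_646e; s[2] = 0x7962_2d32; s[3] = 0x6b20_6574;
    for i in 0..8 { s[4 + i] = u32::from_le_bytes(key[4 * i..4 * i + 4].try_into().unwrap()); }
    s[12] = counter;
    for i in 0..3 { s[13 + i] = u32::from_le_bytes(nonce[4 * i..4 * i + 4].try_into().unwrap()); }
    let mut w = s;
    for _ in 0..10 {
        quarter_round(&mut w, 0, 4, 8, 12); quarter_round(&mut w, 1, 5, 9, 13);
        quarter_round(&mut w, 2, 6, 10, 14); quarter_round(&mut w, 3, 7, 11, 15);
        quarter_round(&mut w, 0, 5, 10, 15); quarter_round(&mut w, 1, 6, 11, 12);
        quarter_round(&mut w, 2, 7, 8, 13); quarter_round(&mut w, 3, 4, 9, 14);
    }
    let mut out = [0u8; 64];
    for i in 0..16 {
        out[4 * i..4 * i + 4].copy_from_slice(&w[i].wrapping_add(s[i]).to_le_bytes());
    }
    out
}

/// XOR `data` with the keystream starting at block counter 1 (the AEAD reserves
/// counter 0 for the Poly1305 key). Encryption and decryption are the same operation.
fn chacha20_xor(key: &[u8; 32], nonce: &[u8; 12], data: &[u8]) -> Vec<u8> {
    data.chunks(64).enumerate().flat_map(|(i, chunk)| {
        let ks = chacha20_block(key, 1 + i as u32, nonce);
        chunk.iter().zip(ks.iter()).map(|(p, k)| p ^ k).collect::<Vec<u8>>()
    }).collect()
}

/// Self-check against the RFC 8439 section 2.3.2 block-function test vector.
fn rfc8439_block_vector_ok() -> bool {
    let mut key = [0u8; 32];
    for (i, b) in key.iter_mut().enumerate() { *b = i as u8; }
    let nonce = [0, 0, 0, 9, 0, 0, 0, 0x4a, 0, 0, 0, 0];
    let out = chacha20_block(&key, 1, &nonce);
    out[..16] == [0x10, 0xf1, 0xe7, 0xe4, 0xd1, 0x3b, 0x59, 0x15,
                  0x50, 0x0f, 0xdd, 0x1f, 0xa3, 0x20, 0x71, 0xc4]
}

/// Encrypt two stored keys under one master key. With a reused nonce the XOR of the
/// ciphertexts equals the XOR of the plaintexts, so recovering one key reveals the
/// other. Returns (leaks_with_reused_nonce, leaks_with_unique_nonces).
fn nonce_reuse_leak(master: &[u8; 32], k1: &[u8], k2: &[u8]) -> (bool, bool) {
    let nonce = [7u8; 12]; // constructed nonce
    let xor_pt: Vec<u8> = k1.iter().zip(k2).map(|(a, b)| a ^ b).collect();
    let c1 = chacha20_xor(master, &nonce, k1);
    let c2_reused = chacha20_xor(master, &nonce, k2);
    let xor_reused: Vec<u8> = c1.iter().zip(&c2_reused).map(|(a, b)| a ^ b).collect();
    let mut nonce2 = nonce;
    nonce2[0] ^= 1; // a distinct nonce for the second key
    let c2_unique = chacha20_xor(master, &nonce2, k2);
    let xor_unique: Vec<u8> = c1.iter().zip(&c2_unique).map(|(a, b)| a ^ b).collect();
    (xor_reused == xor_pt, xor_unique == xor_pt)
}

/// Secret material overwritten with zeros when dropped. `write_volatile` plus a
/// compiler fence keeps the optimizer from treating the wipe as a dead store.
struct SecretBytes(Vec<u8>);
impl SecretBytes {
    fn zeroize(&mut self) {
        for b in self.0.iter_mut() { unsafe { std::ptr::write_volatile(b, 0) }; }
        std::sync::atomic::compiler_fence(std::sync::atomic::Ordering::SeqCst);
    }
}
impl Drop for SecretBytes { fn drop(&mut self) { self.zeroize(); } }

fn main() {
    let master = [0x42u8; 32]; // stand-in for an Argon2-derived master key
    let (reused, unique) = nonce_reuse_leak(&master, b"signing-key-material-aaaa", b"encryption-key-material-b");
    println!("RFC 8439 vector ok: {}", rfc8439_block_vector_ok());
    println!("XOR leak with reused nonce: {reused}, with unique nonces: {unique}");
    let mut secret = SecretBytes(b"retrieved key".to_vec());
    secret.zeroize(); // explicit wipe; Drop does the same when it goes out of scope
    println!("zeroized: {}", secret.0.iter().all(|&b| b == 0));
}
```

The nonce lesson carries over unchanged to ChaCha20-Poly1305: a 96-bit nonce is too short to pick at random for a long-lived master key, so a keystore should either derive the nonce from a counter it persists alongside the records or use a key-wrapping scheme that tolerates nonce misuse. The zeroization wrapper is the shape of what the `zeroize` crate provides; relying on a plain `Vec` drop leaves the key bytes in freed memory.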

§Example

use chie_crypto::keystore::{KeyStoreResult, KeyType, SecureKeyStore};

fn main() -> KeyStoreResult<()> {
    // Create a new keystore with a password. The master key is derived from this
    // password with Argon2, so the password's strength bounds the protection the
    // encrypted store offers against offline guessing.
    let mut keystore = SecureKeyStore::new(b"strong-password")?;

    // Store a signing key; it is encrypted under the master key with its own nonce.
    let key_id = "my-signing-key";
    let key_data = b"secret-key-data-here";
    keystore.store_key(key_id, key_data, KeyType::Signing)?;

    // Retrieve and decrypt the key; integrity verification fails on a tampered record.
    let retrieved = keystore.retrieve_key(key_id)?;
    assert_eq!(&retrieved[..], &key_data[..]);

    // Check key metadata
    let metadata = keystore.get_metadata(key_id)?;
    assert_eq!(metadata.key_type, KeyType::Signing);

    // Delete the key; the stored material is zeroized
    keystore.delete_key(key_id)?;
    Ok(())
}

Structs§

KeyMetadata
Metadata about a stored key.
SecureKeyStore
Secure keystore for encrypted key storage.

Enums§

KeyStoreError
Errors that can occur during keystore operations.
KeyType
Type of cryptographic key.

Type Aliases§

KeyStoreResult
Result type for keystore operations.