Module key_management 

Key management operations for encrypted pages archives.

Provides CLI operations to manage key slots in an encrypted archive:

• list: Show all key slots
• add: Add a new password or recovery key slot
• revoke: Remove a key slot
• rotate: Full key rotation (regenerate DEK, re-encrypt payload)

Security Model

The archive uses envelope encryption with multiple key slots (like LUKS):

• A random Data Encryption Key (DEK) encrypts the payload
• Each key slot wraps the DEK with a Key Encryption Key (KEK)
• KEK is derived from password (Argon2id) or recovery secret (HKDF-SHA256)
• Add/revoke only modifies config.json; payload unchanged
• Rotate re-encrypts entire payload with new DEK

Structs

KeyListResult

Result of listing key slots

KeySlotInfo

Information about a single key slot

RevokeResult

Result of revoking a key slot

RotateResult

Result of key rotation

Enums

AddKeyResult

Result of adding a key slot

Functions

key_add_password

Add a new password-based key slot

key_add_recovery

Add a new recovery secret key slot

key_list

List all key slots in an archive

key_revoke

Revoke a key slot

key_rotate

Full key rotation - regenerate DEK and re-encrypt payload