dotling 0.9.0

A dotfiles management CLI — track, link, and sync your config files across machines
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105

# crypto

ChaCha20-Poly1305 encryption with Argon2id key derivation, and vault management.

## `crypto`

### `encrypt_with_key()`

```rust
pub fn encrypt_with_key(data: &[u8], key: &[u8; 32]) -> Result<Vec<u8>>
```

Encrypts data using ChaCha20-Poly1305 with the given 32-byte key. Generates a random 12-byte nonce. Returns the encrypted data in the `DOTLING-ENC-V2` format:

```
DOTLING-ENC-V2
<12-byte nonce as hex>
<base64-encoded ciphertext + 16-byte auth tag>
```

### `decrypt_with_key()`

```rust
pub fn decrypt_with_key(data: &[u8], key: &[u8; 32]) -> Result<Vec<u8>>
```

Decrypts data in the `DOTLING-ENC-V2` format using the given 32-byte key. Returns the plaintext. Fails if the authentication tag is invalid (data tampered or wrong key).

### `is_encrypted_content()`

```rust
pub fn is_encrypted_content(data: &[u8]) -> bool
```

Returns `true` if the data starts with the `DOTLING-ENC-V2` header.

---

## `crypto::vault`

### `vault_dir()`

```rust
pub fn vault_dir() -> Result<PathBuf>
```

Returns the path to `~/.dotling/vault/`. Creates it if it doesn't exist.

### `vault_exists()`

```rust
pub fn vault_exists() -> bool
```

Returns `true` if a vault has been initialized (both `identity.enc` and `config.toml` exist).

### `init_vault()`

```rust
pub fn init_vault(password: &str) -> Result<()>
```

Initializes a new vault. Generates a random 32-byte identity secret, derives a key from the password using Argon2id, and encrypts the identity with ChaCha20-Poly1305. Writes `identity.enc` and `config.toml` to the vault directory.

### `unlock_vault()`

```rust
pub fn unlock_vault(password: &str) -> Result<[u8; 32]>
```

Unlocks the vault by decrypting the identity secret. Returns the 32-byte master key used for file encryption. Fails if the password is incorrect (authentication tag mismatch).

### `export_vault()`

```rust
pub fn export_vault(path: &Path, password: &str) -> Result<()>
```

Exports the vault as a single encrypted bundle file. The bundle format:

```
DOTLVAUL           (8-byte magic)
0x01               (1 byte: version)
<32-byte salt>     (Argon2id salt)
<12-byte nonce>    (ChaCha20-Poly1305 nonce)
<ciphertext + tag> (encrypted payload)
```

The encrypted payload contains the vault config and identity secret.

### `import_vault()`

```rust
pub fn import_vault(path: &Path, password: &str) -> Result<()>
```

Imports a vault from an encrypted bundle. Decrypts the bundle using the password, extracts the config and identity, and writes them to the vault directory.

### `change_password()`

```rust
pub fn change_password(old_password: &str, new_password: &str) -> Result<()>
```

Changes the vault password. Decrypts the identity with the old password and re-encrypts with the new password.