enigma-storage

Encrypted local storage with mandatory at-rest protection and pluggable key providers. The crate never prompts for passwords and never writes plaintext keys to disk. Applications decide how to collect secrets and choose an appropriate provider for each platform.

Features

• XChaCha20-Poly1305 encryption for every stored value with AAD binding to namespace and key.
• Pluggable master-key providers: file-sealed fallback, password wrapping, foreign/app-provided, and OS vaults (DPAPI, macOS Keychain, Linux Secret Service).
• Sled-backed embedded store for persistence.
• Async-friendly API surface built on Tokio.

Quick start

use enigma_storage::storage::EncryptedStore;
use enigma_storage::key_provider::{ForeignKeyProvider, MasterKey};
use rand::RngCore;

#[tokio::main]
async fn main() -> Result<(), enigma_storage::error::EnigmaStorageError> {
    let mut key_bytes = [0u8; 32];
    rand::thread_rng().fill_bytes(&mut key_bytes);
    let provider = ForeignKeyProvider::new(key_bytes);

    let store = EncryptedStore::open("data", "demo", &provider)?;
    store.put("hello", b"world")?;
    let value = store.get("hello")?;
    assert_eq!(value, Some(b"world".to_vec()));
    Ok(())
}

Enable platform providers with features like provider-windows-dpapi, provider-macos-keychain, or provider-linux-secret-service. Password-based wrapping uses provider-password. File sealing is on by default via provider-file-sealed.

Key providers

• FileSealedKeyProvider: sealed blob and salt on disk, no plaintext key persisted.
• PasswordKeyProvider: wraps the key with Argon2id-derived key from application-supplied password bytes.
• ForeignKeyProvider: application supplies the key (Android Keystore, iOS Keychain, HSMs).
• WindowsDpapiKeyProvider / MacosKeychainKeyProvider / LinuxSecretServiceKeyProvider: platform vault storage behind optional features.

Security notes

• Encryption at rest is always enforced.
• No UI is provided; applications must gather passwords or keys.
• Prefer OS vault providers on user-facing systems. Use ForeignKeyProvider on mobile or external KMS setups.
• On headless Linux without Secret Service, use FileSealedKeyProvider or ForeignKeyProvider.

Testing

Default tests run on Linux without platform daemons. Platform-specific tests are feature- and cfg-gated and can be enabled with RUN_PLATFORM_TESTS=1 on their target OS.