envseal 0.3.12

Write-only secret vault with process-level access control — post-agent secret management
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

//! Vault — encrypted secret storage and master-key lifecycle.
//!
//! # Submodules
//!
//! - [`keychain`] — Passphrase-protected master key (Argon2id KDF, AES-GCM
//!   wrapping, `memfd_secret`/`mlock` protection).
//! - [`hardware`] — Device-bound key sealing (DPAPI / Secure Enclave /
//!   TPM 2.0). Wraps the passphrase-encrypted master key so a copy of
//!   `master.key` cannot be decrypted on another device, even with
//!   the correct passphrase.
//! - [`store`] — The on-disk encrypted vault: `Vault::open_default`,
//!   per-secret AES-256-GCM files, list/store/decrypt/revoke.
//! - [`health`] — Secret-health analysis (entropy, age, type detection).
//!
//! [`Vault`] is re-exported at the module root for ergonomic access.

pub mod hardware;
pub mod health;
pub mod keychain;
pub mod sealed_blob;
pub mod store;

#[cfg(feature = "fido2")]
pub mod fido2;

#[cfg(feature = "fido2-hardware")]
pub mod fido2_hardware;

pub use store::Vault;