iron_secrets
Encrypted secrets storage and access control for AI agents.
Installation
[]
= { = "../iron_secrets" }
Quick Start
use SecretsManager;
// Initialize with master key from environment
let manager = new?;
// Store encrypted secret
manager.create?;
// Retrieve decrypted secret for agent use
let api_key = manager.get?;
// Audit trail is automatically maintained
Responsibilities: Provides secure secrets management with AES-256-GCM encryption at rest, Argon2id key derivation, role-based access control, and comprehensive audit logging. Enables safe storage and runtime injection of sensitive credentials (API keys, database passwords, tokens).
In Scope:
- AES-256-GCM encryption for secrets at rest
- Argon2id key derivation from master key
- SQLite storage for encrypted blobs and metadata
- CRUD operations (create, read, update, delete, list)
- Role-based access control (Admin, Viewer, Agent)
- Audit logging for all secret operations
- Environment isolation (Development, Staging, Production)
- Secret masking for display (
sk-proj-abc...xyz) - Master key from environment variable
Out of Scope:
- AWS KMS integration (future)
- HashiCorp Vault integration (future)
- Secret versioning and history (future)
- Secret expiration and auto-rotation (future)
- Multi-tenancy isolation (future)
- External secret providers (GitHub Secrets, Azure Key Vault)
- REST API endpoints (see iron_control_api)
- Dashboard UI (see iron_dashboard)
Source Files
| File | Responsibility |
|---|---|
| lib.rs | Secure secrets management for AI agents |
| access_control.rs | Access control for secrets |
| audit.rs | Audit logging for secrets access |
| crypto.rs | Cryptographic operations for secret encryption/decryption |
| error.rs | Error types |
| secrets_manager.rs | Secrets manager service |
| storage.rs | Encrypted storage backend |
Notes:
- Entries marked 'TBD' require manual documentation
- Entries marked '⚠️ ANTI-PATTERN' should be renamed to specific responsibilities
License
Apache-2.0