rust-keyvault 0.1.0

A secure, modern cryptographic key management library for Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87

# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [0.1.0] - 2024-12-XX

### Added

#### Core Features
- **KeyStore trait** - Abstract interface for key storage backends
- **MemoryStore** - Thread-safe in-memory key storage for testing
- **FileStore** - Encrypted file-based persistent storage
- **Key lifecycle management** - Active, Deprecated, Revoked, Rotating states

#### Cryptographic Features  
- **AEAD encryption** - ChaCha20-Poly1305 and AES-256-GCM support
- **Key generation** - Cryptographically secure random key generation
- **Argon2 key derivation** - Password-based master key derivation
- **Memory protection** - Automatic zeroization of sensitive data

#### Key Management
- **Key rotation** - Automatic versioning with backward compatibility
- **Metadata tracking** - Creation time, expiration, algorithm binding
- **Base ID system** - Track key families across rotations
- **Version cleanup** - Policy-based old version removal

#### Storage Features
- **Encryption at rest** - Master key encryption for file storage
- **Serialization** - JSON-based key persistence with encryption
- **Thread safety** - `Send + Sync` support for concurrent access
- **Error handling** - Comprehensive typed error system

#### Security Features
- **Memory safety** - `#![forbid(unsafe_code)]` - zero unsafe code
- **Constant-time operations** - Side-channel resistant comparisons
- **Secure random** - ChaCha20-based CSPRNG
- **Algorithm binding** - Keys tied to specific algorithms

### Security Considerations

- Uses industry-standard cryptographic primitives
- Implements proper key lifecycle management
- Provides secure defaults for all operations
- Automatic memory zeroization prevents key material leaks
- Argon2id protects against password-based attacks

### Dependencies

- `aead` - AEAD encryption trait definitions
- `chacha20poly1305` - ChaCha20-Poly1305 AEAD implementation  
- `aes-gcm` - AES-256-GCM AEAD implementation
- `argon2` - Argon2 password hashing
- `zeroize` - Secure memory clearing
- `serde` - Serialization framework
- `thiserror` - Error handling

### Breaking Changes

None - this is the initial release.

### Documentation

- Complete API documentation with examples
- Usage guide with practical examples
- Security considerations and best practices

### Testing

- Comprehensive unit tests for all components
- Integration tests for storage backends
- Security tests for encryption and key rotation
- Cross-platform compatibility testing

---

## [Unreleased]

### Planned Features
- HSM integration (PKCS#11)
- Cloud KMS support (AWS, Azure, GCP)
- Key derivation functions (HKDF)
- Audit logging
- Distributed key management
- Performance optimizations