rust-keyvault 0.1.0

A secure, modern cryptographic key management library for Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121

# rust-keyvault

[![Crates.io](https://img.shields.io/crates/v/rust-keyvault.svg)](https://crates.io/crates/rust-keyvault)
[![Documentation](https://docs.rs/rust-keyvault/badge.svg)](https://docs.rs/rust-keyvault)
[![License](https://img.shields.io/badge/license-MIT%2FApache--2.0-blue.svg)](https://github.com/yourusername/rust-keyvault#license)

A secure, modern cryptographic key management library for Rust.

## `rust-keyvault` features

- **AEAD Encryption**: ChaCha20-Poly1305 and AES-256-GCM
- **Key Rotation**: Automatic versioning and lifecycle management
- **Encrypted Storage**: File-based persistence with Argon2 key derivation
- **Thread-Safe**: Multi-threaded storage backends
- **Memory Protection**: Automatic zeroization of sensitive data
- **Zero Unsafe**: `#![forbid(unsafe_code)]` - completely memory safe

## Quick Start

Add to your `Cargo.toml`;

```toml
[dependencies]
rust-keyvault = "0.1"
```

### Basic Usage

```rust
use rust_keyvault::*;
use rust_keyvault::storage::*;
use std::time::SystemTime;

// Create an encrypted file store
let config = StorageConfig { encrypted: true, ..Default::default() };
let mut store = FileStore::new("./keys", config)?;
store.init_with_password(b"your-secure-password")?;

// Generate a new key
let base_id = KeyId::generate_base()?;
let secret_key = SecretKey::generate(Algorithm::ChaCha20Poly1305)?;

let metadata = KeyMetadata {
    id: base_id.clone(),
    base_id: base_id.clone(),
    algorithm: Algorithm::ChaCha20Poly1305,
    created_at: SystemTime::now(),
    expires_at: None,
    state: KeyState::Active,
    version: 1,
};

let versioned_key = VersionedKey { key: secret_key, metadata };

// Store the key
store.store(versioned_key)?;

// Retrieve and use
let retrieved = store.retrieve(&base_id)?;
println!("Key algorithm: {:?}", retrieved.key.algorithm());
```

### Key Rotation

```rust
// Rotate to a new version
let rotated_key = store.rotate_key(&base_id)?;
println!("New version: {}", rotated_key.metadata.version); // 2

// Get all versions
let versions = store.get_key_versions(&base_id)?;
println!("Total versions: {}", versions.len()); // 2

// Get latest active key
let latest = store.get_latest_key(&base_id)?;
```

## Architecture

```
┌─────────────────┐
│  Applications   │
└─────────────────┘
┌─────────────────┐    ┌──────────────────┐
│   KeyStore      │    │  EncryptedStore  │
│   Traits        │    │  Traits          │
└─────────────────┘    └──────────────────┘
         │                       │
┌─────────────────┐    ┌──────────────────┐
│   MemoryStore   │    │    FileStore     │
│   (Testing)     │    │  (Production)    │
└─────────────────┘    └──────────────────┘
         │                       │
┌─────────────────┐    ┌──────────────────┐
│  AEAD Crypto    │    │  Argon2 KDF      │
│  ChaCha20/AES   │    │  Key Derivation  │
└─────────────────┘    └──────────────────┘
```

## Security Features

- **Modern Cryptography**: ChaCha20-Poly1305 and AES-256-GCM AEAD
- **Memory Safety**: Automatic zeroization with `zeroize` crate
- **Key Derivation**: Argon2id password-based key derivation
- **Authenticated Encryption**: Built-in integrity protection
- **Secure Random**: ChaCha20-based CSPRNG

## Documentation

- [API Documentation](https://docs.rs/rust-keyvault)
- [Usage Examples](examples/)

## License

Licensed under either of:

- Apache License, Version 2.0 ([LICENSE-APACHE](LICENSE-APACHE))
- MIT License ([LICENSE-MIT](LICENSE-MIT))

at your option.