# zvault-core

Core library for ZVault — the AI-native secrets manager.

This crate contains the encryption barrier, seal/unseal lifecycle, token authentication, policy engine, audit logging, and secrets engines (KV, Transit, PKI, Database).
## Key Components

- Barrier — AES-256-GCM encrypt-on-write, decrypt-on-read. Storage never sees plaintext.
- Seal — Shamir's Secret Sharing for root key protection.
- Tokens — SHA-256 hashed, constant-time verified (`subtle::ConstantTimeEq`).
- Policies — Path-based ACLs with capabilities (create, read, update, delete, list).
- Audit — HMAC'd entries, fail-closed semantics.
- Engines — KV secrets, Transit encryption, PKI certificates, Database credentials.
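The policy and audit behaviour listed above, as an added example that is not zvault-core's own code: a deny-by-default, path-based capability check using the five capabilities named in the list, fronted by an audit hook that refuses the request whenever the audit entry cannot be written (fail closed). The `Policy`, `Rule`, `AuditSink`, `Denied` and `authorize` names, the `path = cap,cap` rule syntax and the longest-match precedence are assumptions made for this illustration; the crate's real policy format and its HMAC'd audit entries are not shown, and the example uses only the standard library.

```rust
// Added example, not zvault-core's own code: a toy path-based policy engine
// with deny-by-default capability checks and a fail-closed audit hook in front
// of it. Type names, the rule syntax and `authorize` are assumptions.
use std::collections::BTreeSet;

#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Capability { Create, Read, Update, Delete, List }

impl Capability {
    /// Parse the capability names the README lists; anything else is rejected.
    pub fn parse(s: &str) -> Option<Self> {
        Some(match s {
            "create" => Capability::Create,
            "read" => Capability::Read,
            "update" => Capability::Update,
            "delete" => Capability::Delete,
            "list" => Capability::List,
            _ => return None,
        })
    }
}

/// One rule: a path pattern (exact, or a prefix ending in `*`) and the
/// capabilities it grants on matching paths.
#[derive(Debug, Clone)]
pub struct Rule { pub pattern: String, pub caps: BTreeSet<Capability> }

impl Rule {
    fn matches(&self, path: &str) -> bool {
        match self.pattern.strip_suffix('*') {
            Some(prefix) => path.starts_with(prefix),
            None => path == self.pattern,
        }
    }
}

#[derive(Debug, Default, Clone)]
pub struct Policy { pub rules: Vec<Rule> }

impl Policy {
    /// Parse lines of the constructed form `path = cap,cap,...`. An unknown
    /// capability is a hard error so a typo can never silently change access.
    pub fn parse(text: &str) -> Result<Policy, String> {
        let mut rules = Vec::new();
        for line in text.lines().map(str::trim).filter(|l| !l.is_empty() && !l.starts_with('#')) {
            let (pattern, caps) = line.split_once('=').ok_or(format!("bad rule: {}", line))?;
            let caps = caps
                .split(',')
                .map(str::trim)
                .map(|c| Capability::parse(c).ok_or(format!("unknown capability: {}", c)))
                .collect::<Result<BTreeSet<_>, _>>()?;
            rules.push(Rule { pattern: pattern.trim().to_string(), caps });
        }
        Ok(Policy { rules })
    }

    /// Deny by default. The longest matching pattern decides, so a rule for
    /// `secret/admin/*` can narrow what `secret/*` granted.
    pub fn allows(&self, path: &str, cap: Capability) -> bool {
        self.rules
            .iter()
            .filter(|r| r.matches(path))
            .max_by_key(|r| r.pattern.len())
            .map_or(false, |r| r.caps.contains(&cap))
    }
}

/// Destination for audit entries. An `Err` must block the request (fail closed).
pub trait AuditSink {
    fn record(&mut self, entry: &str) -> Result<(), String>;
}

/// In-memory sink for tests and demos.
pub struct MemorySink(pub Vec<String>);
impl AuditSink for MemorySink {
    fn record(&mut self, entry: &str) -> Result<(), String> { self.0.push(entry.to_string()); Ok(()) }
}

/// Simulates an audit device that cannot be written (full disk, lost socket).
pub struct BrokenSink;
impl AuditSink for BrokenSink {
    fn record(&mut self, _entry: &str) -> Result<(), String> { Err("audit device unavailable".to_string()) }
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Denied { AuditFailed(String), PermissionDenied }

/// Authorize one request. The audit entry is recorded before the decision is
/// returned, and an audit failure rejects the request even when policy allows it.
pub fn authorize(policy: &Policy, audit: &mut dyn AuditSink, token_id: &str, path: &str, cap: Capability) -> Result<(), Denied> {
    let allowed = policy.allows(path, cap);
    let entry = format!("token={} path={} cap={:?} allowed={}", token_id, path, cap, allowed);
    audit.record(&entry).map_err(Denied::AuditFailed)?;
    if allowed { Ok(()) } else { Err(Denied::PermissionDenied) }
}

fn main() {
    let policy = Policy::parse("secret/* = read,list\nsecret/admin/* = read").unwrap();
    let mut sink = MemorySink(Vec::new());
    println!("{:?}", authorize(&policy, &mut sink, "t1", "secret/app/db", Capability::List));
    println!("{:?}", authorize(&policy, &mut BrokenSink, "t1", "secret/app/db", Capability::Read));
}
```

The ordering in `authorize` is the point: the decision is computed, the audit entry is written, and only then is the result released to the caller, so a request can never succeed without a record of it. Longest-match precedence is one reasonable choice; a union-of-capabilities model is the other common one, and which the crate uses is not stated on this page.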
## Security

- AES-256-GCM with fresh nonce per operation
- Key material zeroized on drop (`Zeroize` + `ZeroizeOnDrop`)
- Pure Rust crypto (RustCrypto ecosystem, no OpenSSL)
- `#![deny(unsafe_code)]`
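The constant-time token verification mentioned under Key Components, as an added example that is not the crate's own code (which uses `subtle::ConstantTimeEq`): a standard-library-only equality check with no data-dependent early exit, and a token store whose lookup compares every stored digest rather than stopping at the first match. The `ct_eq`, `TokenRecord`, `TokenStore` and `sample_digest` names are assumptions, and the digests are constructed sample bytes standing in for the SHA-256 hashes the crate would store.

```rust
// Added example, not zvault-core's own code: constant-time comparison of a
// presented token digest against stored digests, using only std. The digests
// here are constructed sample data, not real SHA-256 output.
use std::hint::black_box;

/// Compare two byte slices without a data-dependent early exit. The OR-accumulate
/// loop touches every byte no matter where the first mismatch is; `black_box`
/// discourages the optimizer from rewriting it back into a short-circuit compare.
/// The length check is fine here because digest length is fixed, not secret.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= black_box(x ^ y);
    }
    black_box(diff) == 0
}

/// What is kept at rest for a token: only its digest, never the token itself.
pub struct TokenRecord {
    pub digest: [u8; 32],
    pub policy: &'static str,
}

pub struct TokenStore {
    pub records: Vec<TokenRecord>,
}

impl TokenStore {
    /// Look up a presented token by its digest. Every record is compared with
    /// `ct_eq` and the scan never returns early, so the time taken does not reveal
    /// at which position (if any) the presented digest matched.
    pub fn lookup(&self, presented_digest: &[u8; 32]) -> Option<&TokenRecord> {
        let mut found: Option<&TokenRecord> = None;
        for rec in &self.records {
            if ct_eq(&rec.digest, presented_digest) {
                found = Some(rec);
            }
        }
        found
    }
}

/// Constructed stand-in for a SHA-256 digest: a deterministic byte pattern
/// derived from `seed`, so distinct seeds give distinct 32-byte arrays.
pub fn sample_digest(seed: u8) -> [u8; 32] {
    let mut d = [0u8; 32];
    for (i, b) in d.iter_mut().enumerate() {
        *b = seed.wrapping_mul(31).wrapping_add(i as u8);
    }
    d
}

fn main() {
    let store = TokenStore {
        records: vec![
            TokenRecord { digest: sample_digest(1), policy: "default" },
            TokenRecord { digest: sample_digest(2), policy: "admin" },
        ],
    };
    println!("{:?}", store.lookup(&sample_digest(2)).map(|r| r.policy));
    println!("{:?}", store.lookup(&sample_digest(9)).map(|r| r.policy));
}
```

The comparisons are the constant-time part; the `Option` update in `lookup` is a plain branch, which is acceptable because the loop still visits every record and the expensive work per iteration is the same on both paths. A real store would index by digest rather than scan, and the crate's own implementation is not shown here.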
## Part of ZVault

```text
CLI / MCP Server / Web UI
            │
       ┌────▼────┐
       │  Core   │  ← this crate
       └────┬────┘
       ┌────▼────┐
       │ Storage │  ← zvault-storage
       └─────────┘
```

Install the full CLI: `cargo install zvault-cli`