Expand description
§dig-keystore
Encrypted secret-key storage for DIG Network binaries.
Provides a typed Keystore<K: KeyScheme> over an encrypted on-disk blob. The
storage layer is abstracted behind a KeychainBackend trait; FileBackend
ships for filesystem persistence, MemoryBackend ships under the testing
feature for dependent crates’ tests. Hardware-signer backends (Ledger /
YubiHSM) plug into the same trait in future releases.
§File format
DIGVK1 (BLS signing) and DIGLW1 (L1 wallet BLS). See
docs/resources/SPEC.md for the byte-level
layout. Encryption is AES-256-GCM; key derivation is Argon2id (default 64
MiB / 3 iterations / 4 lanes).
§Security properties
- AES-256-GCM authenticated encryption (tag integrity)
- Argon2id memory-hard KDF
Zeroizing<...>wrappers on passwords, seeds, and derived keys- Outer CRC32 for fast fail on bit-rot
- Atomic file writes (tmp + rename)
§Minimal example
use std::sync::Arc;
use dig_keystore::{
Keystore, Password, KdfParams,
scheme::BlsSigning,
backend::{FileBackend, BackendKey, KeychainBackend},
};
let backend: Arc<dyn KeychainBackend> = Arc::new(FileBackend::new("/var/dig/keys"));
let key = BackendKey::new("validator_bls");
let password = Password::from("correct horse battery staple");
// Create
let ks = Keystore::<BlsSigning>::create(
backend.clone(),
key.clone(),
password.clone(),
None, // generate a fresh seed
KdfParams::default(),
)?;
// Unlock + sign
let signer = ks.unlock(password)?;
let sig = signer.sign(b"message");
let pk = signer.public_key();Re-exports§
pub use backend::FileBackend;pub use backend::MemoryBackend;pub use backend::BackendKey;pub use backend::KeychainBackend;pub use scheme::BlsSigning;pub use scheme::KeyScheme;pub use scheme::L1WalletBls;
Modules§
- backend
- Storage backend abstraction.
- bls
- Convenience re-exports of the
chia-blstypes used by the BLS schemes. - scheme
- Key schemes: the typed layer that defines how raw secret bytes become usable keys, public keys, and signatures.
Structs§
- KdfParams
- Parameters for the key derivation function.
- Keystore
- A typed, encrypted keystore.
- Keystore
Header - Parsed file header.
- Password
- A password used to unlock a
crate::Keystore. - Signer
Handle - The unlocked handle. Drop wipes the secret.
Enums§
- Cipher
Id - Identifies the symmetric cipher used.
- KdfId
- Identifies the key derivation function used.
- Keystore
Error - Errors produced by keystore operations.
Constants§
- FORMAT_
VERSION_ V1 - File format version supported by this library.
Type Aliases§
- Result
- Result alias used throughout the crate.