Skip to main content

Crate dig_keystore

Crate dig_keystore 

Source
Expand description

§dig-keystore

Encrypted secret-key storage for DIG Network binaries.

Provides a typed Keystore<K: KeyScheme> over an encrypted on-disk blob. The storage layer is abstracted behind a KeychainBackend trait; FileBackend ships for filesystem persistence, MemoryBackend ships under the testing feature for dependent crates’ tests. Hardware-signer backends (Ledger / YubiHSM) plug into the same trait in future releases.

§File format

DIGVK1 (BLS signing) and DIGLW1 (L1 wallet BLS). See docs/resources/SPEC.md for the byte-level layout. Encryption is AES-256-GCM; key derivation is Argon2id (default 64 MiB / 3 iterations / 4 lanes).

§Security properties

  • AES-256-GCM authenticated encryption (tag integrity)
  • Argon2id memory-hard KDF
  • Zeroizing<...> wrappers on passwords, seeds, and derived keys
  • Outer CRC32 for fast fail on bit-rot
  • Atomic file writes (tmp + rename)

§Minimal example

use std::sync::Arc;
use dig_keystore::{
    Keystore, Password, KdfParams,
    scheme::BlsSigning,
    backend::{FileBackend, BackendKey, KeychainBackend},
};

let backend: Arc<dyn KeychainBackend> = Arc::new(FileBackend::new("/var/dig/keys"));
let key = BackendKey::new("validator_bls");
let password = Password::from("correct horse battery staple");

// Create
let ks = Keystore::<BlsSigning>::create(
    backend.clone(),
    key.clone(),
    password.clone(),
    None,                          // generate a fresh seed
    KdfParams::default(),
)?;

// Unlock + sign
let signer = ks.unlock(password)?;
let sig = signer.sign(b"message");
let pk = signer.public_key();

Re-exports§

pub use backend::FileBackend;
pub use backend::MemoryBackend;
pub use backend::BackendKey;
pub use backend::KeychainBackend;
pub use scheme::BlsSigning;
pub use scheme::KeyScheme;
pub use scheme::L1WalletBls;

Modules§

backend
Storage backend abstraction.
bls
Convenience re-exports of the chia-bls types used by the BLS schemes.
opaque
Opaque secret sealing — password-encrypts arbitrary-length secret bytes.
scheme
Key schemes: the typed layer that defines how raw secret bytes become usable keys, public keys, and signatures.

Structs§

KdfParams
Parameters for the key derivation function.
Keystore
A typed, encrypted keystore.
KeystoreHeader
Parsed file header.
Password
A password used to unlock a crate::Keystore.
SignerHandle
The unlocked handle. Drop wipes the secret.

Enums§

CipherId
Identifies the symmetric cipher used.
KdfId
Identifies the key derivation function used.
KeystoreError
Errors produced by keystore operations.

Constants§

FORMAT_VERSION_V1
File format version supported by this library.

Type Aliases§

Result
Result alias used throughout the crate.