pub struct VaultStore { /* private fields */ }
The main vault handle. Create one with VaultStore::create or
VaultStore::open, then use its methods to manage secrets.
Implementations
impl VaultStore
pub fn create(
    path: &Path,
    password: &[u8],
    environment: &str,
    argon2_params: Option<&Argon2Params>,
    keyfile_bytes: Option<&[u8]>,
) -> Result<Self>
Create a brand-new vault file at path.
Generates a random salt, derives the master key from the password, and writes an empty vault to disk.
Pass None for argon2_params to use sensible defaults.
Pass Some(settings.argon2_params()) to use config values.
Pass Some(bytes) for keyfile_bytes to enable keyfile-based 2FA.
The keyfile hash is stored in the vault header so open can
verify the correct keyfile is used.
pub fn open(
    path: &Path,
    password: &[u8],
    keyfile_bytes: Option<&[u8]>,
) -> Result<Self>
Open an existing vault file, verifying its integrity.
Reads the binary file, derives the master key from the password + stored salt (using stored Argon2 params), and verifies the HMAC over the original bytes from disk.
If the vault was created with a keyfile, keyfile_bytes must be
provided. If the vault has no keyfile requirement, the parameter
is ignored.
pub fn from_parts(
    path: PathBuf,
    header: VaultHeader,
    master_key: MasterKey,
) -> Self
Build a VaultStore from pre-constructed parts.
Used by rotate-key to create a new store with a new master key
without writing to disk first.
pub fn set_secret(&mut self, name: &str, plaintext_value: &str) -> Result<()>
Add or update a secret.
The plaintext value is encrypted with a per-secret key derived from the master key + secret name. The per-secret key is zeroized immediately after use.
pub fn get_secret(&self, name: &str) -> Result<String>
Decrypt and return the plaintext value of a secret.
The per-secret key is zeroized after decryption.
pub fn delete_secret(&mut self, name: &str) -> Result<()>
Remove a secret from the vault.
pub fn list_secrets(&self) -> Vec<SecretMetadata>
List metadata for all secrets, sorted by name.
pub fn get_all_secrets(&self) -> Result<HashMap<String, String>>
Decrypt all secrets and return them as a name -> plaintext map.
Used by the run command to inject secrets into a child process.
pub fn save(&mut self) -> Result<()>
Serialize the vault and write it to disk atomically.
Computes a fresh HMAC over the header + secrets JSON and writes the full binary envelope via temp-file + rename.
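The envelope that create, open and save describe (salt and keyfile hash in the header, a MAC over header plus payload that open checks against the exact bytes read from disk, keyfile as a second factor, and a temp-file + rename write) as an added standard-library sketch; this is not the crate's code, its on-disk layout is constructed for the example, PBKDF2-HMAC-SHA256 stands in for Argon2, and the per-secret encryption of set_secret/get_secret is left out so the payload is just opaque bytes.

```python
import hashlib, hmac, json, os, struct, tempfile

MAGIC = b"VLT1"  # constructed format tag; the crate's real envelope layout is not shown on the page
def derive_master_key(password, salt, iterations, keyfile):
    # keyfile is mixed into the KDF input, so the password alone cannot reproduce the key (2FA)
    material = password + (b"\x00" + keyfile if keyfile else b"")
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations, dklen=32)

def write_atomic(path, data):
    # temp file in the same directory, fsync, rename: a crash never leaves a half-written vault
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "wb") as f:
        f.write(data); f.flush(); os.fsync(f.fileno())
    os.replace(tmp, path)

def create(path, password, payload, keyfile=None, iterations=100_000):
    salt = os.urandom(16)
    header = json.dumps({"salt": salt.hex(), "kdf_iterations": iterations,
                         "keyfile_sha256": hashlib.sha256(keyfile).hexdigest() if keyfile else None}).encode()
    body = MAGIC + struct.pack(">I", len(header)) + header + payload
    key = derive_master_key(password, salt, iterations, keyfile)
    write_atomic(path, body + hmac.new(key, body, hashlib.sha256).digest())  # tag covers header AND payload

def open_vault(path, password, keyfile=None):
    raw = open(path, "rb").read()  # the MAC is checked over these exact bytes, never a re-serialization
    if raw[:4] != MAGIC or len(raw) < 8 + 32:
        raise ValueError("not a vault file")
    hlen = struct.unpack(">I", raw[4:8])[0]
    header = json.loads(raw[8:8 + hlen])  # parsed only to get salt/params; trusted only once the MAC passes
    want = header["keyfile_sha256"]
    if want and (keyfile is None or hashlib.sha256(keyfile).hexdigest() != want):
        raise ValueError("keyfile required and it does not match the stored hash")
    # no keyfile requirement in the header: the keyfile parameter is ignored, as open() documents
    key = derive_master_key(password, bytes.fromhex(header["salt"]), header["kdf_iterations"], keyfile if want else None)
    if not hmac.compare_digest(hmac.new(key, raw[:-32], hashlib.sha256).digest(), raw[-32:]):
        raise ValueError("integrity check failed: wrong password or modified file")
    return header, raw[8 + hlen:-32]

def demo():  # round trip plus three failure modes on constructed inputs; returns which opens succeeded
    path = os.path.join(tempfile.mkdtemp(), "vault.bin")
    create(path, b"correct horse", b'{"db_pass":"s3cret"}', keyfile=b"KEYFILE", iterations=10_000)
    def opens(pw, kf, flip_byte=False):
        if flip_byte:  # simulate on-disk tampering inside the payload region
            raw = bytearray(open(path, "rb").read()); raw[-40] ^= 1; write_atomic(path, bytes(raw))
        try:
            return open_vault(path, pw, kf)[1] == b'{"db_pass":"s3cret"}'
        except ValueError:
            return False
    return {"roundtrip": opens(b"correct horse", b"KEYFILE"), "wrong_password": opens(b"wrong", b"KEYFILE"),
            "missing_keyfile": opens(b"correct horse", None), "tampered": opens(b"correct horse", b"KEYFILE", True)}
```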
pub fn environment(&self) -> &str
Returns the environment name (e.g. “dev”).
pub fn secret_count(&self) -> usize
Returns the number of secrets in the vault.
pub fn created_at(&self) -> DateTime<Utc>
Returns the vault creation timestamp.
pub fn contains_key(&self, name: &str) -> bool
Returns true if the vault contains a secret with the given name.
This is a metadata-only check — no decryption is performed.
pub fn header(&self) -> &VaultHeader
Returns a reference to the vault header.
Useful for inspecting stored Argon2 params, keyfile hash, etc.