Binary vault file format and HMAC integrity verification.
A .vault file has this layout:
[EVLT: 4 bytes][version: 1 byte][header_len: 4 bytes LE][header JSON][secrets JSON][HMAC-SHA256: 32 bytes]
- Magic (EVLT): identifies the file as an EnvVault vault.
- Version: format version (currently 1).
- Header length: little-endian u32 telling us where the header JSON ends and the secrets JSON begins.
- Header JSON: serialized VaultHeader.
- Secrets JSON: serialized Vec<Secret>.
- HMAC-SHA256: 32-byte tag computed over header + secrets bytes.
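The layout above can be split defensively as in the following added example, which is not EnvVault's own code: it bounds-checks every field of the container before slicing and returns the header, secrets and tag byte ranges. The names `split_vault`, `VaultParts`, `ParseError` and `sample_vault` are hypothetical, and the sample file is constructed with a placeholder tag.

```rust
// Added example (not EnvVault's own code): split a .vault buffer into its parts.
const MAGIC: &[u8; 4] = b"EVLT";
const VERSION: u8 = 1;
const PREFIX_LEN: usize = 4 + 1 + 4; // magic + version + header_len (u32 LE)
const TAG_LEN: usize = 32; // HMAC-SHA256 output size

#[derive(Debug, PartialEq)]
enum ParseError { TooShort, BadMagic, UnsupportedVersion(u8), HeaderLenOutOfBounds }

#[derive(Debug, PartialEq)]
struct VaultParts<'a> { header: &'a [u8], secrets: &'a [u8], tag: &'a [u8] }

/// Every field is untrusted input: check lengths before slicing so a
/// truncated file or a bogus header_len yields an error, not a panic.
fn split_vault(buf: &[u8]) -> Result<VaultParts<'_>, ParseError> {
    if buf.len() < PREFIX_LEN + TAG_LEN {
        return Err(ParseError::TooShort);
    }
    if !buf.starts_with(MAGIC) {
        return Err(ParseError::BadMagic);
    }
    if buf[4] != VERSION {
        return Err(ParseError::UnsupportedVersion(buf[4]));
    }
    let header_len = u32::from_le_bytes([buf[5], buf[6], buf[7], buf[8]]) as usize;
    let (body, tag) = buf[PREFIX_LEN..].split_at(buf.len() - PREFIX_LEN - TAG_LEN);
    if header_len > body.len() {
        return Err(ParseError::HeaderLenOutOfBounds);
    }
    let (header, secrets) = body.split_at(header_len);
    // Verify the tag over header + secrets before deserializing either blob.
    Ok(VaultParts { header, secrets, tag })
}

/// Constructed sample file; the tag is a placeholder, not a real HMAC.
fn sample_vault(header: &[u8], secrets: &[u8]) -> Vec<u8> {
    let mut v = MAGIC.to_vec();
    v.push(VERSION);
    v.extend_from_slice(&(header.len() as u32).to_le_bytes());
    v.extend_from_slice(header);
    v.extend_from_slice(secrets);
    v.extend_from_slice(&[0xAA; TAG_LEN]);
    v
}

fn main() {
    let file = sample_vault(b"{}", b"[]");
    println!("{:?}", split_vault(&file));
}
```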
Structs§
- RawVault: Raw data read from a vault file on disk.
- StoredArgon2Params: Argon2 parameters stored in the vault header so the exact same KDF settings are used when re-opening. Backward-compatible: if missing, defaults are used (m=64MB, t=3, p=4).
- VaultHeader: Metadata stored at the beginning of a vault file.
Constants§
- CURRENT_VERSION: Current binary format version.
Functions§
- compute_hmac: Compute HMAC-SHA256 over header + secrets bytes.
- read_vault: Read a vault file from disk and return its parts with raw bytes.
- verify_hmac: Verify that the HMAC matches using constant-time comparison.
- write_vault: Write a vault file to disk atomically.