Keyfile-based authentication for EnvVault.
A keyfile is a 32-byte random file that acts as a second factor. When a vault is created with a keyfile, both the password and the keyfile are required to derive the master key.
The combination is: HMAC-SHA256(keyfile_bytes, password_bytes).
This combined value is then fed into Argon2id as the “password”.
Functions
- combine_password_keyfile - Combine a password and keyfile into a single effective password.
- generate_keyfile - Generate a new random keyfile and write it to path.
- hash_keyfile - Compute the SHA-256 hash of a keyfile for storage in the vault header.
- load_keyfile - Load a keyfile from disk and validate its length.
- verify_keyfile_hash - Verify that a keyfile matches the expected hash stored in the header.
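
The keyfile scheme described on this page, as an added Python sketch using only the standard library; it is not EnvVault's own code. The function names mirror the list above, but the signatures, the 0o600 file mode, the refusal to overwrite an existing file, and the use of the keyfile as the HMAC key are assumptions, and the Argon2id step is left out.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

KEYFILE_LEN = 32  # keyfile size stated on this page


def generate_keyfile(path):
    """Write 32 random bytes to a new file and return them."""
    data = secrets.token_bytes(KEYFILE_LEN)
    # Assumption: O_EXCL refuses to clobber an existing keyfile, 0o600 is owner-only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return data


def load_keyfile(path):
    """Read a keyfile and reject anything that is not exactly 32 bytes."""
    with open(path, "rb") as f:
        data = f.read(KEYFILE_LEN + 1)  # one extra byte exposes oversized files
    if len(data) != KEYFILE_LEN:
        raise ValueError("keyfile must be exactly 32 bytes")
    return data


def hash_keyfile(keyfile):
    """SHA-256 of the keyfile, the value kept in the vault header."""
    return hashlib.sha256(keyfile).digest()


def verify_keyfile_hash(keyfile, expected):
    """Compare against the header hash in constant time."""
    return hmac.compare_digest(hash_keyfile(keyfile), expected)


def combine_password_keyfile(password, keyfile):
    """HMAC-SHA256(keyfile_bytes, password_bytes); keyfile as HMAC key is assumed."""
    return hmac.new(keyfile, password, hashlib.sha256).digest()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        kf_path = os.path.join(d, "vault.key")  # constructed path
        generate_keyfile(kf_path)
        kf = load_keyfile(kf_path)
        print(combine_password_keyfile(b"constructed-password", kf).hex())
```

The 32-byte result of combine_password_keyfile is what would be passed to Argon2id in place of the raw password.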