
Crate hana_vault


§Hana Vault - Encrypted SQLite Credential Manager

A secure, encrypted vault for storing SSH credentials, hosts, and sensitive data using SQLite with AES-256-GCM encryption.

§Features

  • Encrypted SQLite Storage: All data is stored in an encrypted in-memory SQLite database
  • Binary Encryption: Vaults can be exported as encrypted bytes
  • Autonomous Migrations: Schema versioning with automatic migration system
  • Multiple Credential Types: Support for username/password, RSA, OpenSSH, Ed25519, ECDSA, and certificate-based auth
  • Host Management: Store hosts with startup commands, environment variables, and custom encodings
  • Industry-Standard Crypto: AES-256-GCM symmetric encryption
  • Key-Based API: Supply your own encryption key (derive from password using Argon2id in your application)
  • Zero Knowledge: Raw SQLite database is never exposed, only encrypted formats

§Usage

use std::fs::File;
use std::io::{Read, Write};
use std::path::Path;

use hana_vault::{Vault, Host, Credential, SecretKey};

// Boxed error so both `VaultError` and `std::io::Error` can be propagated with `?`
// (assumes `VaultError` implements `std::error::Error`).
fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Generate or derive a 256-bit key (in production, derive from password using Argon2id)
    let key = SecretKey::random();

    // Create a new vault with the key
    let vault = Vault::new(key.clone())?;

    // Add a host
    let mut host = Host::new("Production Server".to_string(), "prod.example.com".to_string(), 22);
    host.add_env_var("PATH".to_string(), "/usr/local/bin:/usr/bin".to_string());
    host = host.with_startup_command("source ~/.profile".to_string());
    vault.add_host(&host)?;

    // Add credentials
    let cred = Credential::new_username_password(
        "Admin Credentials".to_string(),
        "admin".to_string(),
        "super_secret".to_string(),
    );
    vault.add_credential(&cred)?;

    // Link credential to host
    vault.link_credential_to_host(host.id, cred.id, true)?;

    // Location of the encrypted vault file (illustrative path)
    let path = Path::new("vault.bin");

    // Save to encrypted file (manual implementation)
    let encrypted_bytes = vault.export_to_bytes()?;
    let mut file = File::create(&path)?;
    file.write_all(&encrypted_bytes)?;

    // Load from file (manual implementation); the same key must be supplied
    let mut file = File::open(&path)?;
    let mut encrypted_data = Vec::new();
    file.read_to_end(&mut encrypted_data)?;
    let loaded = Vault::load_from_bytes(&encrypted_data, key)?;

    Ok(())
}

§Security Features

  • Encrypted Storage: SQLite database encrypted at rest with AES-256-GCM
  • Key-Based API: You control key derivation (recommended: Argon2id with 600,000+ iterations)
  • Memory-Only SQLite: Database only exists in memory, never on disk
  • Binary Encryption: All exports use authenticated encryption (AES-256-GCM)
  • Memory Safety: Sensitive data automatically zeroized on drop
  • Checksum Verification: SHA-256 checksums prevent data corruption
  • No Plaintext Storage: Raw SQLite database never written to disk
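What "sensitive data automatically zeroized on drop" means in practice, as an added example that is not code from the hana_vault crate: the `SecureString` below is a hypothetical standard-library-only stand-in for the re-exported `models::SecureString`, whose implementation is not shown on this page. It overwrites its bytes with volatile writes before the buffer is freed, so the plaintext does not linger in freed heap memory, and it redacts itself in `Debug` output so it cannot leak through logging or panic messages.

```rust
use std::fmt;
use std::sync::atomic::{compiler_fence, Ordering};

/// Hypothetical stand-in for the crate's `SecureString`: owns secret bytes,
/// never prints them, and overwrites them before the memory is released.
pub struct SecureString {
    bytes: Vec<u8>,
}

impl SecureString {
    pub fn new(secret: &str) -> Self {
        SecureString { bytes: secret.as_bytes().to_vec() }
    }

    /// Deliberate, explicit access path for the secret.
    pub fn expose(&self) -> &str {
        // Bytes came from a &str and are only ever mutated by zeroize, which
        // leaves ASCII NUL bytes, so the buffer stays valid UTF-8.
        std::str::from_utf8(&self.bytes).unwrap_or("")
    }

    pub fn len(&self) -> usize {
        self.bytes.len()
    }

    /// Overwrite every byte with zero using volatile writes so the optimizer
    /// cannot discard the stores as dead (the buffer is about to be freed).
    pub fn zeroize(&mut self) {
        for b in self.bytes.iter_mut() {
            // SAFETY: `b` is a valid, aligned, exclusively borrowed u8.
            unsafe { std::ptr::write_volatile(b, 0) };
        }
        compiler_fence(Ordering::SeqCst);
    }

    pub fn is_zeroed(&self) -> bool {
        self.bytes.iter().all(|&b| b == 0)
    }
}

impl Drop for SecureString {
    fn drop(&mut self) {
        // Runs before the Vec's own destructor frees the allocation.
        self.zeroize();
    }
}

impl fmt::Debug for SecureString {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("SecureString([REDACTED])")
    }
}

/// Contrast a plain String with the wrapper: the plain one leaks the secret
/// through Debug formatting, the wrapper does not.
pub fn debug_repr(secret: &str) -> (String, String) {
    let plain = secret.to_string();
    let guarded = SecureString::new(secret);
    (format!("{:?}", plain), format!("{:?}", guarded))
}

/// After an explicit zeroize the buffer keeps its length but holds only zeros.
/// Drop does the same automatically; inspecting freed memory would be undefined
/// behaviour, so the check calls zeroize directly and returns (len, zeroed before, zeroed after).
pub fn zeroize_demo(secret: &str) -> (usize, bool, bool) {
    let mut s = SecureString::new(secret);
    let before = s.is_zeroed();
    s.zeroize();
    (s.len(), before, s.is_zeroed())
}

fn main() {
    let (plain, guarded) = debug_repr("super_secret");
    println!("String: {plain}\nSecureString: {guarded}");
    let (len, before, after) = zeroize_demo("super_secret");
    println!("len={len} zeroed_before={before} zeroed_after={after}");
}
```

The volatile write plus `compiler_fence` is the part that matters: a plain `for b in bytes { *b = 0 }` immediately before deallocation is exactly the kind of store an optimizer is entitled to remove. Production crates typically use the `zeroize` crate for this; the pattern is the same.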

Re-exports§

pub use crypto::SecretKey;
pub use error::Result;
pub use error::VaultError;
pub use models::Credential;
pub use models::CredentialType;
pub use models::Host;
pub use models::SecureString;
pub use vault::Vault;
pub use crypto::NONCE_SIZE;
pub use crypto::TAG_SIZE;
pub use crypto::KEY_SIZE;
pub use crypto::VAULT_FORMAT_VERSION;
pub use crypto::VAULT_MAGIC;
pub use schema::CURRENT_VERSION as SCHEMA_VERSION;

Modules§

binary
crypto
error
models
schema
vault

Constants§

VERSION
Library version