Module keychain 

Master-key derivation for at-rest encryption.

On launch the user enters a master passphrase. We combine it with a per-installation salt (kept in the data dir, unencrypted — its only job is to make rainbow-table attacks unreasonable) and feed both into Argon2id to derive a 32-byte master key. That key is used for:

1. PRAGMA key on the SQLCipher connection
2. HKDF input for the Megolm session-persistence key (replaces the hardcoded all-zero key from Phase 1)

Constants

KEYCHAIN_SALT_LEN

MASTER_KEY_LEN

Functions

derive_master_key

Derive a 32-byte master key from passphrase + salt via Argon2id. Parameters follow the strong RFC 9106 / OWASP profile (64 MiB memory, 3 iterations, 4 lanes) and must stay in sync with the room-passphrase KDF in crypto::passphrase::derive_key.

derive_subkey

Return a 32-byte subkey for purpose (e.g. “megolm-persist”) derived from the master key via HKDF-SHA256. The master key is the input key material and purpose is the HKDF info parameter — proper domain separation, no ad-hoc separator ambiguity.

keychain_salt_path

Returns the path holding the keychain salt. The salt is not secret; only the passphrase is.

load_or_create_salt

Load the keychain salt, generating + persisting it on first launch.