Passphrase-derived key wrapping for Megolm session keys.
Argon2id derives a 32-byte key from a user passphrase + per-room salt. ChaCha20-Poly1305 then wraps the Megolm session key for transmission. Anyone in possession of the passphrase + salt can unwrap and join the room.
huddle 0.7.11: derived keys are returned in a Zeroizing<[u8;32]> wrapper that overwrites the byte slice when the value is dropped. That doesn’t fix every secret-in-memory exposure (the bytes can still be copied), but it keeps the owner’s copy of the key from lingering in swap or a stale heap page after the key is no longer in use.
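The copy caveat above, as an added example that is not huddle's code: a std-only stand-in for the zeroize-on-drop wrapper, showing that the owner's bytes are wiped while a copy taken earlier still holds the key. The names `WipedKey`, `copy_survives_wipe` and `with_key` are hypothetical, and the key value is a constructed sample.

```rust
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// Hypothetical std-only stand-in for a zeroize-on-drop 32-byte key wrapper.
pub struct WipedKey([u8; 32]);

impl WipedKey {
    pub fn new(bytes: [u8; 32]) -> Self {
        WipedKey(bytes)
    }

    pub fn as_bytes(&self) -> &[u8; 32] {
        &self.0
    }

    /// Overwrite the key in place. Volatile writes plus a compiler fence keep
    /// the optimizer from discarding the stores as dead.
    pub fn wipe(&mut self) {
        for b in self.0.iter_mut() {
            unsafe { ptr::write_volatile(b, 0) };
        }
        compiler_fence(Ordering::SeqCst);
    }
}

impl Drop for WipedKey {
    fn drop(&mut self) {
        self.wipe();
    }
}

/// Returns (owner's bytes after the wipe, copy taken before the wipe).
pub fn copy_survives_wipe() -> ([u8; 32], [u8; 32]) {
    let mut key = WipedKey::new([0xA5; 32]); // constructed sample key
    let escaped: [u8; 32] = *key.as_bytes(); // [u8; 32] is Copy: silent duplicate
    key.wipe(); // the same routine Drop runs
    (*key.as_bytes(), escaped)
}

/// Safer pattern: lend the key to a closure; the wrapper is wiped on return.
pub fn with_key<R>(key: WipedKey, f: impl FnOnce(&[u8; 32]) -> R) -> R {
    f(key.as_bytes())
}

fn main() {
    let (owner, escaped) = copy_survives_wipe();
    println!("owner wiped: {}", owner.iter().all(|&b| b == 0));
    println!("copy still holds key: {}", escaped.iter().all(|&b| b == 0xA5));
}
```

Dereferencing the wrapper into a plain `[u8; 32]` is the copy to look for in review; passing `&[u8; 32]` to the cipher keeps a single wiped owner.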
Constants
Functions
- argon2id_params - huddle 2.1.3: the single source of truth for huddle’s Argon2id cost parameters — the strong RFC 9106 / OWASP profile (64 MiB memory, 3 iterations, 4 lanes). BOTH the room-passphrase KDF (derive_key_zeroizing) and the master-key KDF (storage::keychain::derive_master_key) build their Params here, so the two can never silently drift — a desync (e.g. a future memory-cost bump applied to only one) would brick at-rest decryption + room-key unwrap. out_len is the desired derived-key length in bytes.
- derive_key - Derive a 32-byte symmetric key from a passphrase and salt using Argon2id. Parameters follow the strong RFC 9106 / OWASP profile (64 MiB memory, 3 iterations, 4 lanes) and must stay in sync with the master-key KDF in storage::keychain::derive_master_key.
- derive_key_zeroizing - huddle 0.7.11: same as derive_key but returns the key in a zeroize-on-drop wrapper. Callers that want defense-in-depth against heap-residency leaks should prefer this over derive_key.
- random_salt - Generate a random salt for a new encrypted room.
- unwrap - Unwrap base64-encoded (nonce || ciphertext) under the passphrase key.
- wrap - Wrap arbitrary plaintext (typically a Megolm SessionKey) under the passphrase key. Returns nonce || ciphertext, base64-encoded for transmission.