Passphrase-derived key wrapping for Megolm session keys.
Argon2id derives a 32-byte key from a user passphrase + per-room salt. ChaCha20-Poly1305 then wraps the Megolm session key for transmission. Anyone in possession of the passphrase + salt can unwrap and join the room.
huddle 0.7.11: derived keys are returned in a Zeroizing<[u8; 32]> wrapper that overwrites the key bytes when the value is dropped. That doesn't fix every secret-in-memory exposure (the bytes can still be copied), but it keeps the owning value's bytes from lingering in swap or a stale heap page after the key is no longer in use.
Constants§
Functions§
- derive_key - Derive a 32-byte symmetric key from a passphrase and salt using Argon2id. Parameters follow the strong RFC 9106 / OWASP profile (64 MiB memory, 3 iterations, 4 lanes) and must stay in sync with the master-key KDF in storage::keychain::derive_master_key.
- derive_key_zeroizing - huddle 0.7.11: same as derive_key but returns the key in a zeroize-on-drop wrapper. Callers that want defense-in-depth against heap-residency leaks should prefer this over derive_key.
- random_salt - Generate a random salt for a new encrypted room.
- unwrap - Unwrap base64-encoded (nonce || ciphertext) under the passphrase key.
- wrap - Wrap arbitrary plaintext (typically a Megolm SessionKey) under the passphrase key. Returns nonce || ciphertext, base64-encoded for transmission.