Module iota_client::stronghold

source ·
Available on crate feature stronghold only.
Expand description

Stronghold integration for iota.rs.

Stronghold can be used as a multi-purpose secret service providing:

  • Smart-card-like secret vault
  • Generic key-value, encrypted database

StrongholdAdapter respectively implements StorageProvider and SecretManage for the above purposes using Stronghold. Type aliases StrongholdStorageProvider and StrongholdSecretManager are also provided if one wants to have a more consistent naming when using any of the feature sets.

Use builder() to construct a StrongholdAdapter with customized parameters; see documentation of methods of StrongholdAdapterBuilder for details. All fields are optional, but:

  • Without a password, all cryptographic operations (including database operations, as they encrypt / decrypt data) would fail.
  • Without a password clearing timeout, the derived key would be stored in the memory for as long as possible, and could be used as an attack vector.
  • Without a snapshot path configured, all operations would be transient (i.e. all data would be lost when StrongholdAdapter is dropped, or the cached key has been cleared).

They can also be set later on StrongholdAdapter using set_password(), set_timeout(), etc.

With set_timeout(), an automatic task can be spawned in the background to purge the key from memory using zeroize after the timeout duration. It’s used to reduce the attack vector. When the key is cleared from the memory, Stronghold will be unloaded from the memory too. If no snapshot_path has been set at this point, then secrets stored in Stronghold will be dropped and lost.

Nevertheless, Stronghold is memory-based, so it’s not required to use a snapshot file on the disk. Without a snapshot path set, StrongholdAdapter will run purely in memory. If a snapshot path is set, then StrongholdAdapter would lazily load the file on the first call that performs some actions on Stronghold. Subsequent actions are still performed in memory. If the snapshot file doesn’t exist, these function calls will all fail. To proactively load or store the Stronghold state from or to a Stronghold snapshot on disk, use read_stronghold_snapshot() or write_stronghold_snapshot(). The latter can be used to create a snapshot file after creating a StrongholdAdapter with a non-existent snapshot path.

Structs

Enums