Layer 5 — Codex transformation.
A Codex applies a byte-wise transformation to every byte (real key
material and decoy) before it is stored in fragments. The transformation
is an involution: applying it twice returns the original byte. Encoding and
decoding therefore call the same operation.
§When to use
The codex layer is off by default (IdentityCodex). It is feature-gated
behind the codex Cargo feature and adds approximately 5–10 ns per byte to
the access path. Enabling it raises the work required for an attacker who
has already defeated layers 2–4 (mlock, fragmentation, decoy): the bytes
they recover are not the bytes the application uses.
§Involution requirement
All implementations must satisfy decode(encode(x)) == x for every byte.
This is verified by tests for the built-in codices and, beginning in Phase
0.6, by proptest sweeps over the full byte range.
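
The involution requirement checked exhaustively over all 256 byte values, as an added example that is not code from this crate. The names `build_involution_table`, `first_involution_violation` and `apply` are hypothetical, and the pairwise-swap table construction and the toy xorshift generator are assumptions made for illustration.

```rust
/// Build a 256-byte involution table: shuffle the byte values, then swap
/// them in pairs. `seed` drives a toy xorshift generator (not a CSPRNG).
fn build_involution_table(mut seed: u64) -> [u8; 256] {
    let mut order: [u8; 256] = std::array::from_fn(|i| i as u8);
    // Fisher-Yates shuffle of the 256 byte values.
    for i in (1..256usize).rev() {
        seed ^= seed << 13;
        seed ^= seed >> 7;
        seed ^= seed << 17;
        let j = (seed % (i as u64 + 1)) as usize;
        order.swap(i, j);
    }
    // Pair adjacent entries (a, b) and map a -> b and b -> a.
    // Every byte lands in exactly one pair, so table[table[x]] == x.
    let mut table = [0u8; 256];
    for pair in order.chunks_exact(2) {
        table[pair[0] as usize] = pair[1];
        table[pair[1] as usize] = pair[0];
    }
    table
}

/// Return the first byte for which applying `f` twice does not restore it,
/// or `None` when `f` is an involution over the full byte range.
fn first_involution_violation(f: impl Fn(u8) -> u8) -> Option<u8> {
    (0..=u8::MAX).find(|&x| f(f(x)) != x)
}

/// Apply the table in place. The same call encodes and decodes.
fn apply(table: &[u8; 256], data: &mut [u8]) {
    for b in data.iter_mut() {
        *b = table[*b as usize];
    }
}

fn main() {
    let table = build_involution_table(0x9E37_79B9_7F4A_7C15);
    assert_eq!(first_involution_violation(|x| table[x as usize]), None);
    // A bijection that is not an involution is rejected by the same check.
    assert_eq!(first_involution_violation(|x| x.wrapping_add(1)), Some(0));

    let mut buf = *b"constructed sample bytes"; // constructed input
    let original = buf;
    apply(&table, &mut buf); // encode
    assert_ne!(buf, original);
    apply(&table, &mut buf); // decode: same operation
    assert_eq!(buf, original);
}
```
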
Structs§
- DynamicCodex - Per-vault randomized involution codex.
- FnCodex - Wrap a user-provided closure as a Codex.
- IdentityCodex - Codex that leaves every byte unchanged.
- StaticCodex - Involution-based byte-swap codex backed by a 256-byte lookup table.
Traits§
- Codex - Byte-wise transformation applied to all stored bytes.