§key-vault
ENTERPRISE-GRADE KEY MANAGEMENT VAULT
9-layer defense-in-depth in-memory key storage. Fragmented across non-contiguous mlock’d allocations, interleaved with self-referential decoy bytes, optionally transformed through a codex layer, with constant-time operations, zero-on-drop, security monitoring, and audit logging.
§The 9 Layers (plus bonus Layer 10)
- Secure Acquisition (KeyFetch trait — TPM/HSM/Keychain/File/Env)
- Memory Page Locking (mlock/VirtualLock — prevents swap)
- Fragment Strategy (FragmentStrategy — variable chunks, shuffled, non-contiguous)
- Decoy Bytes (DecoyStrategy — self-referential filler, statistically indistinguishable)
- Codex Transformation (Codex — byte swap via involution)
- Constant-Time Operations (subtle::ConstantTimeEq)
- Zero-On-Drop (zeroize crate)
- Security Monitor (SecurityMonitor — failed decrypt detection, threshold lockout)
- Audit Logging (every key access tracked)
- (Bonus) Page Protection Toggling (PROT_NONE when not in use)
See docs/SECURITY.md for the full architecture and docs/TRANSFORMATION.md
for a visual walkthrough.
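The layer list above names the mechanisms without showing how they fit together. The following is an added example, not code from the key-vault crate (whose real fragmentation, codex and zeroize layers are still to land per the Status section below): a self-contained Rust sketch, standard library only, of four of the layers. It uses a nibble swap as a stand-in for the crate's involution Codex, splits the transformed key into separate heap allocations with self-referential decoy bytes interleaved, compares in constant time in place of subtle::ConstantTimeEq, and zeroes every buffer with volatile writes in place of zeroize. All names (swap_nibbles, codex, ct_eq, Fragments, store, verify) and the decoy derivation rule are hypothetical; mlock, page-protection toggling, monitoring and audit logging are not shown.

```rust
use std::ptr::write_volatile;
use std::sync::atomic::{compiler_fence, Ordering};

/// Nibble swap: an involution, so applying it twice restores the byte.
/// Hypothetical stand-in for the crate's Codex ("byte swap via involution").
fn swap_nibbles(b: u8) -> u8 {
    (b << 4) | (b >> 4)
}

/// Codex layer: because the mapping is an involution, `codex(&codex(x)) == x`,
/// so the same function both hides and recovers the bytes.
fn codex(data: &[u8]) -> Vec<u8> {
    data.iter().map(|&b| swap_nibbles(b)).collect()
}

/// Constant-time equality: no data-dependent early exit once lengths match;
/// differences are OR-accumulated and only inspected at the end.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    diff == 0
}

/// Overwrite a buffer with zeros using volatile writes the optimizer cannot elide.
fn zero_volatile(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        unsafe { write_volatile(b, 0) }; // `b` is a valid, exclusively borrowed u8
    }
    compiler_fence(Ordering::SeqCst);
}

/// Key bytes spread over separate heap allocations, interleaved with decoys.
struct Fragments {
    chunks: Vec<Vec<u8>>,           // each Vec is its own allocation: non-contiguous
    positions: Vec<(usize, usize)>, // key byte i lives at chunks[c][o]
}

impl Fragments {
    /// Follow every real byte with one decoy byte, then cut the stream into
    /// `chunk_len`-sized allocations. The decoy is "self-referential": derived
    /// from the real byte it follows, so filler and key share a byte distribution
    /// (a hypothetical rule, not the crate's DecoyStrategy).
    fn new(key: &[u8], chunk_len: usize) -> Self {
        assert!(chunk_len > 0, "chunk_len must be positive");
        let mut stream = Vec::with_capacity(key.len() * 2);
        let mut positions = Vec::with_capacity(key.len());
        for (i, &b) in key.iter().enumerate() {
            let idx = stream.len();
            positions.push((idx / chunk_len, idx % chunk_len));
            stream.push(b);
            stream.push(b.rotate_left((i % 7) as u32 + 1)); // decoy derived from b
        }
        let chunks: Vec<Vec<u8>> = stream.chunks(chunk_len).map(<[u8]>::to_vec).collect();
        zero_volatile(&mut stream); // the contiguous temporary must not linger
        Self { chunks, positions }
    }

    /// Gather the real bytes back out of the chunks, skipping decoys.
    fn reassemble(&self) -> Vec<u8> {
        self.positions.iter().map(|&(c, o)| self.chunks[c][o]).collect()
    }
}

/// Zero-on-drop: every fragment is wiped before its allocation is freed.
impl Drop for Fragments {
    fn drop(&mut self) {
        for chunk in self.chunks.iter_mut() {
            zero_volatile(chunk);
        }
    }
}

/// Store a key: codex-transform it, then fragment it with decoys.
fn store(key: &[u8]) -> Fragments {
    let mut transformed = codex(key);
    let frags = Fragments::new(&transformed, 5);
    zero_volatile(&mut transformed);
    frags
}

/// Check a candidate against the stored key without a timing leak on which byte
/// differs; each intermediate copy is zeroed before it goes out of scope.
fn verify(frags: &Fragments, candidate: &[u8]) -> bool {
    let mut hidden = frags.reassemble();
    let mut recovered = codex(&hidden); // the involution undoes the transform
    let ok = ct_eq(&recovered, candidate);
    zero_volatile(&mut recovered);
    zero_volatile(&mut hidden);
    ok
}

fn main() {
    let key = [0x12u8, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0]; // constructed sample key
    let frags = store(&key);
    println!("{} fragments, key verifies: {}", frags.chunks.len(), verify(&frags, &key));
}
```

The weak points in this sketch are the contiguous temporaries: the interleaved stream inside `Fragments::new` and the reassembled copy inside `verify` both exist briefly in ordinary heap memory, which is exactly what the page-locking layer (mlock/VirtualLock) and page-protection toggling are there to cover in a full vault. The `chunks` never hold the plaintext key, only its codex-transformed bytes mixed with decoys, so a raw memory dump has to recover the layout and the transform before it sees anything useful.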
§Status
Phase 0.2.0 — foundation types defined. KeyHandle, KeyVault,
KeyVaultBuilder, the five core traits, IdentityCodex, and
tee::detect_tee_capabilities are in place. Real fragmentation, mlock,
decoy, and zeroize land in Phases 0.3 and 0.4. See .dev/ROADMAP.md for
the full milestone plan.
§License
Dual-licensed under Apache-2.0 OR MIT.
Re-exports§
- pub use crate::audit::LogAudit; (crate feature monitor-tracing)
- pub use crate::audit::AccessKind;
- pub use crate::audit::AuditEvent;
- pub use crate::audit::AuditSink;
- pub use crate::audit::NoAudit;
- pub use crate::codex::Codex;
- pub use crate::codex::DynamicCodex;
- pub use crate::codex::IdentityCodex;
- pub use crate::codex::StaticCodex;
- pub use crate::decoy::DecoyStrategy;
- pub use crate::decoy::KeyDerivedDecoy;
- pub use crate::decoy::RandomDecoy;
- pub use crate::decoy::SelfReferenceDecoy;
- pub use crate::fetcher::EnvFetch; (crate feature fetcher-env)
- pub use crate::fetcher::FileFetch; (crate feature fetcher-file)
- pub use crate::fetcher::KeychainFetch; (crate feature fetcher-keychain)
- pub use crate::fetcher::TpmFetch; (crate feature fetcher-tpm)
- pub use crate::fetcher::FetchContext;
- pub use crate::fetcher::KeyFetch;
- pub use crate::fetcher::RawKey;
- pub use crate::fragment::FragmentStrategy;
- pub use crate::fragment::Fragments;
- pub use crate::fragment::InterleavedFragmenter;
- pub use crate::fragment::LayeredFragmenter;
- pub use crate::fragment::RandomFragmenter;
- pub use crate::fragment::StandardFragmenter;
- pub use crate::monitor::LogMonitor; (crate feature monitor-tracing)
- pub use crate::monitor::AccessContext;
- pub use crate::monitor::CompositeMonitor;
- pub use crate::monitor::FailureContext;
- pub use crate::monitor::NoMonitor;
- pub use crate::monitor::SecurityMonitor;
- pub use crate::monitor::ThresholdContext;
Modules§
- audit: Layer 9 — Audit logging.
- codex: Layer 5 — Codex transformation.
- decoy: Layer 4 — Decoy bytes.
- fetcher: Layer 1 — Secure Acquisition.
- fragment: Layer 3 — Fragmentation.
- monitor: Layer 8 — Security monitor.
- tee: Trusted Execution Environment detection.
Structs§
- KeyHandle: Opaque, redacted reference to a key stored inside a KeyVault.
- KeyId: Process-wide handle identifier.
- KeyMetadata: Public, non-secret information about a registered key.
- KeyVault: In-memory key vault.
- KeyVaultBuilder: Fluent builder for KeyVault.
- VaultConfig: Vault configuration.
Enums§
- AlgorithmHint: Hint about which cryptographic algorithm a stored key is intended for.
- Error: A redaction-safe error type covering every failure mode the vault can surface.
Constants§
- VERSION: Crate version string, populated by Cargo at build time.
Type Aliases§
- Result: Convenient shorthand for results returned by the vault and its trait implementations.