Engram credential management with encrypted storage and YubiKey support.
This crate provides:
- Structured secret types (Login, ApiKey, OAuthApp, SshKey, Note, Environment)
- AES-256-GCM encryption for secrets at rest
- YubiKey HMAC-SHA1 challenge-response for key derivation
- Agent keys with permission scoping and revocation
- Audit logging for all secret access
- Recovery key system for lost YubiKey scenarios
Re-exports
- pub use agent_keys::AgentKey;
- pub use agent_keys::AgentKeyPermissions;
- pub use crypto::decrypt;
- pub use crypto::decrypt_recovery;
- pub use crypto::decrypt_secret;
- pub use crypto::derive_key;
- pub use crypto::derive_key_from_passphrase;
- pub use crypto::derive_key_legacy; (Deprecated)
- pub use crypto::encrypt;
- pub use crypto::encrypt_recovery;
- pub use crypto::encrypt_secret;
- pub use crypto::generate_hmac_secret;
- pub use storage::delete_secret;
- pub use storage::get_secret;
- pub use storage::list_secrets;
- pub use storage::store_secret;
- pub use storage::update_secret;
- pub use storage::SecretRow;
- pub use types::SecretData;
- pub use types::SecretType;
Modules
- agent_keys - Agent key management with permission scoping and revocation.
- agent_keys_file - File-backed agent-key store for the bootstrap-bearer endpoint.
- audit
- Audit logging for credential access.
- crypto
- AES-256-GCM encryption for secrets.
- encryption
- At-rest database encryption key resolution.
- net
- Network-safety helpers shared across the cred binaries.
- piv
- YubiKey PIV applet operations for ECDH bootstrap auth.
- recovery
- Recovery key system for lost YubiKey scenarios.
- storage
- Database storage layer for encrypted secrets.
- types
- Secret data types for structured credential storage.
- yubikey
- YubiKey HMAC-SHA1 challenge-response on OTP slot 2.