Module keystore

Passphrase-based key management for git-ref sync.

The no-account model derives the encryption key from a passphrase plus a salt. The canonical salt for a store lives in the ref tree at meta/salt (plaintext; a salt is not secret), so every machine that shares the passphrase derives the same key. This module consumes a salt provided by the caller (read from the ref by the gitref layer) and produces a fresh salt when a store is first initialized.

Each repo or store has its own passphrase plus salt and therefore its own derived key, so the storage is namespaced by a store identifier derived from the salt. This lets a single machine hold more than one store key at a time.

Structs

KeyStore
Persists the derived encryption key for a lore store, keyed by store-id.

Functions

derive_store_key
Derives the store encryption key from a passphrase and a salt.
generate_store_salt
Generates a fresh random salt for a newly initialized store.
store_id_from_salt
Derives a stable store identifier from a store’s salt.