Passphrase-based key management for git-ref sync.
The no-account model derives the encryption key from a passphrase plus a
salt. The canonical salt for a store lives in the ref tree at meta/salt
(plaintext; a salt is not secret), so every machine that shares the
passphrase derives the same key. This module consumes a salt provided by the
caller (read from the ref by the gitref layer) and
produces a fresh salt when a store is first initialized.
Each repo or store has its own passphrase plus salt and therefore its own derived key, so the storage is namespaced by a store identifier derived from the salt. This lets a single machine hold more than one store key at a time.
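The scheme described above, modelled in Python as an added example; it is not this crate's Rust code. The KDF (PBKDF2-HMAC-SHA256), the salt and key lengths, the store-id derivation (truncated SHA-256 of the salt) and the in-memory `KeyStore` methods are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SALT_LEN = 16            # assumption: salt length in bytes
KEY_LEN = 32             # assumption: derived key length in bytes
PBKDF2_ROUNDS = 600_000  # assumption: work factor of the stand-in KDF


def generate_store_salt() -> bytes:
    """Fresh random salt, created once when a store is first initialized."""
    return secrets.token_bytes(SALT_LEN)


def derive_store_key(passphrase: str, salt: bytes) -> bytes:
    """Deterministic: the same passphrase and salt give the same key on any machine."""
    if len(salt) != SALT_LEN:
        raise ValueError("unexpected salt length")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               PBKDF2_ROUNDS, dklen=KEY_LEN)


def store_id_from_salt(salt: bytes) -> str:
    """Stable, non-secret identifier used to namespace stored keys."""
    return hashlib.sha256(b"store-id:" + salt).hexdigest()[:16]


class KeyStore:
    """In-memory stand-in for persisted key storage, keyed by store id."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def put(self, salt: bytes, key: bytes) -> str:
        store_id = store_id_from_salt(salt)
        self._keys[store_id] = key
        return store_id

    def get(self, salt: bytes) -> Optional[bytes]:
        return self._keys.get(store_id_from_salt(salt))


def same_key(a: bytes, b: bytes) -> bool:
    """Constant-time comparison for key material."""
    return hmac.compare_digest(a, b)
```

Because the salt is public, the passphrase is the only secret input, so the work factor of the KDF is what slows offline guessing against a copied ref tree.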
Structs
- KeyStore - Persists the derived encryption key for a lore store, keyed by store-id.
Functions
- derive_store_key - Derives the store encryption key from a passphrase and a salt.
- generate_store_salt - Generates a fresh random salt for a newly initialized store.
- store_id_from_salt - Derives a stable store identifier from a store’s salt.