Skip to main content

Vault

Struct Vault

pub struct Vault { /* private fields */ }

Expand description

An encrypted in-memory vault for storing named secrets.

Secrets are encrypted with XChaCha20-Poly1305, keys are derived from a password via Argon2i, and all key material is zeroized on drop.

§Examples

use memseal::Vault;

let mut vault = Vault::create(b"password1234").unwrap();
vault.store("db_url", b"postgres://localhost/mydb").unwrap();

vault.save(&path).unwrap();

let loaded = Vault::load(&path, b"password1234").unwrap();
assert_eq!(
    loaded.retrieve("db_url").unwrap(),
    Some(b"postgres://localhost/mydb".to_vec())
);

Implementations§

impl Vault

pub fn create(password: &[u8]) -> Result<Self, VaultError>

Creates a new empty vault protected by the given password.

Password must be at least 8 bytes.

pub fn open(password: &[u8], data: &[u8]) -> Result<Self, VaultError>

Opens an existing vault from exported bytes.

Returns VaultError::InvalidPassword if the password is wrong.

pub fn load(path: &Path, password: &[u8]) -> Result<Self, VaultError>

Loads a vault from a file on disk.

Reads at most 256 MiB to prevent resource exhaustion.

pub fn store(&mut self, name: &str, plaintext: &[u8]) -> Result<(), VaultError>

Stores a named secret in the vault, encrypting it immediately.

Name must be at most 255 bytes. Data must be at most 64 MiB. If a secret with the same name already exists, it is overwritten.

pub fn retrieve(&self, name: &str) -> Result<Option<Vec<u8>>, VaultError>

Retrieves a secret by name, decrypting it.

Returns Ok(None) if no secret with that name exists.

pub fn remove(&mut self, name: &str) -> Result<bool, VaultError>

Removes a secret by name. Returns true if it existed.

pub fn export(&mut self) -> Result<Vec<u8>, VaultError>

Serializes the vault to bytes for persistence.

Each call rotates the index nonce to prevent nonce reuse.

pub fn save(&mut self, path: &Path) -> Result<(), VaultError>

Saves the vault to a file on disk.

Uses atomic write (temp file + rename) with 0600 permissions on Unix.

pub fn change_password( &mut self, current_password: &[u8], new_password: &[u8], ) -> Result<(), VaultError>

Changes the vault’s password.

Re-derives all keys from the new password and re-encrypts every entry one at a time (at most one plaintext in memory at any given time).

Auto Trait Implementations§

impl !Freeze for Vault

impl RefUnwindSafe for Vault

impl Send for Vault

impl Sync for Vault

impl Unpin for Vault

impl UnsafeUnpin for Vault

impl UnwindSafe for Vault

Blanket Implementations§

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.