Struct WalEncryptionKey 

pub struct WalEncryptionKey { /* private fields */ }

AES-256-GCM key with a random per-lifetime epoch for nonce disambiguation.

The epoch is generated randomly at construction time. Each WAL lifetime (process start, snapshot restore, segment creation) gets a fresh epoch, ensuring that nonces are never reused even if LSNs restart from 1.

Implementations

impl WalEncryptionKey

pub fn from_bytes(key: &[u8; 32]) -> Self

Create from a 32-byte key with a fresh random epoch.

pub fn from_file(path: &Path) -> Result<Self>

Load key from a file (must contain exactly 32 bytes).

pub fn encrypt( &self, lsn: u64, header_bytes: &[u8; 30], plaintext: &[u8], ) -> Result<Vec<u8>>

Encrypt a payload. Returns ciphertext + auth_tag (16 bytes appended).

• lsn: used to derive a deterministic nonce
• header_bytes: used as AAD (additional authenticated data)
• plaintext: the payload to encrypt

pub fn epoch(&self) -> &[u8; 4]

The random epoch for this key instance.

pub fn decrypt( &self, epoch: &[u8; 4], lsn: u64, header_bytes: &[u8; 30], ciphertext: &[u8], ) -> Result<Vec<u8>>

Decrypt a payload. Input is ciphertext + auth_tag (16 bytes at end).

• epoch: the epoch that was used during encryption (from the segment header)
• lsn: must match the LSN used during encryption
• header_bytes: must match the header used during encryption (AAD)
• ciphertext: the encrypted payload (includes 16-byte auth tag)

Trait Implementations

impl Clone for WalEncryptionKey

fn clone(&self) -> WalEncryptionKey

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.