Struct KeyRing 

pub struct KeyRing { /* private fields */ }

Key ring supporting dual-key reads for seamless key rotation.

During rotation: new writes use the current key, reads try current then fall back to previous. Once all old data is re-encrypted, the previous key is removed.

Implementations

impl KeyRing

pub fn new(current: WalEncryptionKey) -> Self

Create a key ring with only the current key.

pub fn with_previous( current: WalEncryptionKey, previous: WalEncryptionKey, ) -> Self

Create a key ring with current + previous key (for rotation).

pub fn encrypt( &self, lsn: u64, header_bytes: &[u8; 54], plaintext: &[u8], ) -> Result<Vec<u8>>

Encrypt using the current key.

pub fn encrypt_aad( &self, lsn: u64, aad: &[u8], plaintext: &[u8], ) -> Result<Vec<u8>>

Encrypt with a caller-provided AAD slice.

pub fn decrypt( &self, epoch: &[u8; 4], lsn: u64, header_bytes: &[u8; 54], ciphertext: &[u8], ) -> Result<Vec<u8>>

Decrypt: try current key first, then previous (if set).

epoch is the encryption epoch stored in the WAL segment preamble. This enables seamless key rotation — old data encrypted with the previous key can still be read while new data uses the current key.

pub fn decrypt_aad( &self, epoch: &[u8; 4], lsn: u64, aad: &[u8], ciphertext: &[u8], ) -> Result<Vec<u8>>

Decrypt with a caller-provided AAD slice.

pub fn current(&self) -> &WalEncryptionKey

Get the current key (for encryption operations).

pub fn has_previous(&self) -> bool

Whether a previous key is present (rotation in progress).

pub fn clear_previous(&mut self)

Remove the previous key (rotation complete).

Trait Implementations

impl Clone for KeyRing

fn clone(&self) -> KeyRing

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.