Skip to main content

Crate reddb_crypto

Crate reddb_crypto 

Source
Expand description

§reddb-io-crypto

RedDB’s cryptographic authority crate. It owns the canonical per-page encryption-at-rest envelope (AES-256-GCM), the mandatory encrypt parameters, and key parsing — paralleling the reddb-io-file (on-disk artifacts) and reddb-io-wire (protocol contracts) authority crates under ADR 0046 / 0054.

§Scope and boundary

  • This crate owns the per-page envelope byte-format (encrypt_page / decrypt_page), the fixed crypto parameters (params), and key parsing (key::parse_key).
  • reddb-io-file owns the page-0 paged-encryption header (PAGED_ENCRYPTION_MARKER = b"RDBE" / PagedEncryptionHeader): the file-level marker, salt, and key-check slot. That is the self-describing “is this database encrypted, under what salt” authority and is intentionally out of this crate’s scope.
  • reddb-server orchestrates: it binds a key, decides policy (RED_ENCRYPTION_KEY[_FILE]), and routes pager reads/writes through this envelope. It introduces no second envelope format.

§History (#1053)

Two dormant, byte-incompatible envelopes existed for the same not-yet-shipped feature. This crate consolidates them: the leaner magic-less frame survives as canonical (it was already embedded in the page-0 key_check and wired into the dormant pager); the self-describing RDEP frame is retired, with its typed errors, OS-CSPRNG nonce source, and key parser carried forward here. See ADR 0054 for the full rationale.

Re-exports§

pub use key::parse_key;
pub use page_envelope::decrypt_page;
pub use page_envelope::encrypt_page;
pub use page_envelope::PageEnvelopeError;
pub use params::AEAD_ALGORITHM;
pub use params::KEY_SIZE;
pub use params::NONCE_SIZE;
pub use params::PAGE_ENVELOPE_OVERHEAD;
pub use params::TAG_SIZE;

Modules§

aes_gcm
AES-256-GCM wrapper used by the page-encryption envelope.
key
Encryption-key parsing — a mandatory encrypt parameter homed here per #1053 / ADR 0054 (carried forward from the retired RDEP envelope).
os_random
OS-backed CSPRNG helper used to draw per-page nonces.
page_envelope
Canonical per-page encryption-at-rest envelope (#1053, ADR 0054).
params
Mandatory encrypt parameters for the canonical page envelope.