Module crypto

Modules§

aes_gcm: AES-256-GCM wrapper used by storage.
const_time: Constant-time byte-slice comparison.
hmac: HMAC helpers used by RedDB storage encryption.
os_random: OS-backed CSPRNG helpers.
page_encryption: Encryption-at-rest framing for RedDB pages (PLAN.md Phase 6.3).
sha256
uuid

PageEncryptionError: Errors returned by the page-encryption surface. Caller (the pager) maps these to its own typed error.

FRAME_MAGIC: 4-byte magic identifying an encrypted page envelope.
FRAME_OVERHEAD: Fixed envelope overhead: magic (4) + version (1) + nonce (12) + GCM tag (16). Plaintext expands by exactly this many bytes.
FRAME_VERSION: Current envelope schema version.

aes256_gcm_decrypt: Decrypt data encrypted by aes256_gcm_encrypt.
aes256_gcm_encrypt: Encrypt plaintext with AES-256-GCM.
constant_time_eq
decrypt_page: Decrypt an envelope produced by encrypt_page. page_id MUST match the value passed at encrypt time — a mismatch surfaces as KeyMismatch (GCM tag check failure) which is the correct signal: an attacker swapping pages is functionally indistinguishable from a wrong key.
encrypt_page: Encrypt plaintext for storage. page_id is bound as AAD so swapping two pages on disk fails the tag check on decrypt.
hmac_sha256
is_encrypted_frame: Cheap sniff: does this byte slice look like an encrypted page? Used by the pager (post-wiring) to decide whether to call decrypt_page or treat the bytes as plaintext on a mixed pre/post-encryption database.
key_from_env: Read the runtime encryption key from RED_ENCRYPTION_KEY / RED_ENCRYPTION_KEY_FILE. Returns None when the operator hasn’t enabled at-rest encryption. Errors are surfaced as Err so a misconfigured key (typo, wrong length) fails boot loudly instead of silently leaving plaintext on disk.
parse_encryption_key: Parse a 32-byte AES key from a string — accepts hex (64 chars) or unpadded base64 (43 or 44 chars). Tolerates leading/trailing whitespace including newlines from kubectl create secret.
sha256: Compute SHA-256 hash of data (one-shot)