Struct EncryptedFilesystemStorage 

pub struct EncryptedFilesystemStorage { /* private fields */ }

Encrypted filesystem storage for secure credential storage

This implementation encrypts data at rest using the age encryption library. It provides a secure alternative to keyring when:

• Keyring is unavailable (headless environments, CI/CD)
• Platform keyring integration is not possible
• Remote/containerized environments

Encryption Key Management

The encryption key is obtained in the following priority order:

1. Environment Variable: RUNBEAM_ENCRYPTION_KEY (base64-encoded)
2. Generated Key: Automatically generated and stored at ~/.runbeam/encryption.key

Generated keys are created with restrictive file permissions (0600 on Unix) to prevent unauthorized access.

Security Considerations

• DO NOT commit encryption keys to version control
• In production, use RUNBEAM_ENCRYPTION_KEY environment variable
• Protect the ~/.runbeam/encryption.key file with appropriate file system permissions
• Consider key rotation policies for long-lived deployments
• In containerized environments, use secrets management (e.g., Docker secrets, k8s secrets)

Implementations

impl EncryptedFilesystemStorage

pub async fn new_with_instance(instance_id: &str) -> Result<Self, StorageError>

Create a new encrypted filesystem storage with an instance-specific key

Uses ~/.runbeam/<instance_id> as the base path for storage and keys. This allows multiple instances to have isolated storage.

Arguments

• instance_id - Unique identifier for this instance (e.g., “harmony”, “runbeam-cli”, “test-123”)

Returns

Returns a configured EncryptedFilesystemStorage or an error if:

• The base path cannot be created
• Encryption key cannot be loaded or generated
• Key file permissions cannot be set properly

pub async fn new_with_instance_and_key( instance_id: &str, encryption_key: &str, ) -> Result<Self, StorageError>

Create a new encrypted filesystem storage with an explicit encryption key

Uses ~/.runbeam/<instance_id> as the base path for storage. The provided encryption key will be used instead of environment variables or auto-generation.

Arguments

• instance_id - Unique identifier for this instance (e.g., “harmony”, “runbeam-cli”, “test-123”)
• encryption_key - Base64-encoded age X25519 encryption key

Returns

Returns a configured EncryptedFilesystemStorage or an error if:

• The base path cannot be created
• The encryption key is invalid

pub async fn new(base_path: impl AsRef<Path>) -> Result<Self, StorageError>

Create a new encrypted filesystem storage

Arguments

• base_path - Base directory for encrypted file storage

Returns

Returns a configured EncryptedFilesystemStorage or an error if:

• The base path cannot be created
• Encryption key cannot be loaded or generated
• Key file permissions cannot be set properly

Trait Implementations

impl StorageBackend for EncryptedFilesystemStorage

fn write_file_str( &self, path: &str, data: &[u8], ) -> Pin<Box<dyn Future<Output = Result<(), StorageError>> + Send + '_>>

Write data to storage at the specified path

fn read_file_str( &self, path: &str, ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, StorageError>> + Send + '_>>

Read data from storage at the specified path

fn exists_str(&self, path: &str) -> bool

Check if a file exists at the specified path

fn remove_str( &self, path: &str, ) -> Pin<Box<dyn Future<Output = Result<(), StorageError>> + Send + '_>>

Remove a file at the specified path