Struct FileStore 

pub struct FileStore { /* private fields */ }

File-based key store with optional encryption

Provides persistent storage of cryptographic keys with optional encryption at rest The key are cached in memory for performance and automatically loaded from disk

Implementations

impl FileStore

pub fn new<P: AsRef<Path>>(path: P, config: StorageConfig) -> Result<Self>

Create a new FileStore at the given path

pub fn rekey(&mut self, new_password: &[u8]) -> Result<()>

pub fn set_master_key(&mut self, key: SecretKey) -> Result<()>

Set master key for encryption

pub fn init_with_password(&mut self, password: &[u8]) -> Result<()>

Initialize with password-derived master key (now using per-vault salt)

pub fn derive_master_key( password: &[u8], salt: &[u8], argon2_config: &Argon2Config, ) -> Result<SecretKey>

Derive a master key from a password using Argon2id

pub fn enable_audit_log<P: AsRef<Path>>(&mut self, log_path: P) -> Result<()>

Enable audit logging to a file

pub fn set_audit_logger(&mut self, logger: Box<dyn AuditLogger>)

Set a custom audit logger

pub fn export_key(&mut self, id: &KeyId, password: &[u8]) -> Result<ExportedKey>

Export a key to a secure, portable format

The key is encrypted with a password-derived key using Argon2id. The exported key includes all metadata and can be imported into another vault.

pub fn import_key( &mut self, exported: &ExportedKey, password: &[u8], ) -> Result<KeyId>

Import a key from an exported format

Validates the key, decrypts it with the provided password, and stores it in the vault. The key will maintain its original metadata (algorithm, version, etc.).

pub fn backup( &mut self, password: &[u8], config: BackupConfig, ) -> Result<VaultBackup>

Create a full backup of the vault

Arguments

• password - Password to encrypt the backup
• config - Backup configuration

Returns

The encrypted backup that can be saved to a file

Security

The backup is encrypted using Argon2id key derivation and XChaCha20Poly1305 AEAD. All key material is protected with high-security parameters.

pub fn restore( &mut self, backup: &VaultBackup, password: &[u8], ) -> Result<usize>

Restore a vault from a backup

Arguments

• backup - The encrypted backup to restore
• password - Password used to encrypt the backup

Errors

Returns an error if:

• Password is incorrect
• Backup is corrupted
• Keys cannot be imported

Trait Implementations

impl Debug for FileStore

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl KeyLifeCycle for FileStore

fn deprecate_key(&mut self, id: &KeyId) -> Result<()>

Mark a particular key as deprecated (key should be able to decrypt but not encrypt)

fn revoke_key(&mut self, id: &KeyId) -> Result<()>

Revoke a key (key should not be used for any operations)

fn cleanup_old_versions( &mut self, id: &KeyId, keep_versions: usize, ) -> Result<Vec<KeyId>>

Clean up old versions based on policy

impl KeyStore for FileStore

fn store(&mut self, key: VersionedKey) -> Result<()>

Store a versioned key

fn retrieve(&self, id: &KeyId) -> Result<VersionedKey>

Retrieve a key by ID

fn delete(&mut self, id: &KeyId) -> Result<()>

Delete a key

fn list(&self) -> Result<Vec<KeyId>>

List all kety IDs

fn update_metadata(&mut self, id: &KeyId, metadata: KeyMetadata) -> Result<()>

Update key metadata

fn find_by_state(&self, state: KeyState) -> Result<Vec<KeyId>>

Find keys by state

fn rotate_key(&mut self, id: &KeyId) -> Result<VersionedKey>

Rotate a key to a new version

fn get_key_versions(&self, id: &KeyId) -> Result<Vec<VersionedKey>>

Get all verions of a key (sorted by version number)

fn get_latest_key(&self, id: &KeyId) -> Result<VersionedKey>

Get the latest active version of a key

impl PersistentStorage for FileStore

fn flush(&mut self) -> Result<()>

Flush any pending writes to persistent storage

fn load(&mut self) -> Result<()>

Load keys from persistent storage

fn location(&self) -> &str

Get the storage location/path