Encrypted secrets management.
This module provides in-memory-only decryption of user-supplied
secrets files. Secrets are never written to disk in plaintext form;
they are loaded from an AES-256-GCM encrypted .enc file, decrypted
into memory, parsed, and converted directly into ScanPatterns
for the streaming scanner.
§Encryption Format
┌─────────────┬──────────────┬────────────────────────┐
│ Salt (32 B) │ Nonce (12 B) │ AES-256-GCM Ciphertext │
└─────────────┴──────────────┴────────────────────────┘
- Salt (32 bytes): random, used for the PBKDF2-derived key.
- Nonce (12 bytes): random, for AES-256-GCM.
- Ciphertext: authenticated encryption of the plaintext secrets file (JSON / YAML / TOML).
The 256-bit AES key is derived from the user password using PBKDF2-HMAC-SHA256 with 600 000 iterations, which meets current OWASP recommendations.
§Key Derivation
key = PBKDF2-HMAC-SHA256(password, salt, iterations=600_000, dkLen=32)
§Secrets File Schema
The plaintext secrets file (before encryption) must deserialize to
Vec<SecretEntry>:
[
{
"pattern": "alice@corp\\.com",
"kind": "regex",
"category": "email",
"label": "alice_email"
},
{
"pattern": "sk-proj-abc123secret",
"kind": "literal",
"category": "custom:api_key",
"label": "openai_key"
}
]
§Thread Safety
All public types are Send + Sync. Decrypted secrets use
zeroize::Zeroizing to scrub plaintext from memory on drop.
§Security Considerations
- AES-256-GCM provides both confidentiality and integrity (AEAD).
- PBKDF2 with 600 000 iterations resists offline brute-force attacks.
- Decrypted plaintext is held in Zeroizing<Vec<u8>> and zeroed on drop.
- The plaintext secrets file is never written to disk by this crate.
- Nonce and salt are generated with the OS CSPRNG (rand).
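As an added example (not the crate's own code), the following std-only Rust splits a blob into the salt, nonce and ciphertext fields of the Encryption Format above and applies a plaintext-vs-blob heuristic of the kind the looks_encrypted function describes. The 16-byte tag minimum and the exact heuristic are assumptions; PBKDF2 and AES-256-GCM themselves are not performed here.

```rust
// Added example, not the crate's own code. std only: PBKDF2 and AES-GCM are not performed.
pub const SALT_LEN: usize = 32;
pub const NONCE_LEN: usize = 12;
/// AES-GCM appends a 16-byte tag, so a valid blob is at least header + tag long (assumed bound).
pub const TAG_LEN: usize = 16;
pub const MIN_BLOB_LEN: usize = SALT_LEN + NONCE_LEN + TAG_LEN;

#[derive(Debug, PartialEq)]
pub struct EncryptedBlob<'a> {
    pub salt: &'a [u8],
    pub nonce: &'a [u8],
    pub ciphertext: &'a [u8], // includes the trailing GCM tag
}

#[derive(Debug, PartialEq)]
pub enum BlobError {
    TooShort { len: usize, min: usize },
}

/// Split raw file bytes into salt || nonce || ciphertext. This checks length only;
/// integrity is established later when the GCM tag is verified during decryption.
pub fn split_blob(bytes: &[u8]) -> Result<EncryptedBlob<'_>, BlobError> {
    if bytes.len() < MIN_BLOB_LEN {
        return Err(BlobError::TooShort { len: bytes.len(), min: MIN_BLOB_LEN });
    }
    let (salt, rest) = bytes.split_at(SALT_LEN);
    let (nonce, ciphertext) = rest.split_at(NONCE_LEN);
    Ok(EncryptedBlob { salt, nonce, ciphertext })
}

/// Heuristic (assumed, not the crate's exact rule): a plaintext secrets file is UTF-8
/// text, while 44 CSPRNG header bytes are almost never valid UTF-8 without control
/// characters. A wrong "plaintext" verdict is safe: the JSON/YAML/TOML parse then fails.
pub fn looks_encrypted(bytes: &[u8]) -> bool {
    if bytes.len() < MIN_BLOB_LEN {
        return false; // too short to be a blob at all
    }
    match std::str::from_utf8(bytes) {
        Err(_) => true,
        Ok(text) => text.chars().any(|c| c.is_control() && !matches!(c, '\n' | '\r' | '\t')),
    }
}
```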
Structs§
- SecretEntry - A single secret entry as stored in the (plaintext) secrets file.
Enums§
- SecretsFormat - Supported plaintext file formats for secrets.
Functions§
- decrypt_secrets - Decrypt an encrypted secrets blob in memory.
- encrypt_secrets - Encrypt a plaintext secrets file.
- entries_to_patterns - Convert parsed SecretEntrys into compiled ScanPatterns.
- load_encrypted_secrets - Load, decrypt, parse, and compile an encrypted secrets file into ScanPatterns ready for the streaming scanner.
- load_plaintext_secrets - Load and parse a plaintext secrets file into ScanPatterns.
- load_secrets_auto - Unified loader: auto-detect encrypted vs plaintext and load secret patterns accordingly.
- looks_encrypted - Detect whether raw file bytes look like an AES-256-GCM encrypted secrets blob (binary with salt+nonce header) or a plaintext secrets file (UTF-8 JSON / YAML / TOML).
- parse_category - Parse a category string into a Category.
- parse_secrets - Parse a decrypted plaintext into secret entries.
- serialize_secrets - Serialize secret entries back into a plaintext format.
Type Aliases§
- PatternCompileResult - Result of compiling secret entries into patterns. Contains successfully compiled patterns and a list of (index, error) for failures.