pub fn encrypt_secrets(plaintext: &[u8], password: &str) -> Result<Vec<u8>>Expand description
Encrypt a plaintext secrets file.
Returns the encrypted blob: salt (32) || nonce (12) || ciphertext.
§Arguments
plaintext— raw bytes of the secrets file (JSON / YAML / TOML).password— user-supplied password.
§Errors
Returns [SanitizeError::SecretsError] if the password is empty or
encryption fails.
§Security
- Salt and nonce are generated with CSPRNG.
- Key is derived with PBKDF2 (600 000 iterations).
- AES-256-GCM provides authenticated encryption.