Struct SecretManager 

pub struct SecretManager<B, E, const V: usize = 256, const S: usize = 32>
where
    B: SecretBackend + SecretRotationBackend + Clone,
    E: KeyEncryptor + Clone,
{ /* private fields */ }

Convenience facade that runs a SecretSyncer and a KeyRotator together.

SecretManager is the right choice when a single service instance should both rotate keys and consume them. Internally it:

1. Calls SecretSyncer::initial_load synchronously so the ring is hydrated before start returns (any failure is propagated as the Err variant).
2. Spawns the syncer and rotator as independent tokio tasks that run until the CancellationToken is cancelled.

The SecretGroup trait is forwarded to the inner InMemorySecretGroup so you can call current and resolve directly on the manager.

For split deployments — a dedicated rotation service plus many reader nodes — use KeyRotator and SecretSyncer independently instead.

Type parameters

• B — backend that implements both SecretBackend and SecretRotationBackend
• E — encryptor that implements KeyEncryptor
• V — ring buffer size (default 256, must be ≤ 256)
• S — key size in bytes (default 32)

Implementations

impl<B, E, const V: usize, const S: usize> SecretManager<B, E, V, S>

where B: SecretBackend + SecretRotationBackend + Clone, E: KeyEncryptor + Clone,

pub fn new( group_id: impl Into<String>, group: Arc<InMemorySecretGroup<V, S>>, backend: B, encryptor: E, rotation_interval: Duration, propagation_delay: Duration, poll_interval: Option<Duration>, generate_key: Option<fn() -> [u8; S]>, ) -> Self

Create a new SecretManager.

Arguments

• group_id — identifies the logical key group in storage
• group — the ring buffer that will be kept hydrated; typically wrapped in Arc so application code can read it concurrently
• backend — implements both SecretBackend (read) and SecretRotationBackend (write)
• encryptor — encrypts keys on write, decrypts on read
• rotation_interval — how long a key lives before a new one is generated
• propagation_delay — head-start given to syncers before a new key becomes current; set to at least your maximum expected poll latency
• poll_interval — how often the syncer polls for new keys; None uses 5 seconds
• generate_key — custom key-material generator; None uses a CSPRNG fill

pub async fn start( self, token: CancellationToken, ) -> Result<SecretManagerHandle, <B as SecretBackend>::Error>

Hydrate the ring buffer and spawn background tasks.

Performs the initial load synchronously — if it fails the error is returned and no tasks are spawned. On success, the syncer and rotator are launched and a SecretManagerHandle is returned.

Graceful shutdown

let token = CancellationToken::new();
let handle = SecretManager::new("payments-signing", group, backend, encryptor,
    Duration::from_secs(3600), Duration::from_secs(30), None, None)
    .start(token.clone()).await?;

// … serve traffic …

token.cancel();      // signal tasks to stop
handle.wait().await; // block until both tasks have exited

Trait Implementations

impl<B, E, const V: usize, const S: usize> SecretGroup<V, S> for SecretManager<B, E, V, S>

where B: SecretBackend + SecretRotationBackend + Clone, E: KeyEncryptor + Clone,

fn current(&self) -> (u8, [u8; S])

Return (current_version, key_bytes).

fn resolve(&self, version: u8) -> Option<[u8; S]>

Look up a key by version. Returns None for slots that have never been written.