secrets-vault
AES-256-GCM encrypted key-value vault with PBKDF2-SHA256 key derivation. Binary-compatible with the Zig version.
Quick Start

```rust
use secrets_vault::Vault;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Create or load a vault
    let mut vault = Vault::new();
    vault.set("API_KEY", "sk-secret-123");
    vault.set("DB_URL", "postgres://localhost/mydb");

    // Encrypt and save
    let bytes = vault.encrypt("my-passphrase")?;
    std::fs::write("vault.qvlt", &bytes)?;

    // Load and decrypt
    let data = std::fs::read("vault.qvlt")?;
    let vault = Vault::decrypt(&data, "my-passphrase")?;
    assert_eq!(vault.get("API_KEY"), Some("sk-secret-123"));
    Ok(())
}
```

Vault File Format (QVLT)
```text
[4 bytes]  Magic: "QVLT"
[1 byte]   Version: 0x01
[16 bytes] PBKDF2 salt (random per save)
[12 bytes] AES-GCM nonce (random per save)
[16 bytes] AES-GCM authentication tag
[N bytes]  Ciphertext (encrypted key-value pairs)
```

Security
- AES-256-GCM authenticated encryption (NIST)
- PBKDF2-HMAC-SHA256 with 600,000 iterations (OWASP 2023)
- Fresh random salt + nonce on every encrypt
- Plaintext zeroed after use
- Tamper detection via GCM authentication tag
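As an added example, not code from the secrets_vault crate: a parser for the QVLT layout above that enforces the fixed 49-byte header (4 + 1 + 16 + 12 + 16), checks magic and version, and splits salt, nonce, tag and ciphertext before any decryption is attempted. The type and function names are this example's own.

```rust
// Added example (not part of the secrets_vault crate): parse the QVLT
// container layout. It validates magic and version, checks the 49-byte
// fixed header is present, and splits the fields; it does not decrypt.

const MAGIC: &[u8; 4] = b"QVLT";
const VERSION: u8 = 0x01;
const HEADER_LEN: usize = 4 + 1 + 16 + 12 + 16; // 49 bytes before ciphertext

#[derive(Debug, PartialEq)]
pub struct QvltParts<'a> {
    pub salt: &'a [u8],       // 16 bytes, PBKDF2 salt
    pub nonce: &'a [u8],      // 12 bytes, AES-GCM nonce
    pub tag: &'a [u8],        // 16 bytes, GCM authentication tag
    pub ciphertext: &'a [u8], // remaining bytes
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated { have: usize, need: usize },
    BadMagic,
    UnsupportedVersion(u8),
}

pub fn parse_qvlt(data: &[u8]) -> Result<QvltParts<'_>, ParseError> {
    // Length check first so every slice below is in bounds.
    if data.len() < HEADER_LEN {
        return Err(ParseError::Truncated { have: data.len(), need: HEADER_LEN });
    }
    if &data[..4] != &MAGIC[..] {
        return Err(ParseError::BadMagic);
    }
    if data[4] != VERSION {
        return Err(ParseError::UnsupportedVersion(data[4]));
    }
    Ok(QvltParts {
        salt: &data[5..21],
        nonce: &data[21..33],
        tag: &data[33..49],
        ciphertext: &data[49..],
    })
}

// Assemble a blob in the same layout (constructed test input; tag and ciphertext are arbitrary bytes).
pub fn build_qvlt(salt: &[u8; 16], nonce: &[u8; 12], tag: &[u8; 16], ct: &[u8]) -> Vec<u8> {
    [&MAGIC[..], &[VERSION][..], &salt[..], &nonce[..], &tag[..], ct].concat()
}
```

A real loader would pass `salt` to PBKDF2 and `nonce`, `tag` and `ciphertext` to AES-256-GCM; a failed tag check must be treated the same as a malformed file.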
Structs
- Vault: An in-memory key-value store that can be encrypted to/from the QVLT format.

Enums
- VaultError: Errors that can occur during vault operations.

Constants
- ITERATIONS: PBKDF2 iteration count (OWASP 2023 recommendation for SHA-256).
- MAX_KEY_LEN: Maximum key name length in bytes.
- MAX_VALUE_LEN: Maximum value length in bytes.

Functions
- is_valid_key: Check if a key name is valid (alphanumeric + underscore, non-empty, ≤256 bytes).
- parse_env_lines: Parse KEY=VALUE lines (with optional `export` prefix and quote stripping).