#[non_exhaustive]pub enum KeySource<'a> {
Path(&'a Path),
Password(&'a str),
Csprng,
}Expand description
A KeySource specifies the source of the encryption/decryption keys used by
a SecretsManager instance when loading or interacting with a SecureStore
vault.
Note that it is possible for different KeySource variants to be equivalent
and used interchangeably. For instance, you can derive the secret keys from
a password (via KeySource::Password) when reading/writing a SecureStore
vault from the command line (via the companion cli app/crate, ssclient)
but then export a copy of the keys derived from that password to a keyfile
and use that when accessing the vault from your code in production (as a
KeySource::Path variant). See SecretsManager::export_key() or
the ssclient documentation for more info.
Note that when creating a new vault with KeySource::Csprng the generated
private keys should be exported via SecretsManager::export_key()
before dropping the SecretsManager instance; the exported keyfile should
then be used the next time the vault is loaded (via KeySource::Path).
Variants (Non-exhaustive)§
This enum is marked as non-exhaustive
Path(&'a Path)
Load the keys from a keyfile on-disk. Both binary and PEM keyfiles are supported.
Password(&'a str)
Derive keys from the specified password.
You most likely do not want to use this KeySource variant directly;
instead use ssclient with a password when managing the secrets
in the SecureStore vault at the command line, and use ssclient to
export a keyfile equivalent to that password to use to retrieve
passwords at runtime (via KeySource::Path or
[KeySource::from_file()).
Csprng
Automatically generate a new key file from a secure RNG, for use with
SecretsManager::new() only.
SecretsManager::export_key() should be used to export the
keys before the SecretsManager instance is disposed or else the
generated key will be lost and secrets will not be decryptable. The
store should subsequently be loaded with KeySource::Path pointing to
the exported key’s path.