FileKeyProvider

sifredb_key_file

Struct FileKeyProvider 

Source 
pub struct FileKeyProvider { /* private fields */ }
Expand description

File-based key provider for development and testing.

Keys are stored in the filesystem with the following structure:

keys/
├── kek_v1.key      (32 bytes, 0600 permissions)
├── kek_v2.key      (32 bytes, 0600 permissions)
├── current -> kek_v2.key  (symlink to active KEK)
└── pepper.key      (32 bytes, 0600 permissions)

§Example

use sifredb_key_file::FileKeyProvider;
use sifredb::key_provider::KeyProvider;

// Initialize a new key directory
FileKeyProvider::init("./keys").expect("Failed to initialize keys");

// Load the provider
let provider = FileKeyProvider::new("./keys").expect("Failed to load provider");

// Use the provider
let kek_id = provider.current_kek_id().expect("No active KEK");

Implementations§

Source§

impl FileKeyProvider

Source

pub fn new(key_dir: impl Into<PathBuf>) -> Result<Self, KeyProviderError>

Creates a new FileKeyProvider from an existing key directory.

§Arguments
  • key_dir - Directory containing key files
§Errors

Returns error if:

  • Directory doesn’t exist
  • No current KEK symlink exists
  • File permissions are incorrect (Unix only)
Source

pub fn init(key_dir: impl Into<PathBuf>) -> Result<(), KeyProviderError>

Initializes a new key directory with a fresh KEK and pepper.

This creates:

  • A new KEK (kek_v1.key)
  • A symlink pointing to the current KEK
  • A pepper for blind indexes
§Errors

Returns error if directory creation or key generation fails.

Trait Implementations§

Source§

impl KeyProvider for FileKeyProvider

Source§

fn create_kek(&self) -> Result<String, KeyProviderError>

Creates a new Key Encryption Key (KEK) and returns its identifier. Read more
Source§

fn current_kek_id(&self) -> Result<String, KeyProviderError>

Returns the identifier of the current (active) KEK. Read more
Source§

fn wrap_dek( &self, kek_id: &str, dek: &[u8], ) -> Result<Vec<u8>, KeyProviderError>

Wraps (encrypts) a Data Encryption Key (DEK) with the specified KEK. Read more
Source§

fn unwrap_dek( &self, kek_id: &str, wrapped_dek: &[u8], ) -> Result<SecretVec<u8>, KeyProviderError>

Unwraps (decrypts) a Data Encryption Key (DEK) using the specified KEK. Read more
Source§

fn get_pepper(&self) -> Result<Option<SecretVec<u8>>, KeyProviderError>

Returns the pepper value for blind index generation. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

Source§

fn vzip(self) -> V