KeyVault

Struct KeyVault

pub struct KeyVault { /* private fields */ }

Holds repository key material and provides all key-dependent operations.

§Security

This is the ONLY struct that holds key material. The raw bytes never leave this struct — all operations are provided as methods. External crates receive only derived keys (SecretKey) or operation handles (CommitReader).

Two modes:

  • RootKey (new): full read/write, can seal new commits
  • ContentKey (from_content_key): scoped read-only, single commit

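As an added illustration (not the crate's own code), the following std-only Rust sketch shows the pattern this page describes: one struct owns the key bytes, a single private gate enforces the root-key-only rule, `Debug` redacts the key so a stray `{:?}` in a log line cannot leak it, and `Drop` zeroes the bytes with volatile writes. The method names are taken from this page; everything else is an assumption. In particular `derive_placeholder` is a labelled stand-in with no cryptographic strength (the page says the project derives keys with HKDF), and derived keys are returned owned rather than borrowed from a keyring as the real `index_key` does.

```rust
// Added example (not the crate's own code): std-only sketch of the KeyVault
// design. Method names mirror the page; the derivation is a placeholder.
use std::fmt;
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

#[derive(Debug, PartialEq)]
pub enum CryptoError {
    RequiresRootKey,
    InvalidKey,
}

/// Overwrite key bytes with volatile stores so the compiler cannot drop the
/// writes as dead just before the memory is released.
fn zeroize(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, exclusively borrowed byte.
        unsafe { ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// A derived key: the only key material that leaves the vault. Zeroed on drop.
pub struct SecretKey([u8; 32]);

impl SecretKey {
    pub fn as_bytes(&self) -> &[u8; 32] {
        &self.0
    }
}

impl Drop for SecretKey {
    fn drop(&mut self) {
        zeroize(&mut self.0);
    }
}

/// Placeholder derivation (assumption, NOT the crate's HKDF): folds a domain
/// label into the root key so each purpose gets a distinct key.
fn derive_placeholder(root: &[u8; 32], label: &str) -> [u8; 32] {
    let mut out = *root;
    for (i, b) in label.bytes().enumerate() {
        out[i % 32] ^= b;
    }
    out
}

/// The two modes from the page: full access, or scoped read-only.
enum Mode {
    RootKey { root: [u8; 32] },
    ContentKey { content: [u8; 32] },
}

pub struct KeyVault {
    mode: Mode,
}

impl KeyVault {
    /// Root-key mode. The caller keeps a copy of the array and should zero it.
    pub fn new(root_key: [u8; 32]) -> Result<KeyVault, CryptoError> {
        if root_key.iter().all(|&b| b == 0) {
            return Err(CryptoError::InvalidKey);
        }
        Ok(KeyVault { mode: Mode::RootKey { root: root_key } })
    }

    /// Content-key mode: no keyring, so every derived-key accessor is refused.
    pub fn from_content_key(content_key: [u8; 32]) -> KeyVault {
        KeyVault { mode: Mode::ContentKey { content: content_key } }
    }

    pub fn is_content_key_mode(&self) -> bool {
        matches!(self.mode, Mode::ContentKey { .. })
    }

    /// The single gate every "Requires root-key mode" operation passes through.
    fn root(&self) -> Result<&[u8; 32], CryptoError> {
        match &self.mode {
            Mode::RootKey { root } => Ok(root),
            Mode::ContentKey { .. } => Err(CryptoError::RequiresRootKey),
        }
    }

    pub fn index_key(&self) -> Result<SecretKey, CryptoError> {
        Ok(SecretKey(derive_placeholder(self.root()?, "index")))
    }

    pub fn stash_key(&self) -> Result<SecretKey, CryptoError> {
        Ok(SecretKey(derive_placeholder(self.root()?, "stash")))
    }
}

/// Debug prints only the mode, never key bytes.
impl fmt::Debug for KeyVault {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let mode = if self.is_content_key_mode() { "ContentKey" } else { "RootKey" };
        f.debug_struct("KeyVault").field("mode", &mode).finish_non_exhaustive()
    }
}

impl Drop for KeyVault {
    fn drop(&mut self) {
        match &mut self.mode {
            Mode::RootKey { root } => zeroize(root),
            Mode::ContentKey { content } => zeroize(content),
        }
    }
}

fn main() {
    let vault = KeyVault::new([0x42; 32]).expect("non-zero root key");
    let idx = vault.index_key().expect("root mode has a keyring");
    println!("{:?} index key first byte {:#04x}", vault, idx.as_bytes()[0]);
    let scoped = KeyVault::from_content_key([0x24; 32]);
    println!("{:?} index_key -> {:?}", scoped, scoped.index_key().err());
}
```

The design point is that refusal happens in one place (`root()`), so adding a new keyring accessor cannot accidentally bypass the mode check, and that both the vault and every `SecretKey` it hands out zero themselves when dropped.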
Implementations§

impl KeyVault

pub fn new(root_key: [u8; 32]) -> Result<KeyVault, CryptoError>

Construct a root-key vault from raw key bytes.

§Security

The root key grants full read/write access to the entire repository history. After this call, the caller should zero the raw bytes. The vault takes ownership of key material from this point forward.


pub fn from_content_key(content_key: ContentKey) -> KeyVault

Construct a content-key vault for scoped read-only access.

The content key grants access to a single commit’s objects (metadata, shards, manifest) but cannot seal new commits or access derived keyring keys. Used for --content-key clone/fork paths.


pub fn is_content_key_mode(&self) -> bool

Returns true if this vault is in content-key (read-only) mode.

pub fn open_commit(&self, blob: &EncryptedCommit) -> Result<(Vec<u8>, CommitReader), CryptoError>

Decrypt a commit blob, returning plaintext and a session handle.

Works in both modes:

  • RootKey: decrypts the VD01 envelope and derives the content key
  • ContentKey: decrypts the envelope body using the content key directly

The returned CommitReader holds a per-commit derived content key for decrypting the commit’s metadata and shards.

pub fn seal_commit(&self, plaintext: &[u8]) -> Result<EncryptedCommit, CryptoError>

Encrypt a commit with envelope format (VD01), generating a fresh nonce.

Requires root-key mode.

pub fn seal_commit_with_nonce(&self, plaintext: &[u8], nonce: &Nonce<16>) -> Result<EncryptedCommit, CryptoError>

Encrypt a commit with envelope format using a pre-derived nonce.

Requires root-key mode.


pub fn derive_commit_key(&self) -> Result<(ContentKey, Nonce<16>), CryptoError>

Derive the per-commit content key for a new commit (used during seal).

Returns (ContentKey, KeyNonce) — the nonce is embedded in the envelope. Requires root-key mode.


pub fn index_key(&self) -> Result<&SecretKey, CryptoError>

Key for encrypting/decrypting the index file.

Requires root-key mode (keyring not available in content-key mode).


pub fn stash_key(&self) -> Result<&SecretKey, CryptoError>

Key for encrypting/decrypting stash entries.

Requires root-key mode.


pub fn staged_key(&self) -> Result<&SecretKey, CryptoError>

Key for encrypting/decrypting staged blobs.

Requires root-key mode.


pub fn commits_key(&self) -> Result<&SecretKey, CryptoError>

Key for encrypting/decrypting commits (used by seal pipeline).

Requires root-key mode.


pub fn metadata_key(&self) -> Result<&SecretKey, CryptoError>

Key for encrypting/decrypting metadata bundles.

Requires root-key mode.


pub fn content_key(&self) -> Result<&SecretKey, CryptoError>

Key for encrypting/decrypting content (file data in shards).

Requires root-key mode.


pub fn keyring(&self) -> Result<&KeyRing, CryptoError>

Access the full keyring (for operations that need multiple derived keys).

Requires root-key mode.

pub fn decrypt_blob(&self, blob: &[u8], aad: &[u8]) -> Result<Vec<u8>, CryptoError>

Decrypt a blob with VD01 envelope format.

Requires root-key mode.

pub fn decrypt_blob_raw(&self, blob: &[u8], aad: &[u8]) -> Result<Vec<u8>, CryptoError>

Decrypt a blob to raw bytes with VD01 envelope format.

Derives the content key from the nonce embedded in the envelope. Requires root-key mode.

pub fn seal_metadata(&self, plaintext: &[u8]) -> Result<EncryptedMetadata, CryptoError>

Encrypt metadata with the root key (AAD_METADATA baked in).

Used as the fallback when no per-commit content key is available (e.g., merge commits). Requires root-key mode.

pub fn seal_metadata_with_key(&self, key: &ContentKey, plaintext: &[u8]) -> Result<EncryptedMetadata, CryptoError>

Encrypt metadata with a content key (AAD_METADATA baked in).

Used when a per-commit content key is available (normal commit path). Works in both root-key and content-key modes (uses the provided key, not the vault’s root key).

pub fn seal_shard(&self, plaintext: &[u8]) -> Result<EncryptedShard, CryptoError>

Encrypt shard data with the root key (AAD_SHARD baked in).

Requires root-key mode.

pub fn unseal_shard(&self, blob: &EncryptedShard) -> Result<Vec<u8>, CryptoError>

Decrypt shard data encrypted with the root key (AAD_SHARD baked in).

Requires root-key mode.

pub fn unseal_commit_with_nonce(&self, blob: &[u8]) -> Result<(Vec<u8>, Nonce<16>), CryptoError>

Decrypt a commit blob returning plaintext and envelope nonce.

Requires root-key mode.


pub fn derive_scoped_key(&self, scope: &str) -> Result<ContentKey, CryptoError>

Derive a scoped content key from the root key.

Requires root-key mode.


pub fn repo_secret_fallback(&self) -> Result<SecretKey, CryptoError>

Derive a deterministic repo secret from the root key via HKDF.

Requires root-key mode.

Trait Implementations§

impl Debug for KeyVault

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter.

impl Drop for KeyVault

fn drop(&mut self)

Executes the destructor for this type.
