KeyVault: opaque custodian of repository key material.
§Security Architecture
This is the ONLY struct in the entire codebase that holds key material. The raw bytes never leave this struct — all operations are provided as methods. External crates receive only:
- Derived keys (`&SecretKey`) for purpose-specific encryption
- Operation handles (`CommitReader`) for per-commit decryption
- Encrypted/decrypted data from vault operations
§Modes
- RootKey: Full read/write access. Can seal and open commits, derive keys, and perform all encryption operations. Created via `KeyVault::new()`.
- ContentKey: Scoped read-only access to a single commit’s objects. Can open commits and decrypt metadata/shards, but cannot seal new objects or access derived keyring keys. Created via `KeyVault::from_content_key()`.
§ring-inspired pattern
Following the ring crypto library’s approach:
- Key material enters the vault once and is consumed into an opaque struct
- No `as_bytes()`, no `into_inner()`, no escape hatch for key material
- The vault provides operations (open, seal, derive), never key accessors
- `CommitReader` mirrors ring’s `OpeningKey` — a per-operation handle
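As an added illustration of the pattern above (example code, not this crate’s own implementation), a std-only sketch: key bytes are moved into a private field with no accessor, `seal` is refused in ContentKey mode at the API boundary, callers get a `CommitReader` handle rather than bytes, and `Debug`/`Drop` keep the material out of logs and memory. The `derive` and `xor_stream` helpers are XOR placeholders standing in for a real KDF and AEAD; the `Mode`, `VaultError` and `commit_id` names are assumptions.

```rust
use std::fmt;
const KEY_LEN: usize = 32;
#[derive(PartialEq)]
enum Mode { RootKey, ContentKey }
#[derive(Debug, PartialEq)]
pub enum VaultError { ReadOnly }

/// The only type that holds key material; the field is private and no method returns it.
pub struct KeyVault { key: [u8; KEY_LEN], mode: Mode }
/// Per-commit read handle (ring's OpeningKey style): carries a derived key, never the root key.
pub struct CommitReader { commit_key: [u8; KEY_LEN] }

/// Placeholder derivation: mixes a label into the key (assumption, NOT a real KDF such as HKDF).
fn derive(key: &[u8; KEY_LEN], label: &[u8]) -> [u8; KEY_LEN] {
    let mut out = *key;
    for (i, b) in label.iter().enumerate() { out[i % KEY_LEN] ^= b.rotate_left((i % 8) as u32); }
    out
}
/// Placeholder keystream XOR standing in for an AEAD seal/open (assumption, not real crypto).
fn xor_stream(key: &[u8; KEY_LEN], data: &[u8]) -> Vec<u8> {
    data.iter().enumerate().map(|(i, b)| b ^ key[i % KEY_LEN]).collect()
}

impl KeyVault {
    /// Key material is moved in by value and consumed; the caller keeps no handle to it.
    pub fn new(root_key: [u8; KEY_LEN]) -> Self { KeyVault { key: root_key, mode: Mode::RootKey } }
    /// Scoped read-only vault built from one commit's content key.
    pub fn from_content_key(content_key: [u8; KEY_LEN]) -> Self { KeyVault { key: content_key, mode: Mode::ContentKey } }
    /// Sealing needs the root key; a ContentKey vault is refused at the API boundary.
    pub fn seal(&self, commit_id: &[u8], plaintext: &[u8]) -> Result<Vec<u8>, VaultError> {
        if self.mode != Mode::RootKey { return Err(VaultError::ReadOnly); }
        Ok(xor_stream(&derive(&self.key, commit_id), plaintext))
    }
    /// Returns an operation handle, never key bytes; both modes may open.
    pub fn reader(&self, commit_id: &[u8]) -> CommitReader {
        let commit_key = match self.mode { Mode::RootKey => derive(&self.key, commit_id), Mode::ContentKey => self.key };
        CommitReader { commit_key }
    }
}
impl CommitReader {
    pub fn open(&self, ciphertext: &[u8]) -> Vec<u8> { xor_stream(&self.commit_key, ciphertext) }
}

/// Debug is redacted so key bytes never reach logs; Drop scrubs them best-effort.
impl fmt::Debug for KeyVault {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.write_str("KeyVault(<redacted>)") }
}
impl Drop for KeyVault {
    fn drop(&mut self) { for b in self.key.iter_mut() { unsafe { std::ptr::write_volatile(b, 0) } } }
}
```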
§Structs
- `KeyVault`: Holds repository key material and provides all key-dependent operations.