Module passkey

Passkey encryption for Webcash wallets

This module provides passkey-based encryption for Webcash wallets: wallet data is encrypted under keys that the platform releases only after the user authenticates with a biometric or the device passcode. It supports both iOS (Face ID/Touch ID) and Android (Passkey API) platforms.

§Security Architecture

The passkey encryption system follows these principles:

  1. Key Isolation: Encryption keys are protected by the platform's hardware key store (Secure Enclave on iOS, hardware-backed Keystore on Android); the app invokes them for encryption and decryption but never reads them out
  2. Zero Secrets: Biometric and passkey material never leaves the device's secure hardware; the app receives only an authentication result
  3. Enrollment Binding: Keys are regenerated when passkey enrollment changes, so a biometric added after the wallet was encrypted cannot unlock it. This is key rotation on enrollment change rather than forward secrecy in the cryptographic sense, and on iOS it requires the `.biometryCurrentSet` access-control flag; `.biometryAny` leaves the key usable across enrollment changes
  4. Defense in Depth: Passkey-gated encryption is layered with platform authentication and a password-based fallback (encrypt_with_password / decrypt_with_password), so no single control stands alone

§Implementation Strategy

§iOS Integration

  • Uses iOS Keychain Services with a `kSecAttrAccessControl` attribute built by `SecAccessControlCreateWithFlags` and the `.biometryAny` flag (note that `.biometryAny` does not invalidate the item when biometrics are re-enrolled; `.biometryCurrentSet` does)
  • Leverages the Secure Enclave for key storage and biometric verification
  • Supports both Face ID and Touch ID seamlessly; the system presents whichever the device has
  • Falls back to the device passcode when biometrics are unavailable (expressed on the item as `.devicePasscode` combined with `.or`)

§Android Integration

  • Uses Android Keystore keys created with `setUserAuthenticationRequired(true)`, so the key is usable only after the user authenticates
  • Supports fingerprint, face unlock, and iris scanning via BiometricPrompt; only Class 3 (strong) biometrics can unlock a Keystore key
  • Integrates with the Android Credential Manager API for a unified experience
  • Uses StrongBox-backed keys (`setIsStrongBoxBacked(true)`) when the device has a dedicated secure element, and TEE-backed keys otherwise
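The principles above and the passcode/password fallback in both platform sections imply one data-key envelope with two unwrap paths, which the module's own documentation does not spell out. The following is an added example written for this page, not webylib's code and not the module's `PasskeyEncryption` API: one data encryption key (DEK) encrypts the wallet, and the DEK is wrapped once under a hardware-protected key and once under a password-derived key, so either path opens the same ciphertext and an enrollment change only re-wraps the DEK. Everything in it is an assumption made for illustration: `PlatformKey` stands in for the hardware key (its `enrollment` counter models `.biometryCurrentSet` invalidation), `Envelope`, `rebind_passkey` and the error names are invented, the cipher is std's SipHash used as a PRF in counter mode with a PRF tag so the block runs with no crates, and `derive` is an iterated-PRF placeholder for a real KDF. In production the cipher and KDF would be an AEAD such as XChaCha20-Poly1305 and Argon2id.

```rust
// Added example, not webylib's code. Cipher: std's SipHash as a PRF in counter mode
// plus a PRF tag, used only so this runs with no crates; use a real AEAD and Argon2id.
#[allow(deprecated)] use std::hash::{Hasher, SipHasher}; // deprecated in std but still present

type Key = [u8; 16];
fn le64(b: &[u8]) -> u64 { let mut a = [0u8; 8]; a.copy_from_slice(b); u64::from_le_bytes(a) }
#[allow(deprecated)]
fn prf(key: &Key, label: &[u8], data: &[u8], ctr: u64) -> [u8; 8] {
    let mut h = SipHasher::new_with_keys(le64(&key[..8]), le64(&key[8..]));
    h.write(label); h.write(data); h.write_u64(ctr);
    h.finish().to_le_bytes()
}
/// Keystream XOR shared by seal and open.
fn xor_stream(key: &Key, nonce: u64, buf: &mut [u8]) {
    for (i, chunk) in buf.chunks_mut(8).enumerate() {
        let ks = prf(key, b"enc", &nonce.to_le_bytes(), i as u64);
        chunk.iter_mut().zip(ks.iter()).for_each(|(b, k)| *b ^= *k);
    }
}
/// Tag over nonce, length-prefixed AAD and ciphertext (encrypt-then-MAC).
fn tag(key: &Key, nonce: u64, aad: &[u8], ct: &[u8]) -> [u8; 8] {
    let m = [&nonce.to_le_bytes()[..], &(aad.len() as u64).to_le_bytes()[..], aad, ct].concat();
    prf(key, b"mac", &m, 0)
}
fn seal(key: &Key, nonce: u64, aad: &[u8], pt: &[u8]) -> Vec<u8> {
    let mut ct = pt.to_vec();
    xor_stream(key, nonce, &mut ct);
    let t = tag(key, nonce, aad, &ct);
    ct.extend_from_slice(&t);
    ct
}
fn open(key: &Key, nonce: u64, aad: &[u8], blob: &[u8]) -> Option<Vec<u8>> {
    if blob.len() < 8 { return None; }
    let (ct, t) = blob.split_at(blob.len() - 8);
    let want = tag(key, nonce, aad, ct);
    // Constant-time compare: reject without leaking which tag byte differed.
    if t.iter().zip(want.iter()).fold(0u8, |acc, (a, b)| acc | (a ^ b)) != 0 { return None; }
    let mut pt = ct.to_vec();
    xor_stream(key, nonce, &mut pt);
    Some(pt)
}
/// Unwrap a 16-byte DEK; a bad tag or a wrong length is one undifferentiated None.
fn unwrap_dek(key: &Key, nonce: u64, aad: &[u8], blob: &[u8]) -> Option<Key> {
    let v = open(key, nonce, aad, blob).filter(|v| v.len() == 16)?;
    let mut k = [0u8; 16]; k.copy_from_slice(&v); Some(k)
}

/// Stand-in for a hardware-resident key; `enrollment` models the biometric set it is
/// bound to (iOS `.biometryCurrentSet` semantics), so an enrollment change yields a new key.
pub struct PlatformKey { pub key: Key, pub enrollment: u32 }
pub struct KdfParams { pub iterations: u32 }
const MIN_ITER: u32 = 1_000; // policy floor: refuse weaker blobs outright
const MAX_ITER: u32 = 10_000_000; // ceiling: a hostile blob must not stall the unlocker
/// Placeholder password KDF (iterated PRF); use Argon2id in real code.
fn derive(pw: &[u8], salt: u64, p: &KdfParams) -> Key {
    let mut k = [0u8; 16];
    for i in 0..p.iterations {
        let (a, b) = (prf(&k, b"kdf-a", pw, salt ^ i as u64), prf(&k, b"kdf-b", pw, salt ^ i as u64));
        k[..8].copy_from_slice(&a); k[8..].copy_from_slice(&b);
    }
    k
}

#[derive(Debug, PartialEq)]
pub enum UnlockError { PasskeyInvalidated, WrongPasswordOrTampered, Tampered, BadKdfParams }
/// One DEK encrypts the wallet and is wrapped twice. Each key encrypts exactly one message,
/// so fixed per-purpose nonces (1 passkey wrap, 2 password wrap, 3 wallet) are safe here.
pub struct Envelope {
    pub kdf: KdfParams,
    salt: u64,
    passkey_wrap: (u32, Vec<u8>), // (enrollment the wrap is bound to, wrapped DEK)
    password_wrap: Vec<u8>,
    pub wallet_ct: Vec<u8>,
}
impl Envelope {
    pub fn create(wallet: &[u8], dek: Key, pk: &PlatformKey, pw: &[u8], salt: u64, kdf: KdfParams) -> Self {
        let pw_key = derive(pw, salt, &kdf);
        let passkey_wrap = (pk.enrollment, seal(&pk.key, 1, b"dek/passkey", &dek));
        let password_wrap = seal(&pw_key, 2, b"dek/password", &dek);
        Envelope { kdf, salt, passkey_wrap, password_wrap, wallet_ct: seal(&dek, 3, b"wallet", wallet) }
    }
    fn open_wallet(&self, dek: &Key) -> Result<Vec<u8>, UnlockError> {
        open(dek, 3, b"wallet", &self.wallet_ct).ok_or(UnlockError::Tampered)
    }
    /// Passkey path: fails closed when the wrap is bound to a different enrollment.
    pub fn unlock_with_passkey(&self, pk: &PlatformKey) -> Result<Vec<u8>, UnlockError> {
        if self.passkey_wrap.0 != pk.enrollment { return Err(UnlockError::PasskeyInvalidated); }
        let dek = unwrap_dek(&pk.key, 1, b"dek/passkey", &self.passkey_wrap.1).ok_or(UnlockError::PasskeyInvalidated)?;
        self.open_wallet(&dek)
    }
    fn dek_via_password(&self, pw: &[u8]) -> Result<Key, UnlockError> {
        // Bound the stored (untrusted) KDF parameters before spending work on them.
        if !(MIN_ITER..=MAX_ITER).contains(&self.kdf.iterations) { return Err(UnlockError::BadKdfParams); }
        let pw_key = derive(pw, self.salt, &self.kdf);
        unwrap_dek(&pw_key, 2, b"dek/password", &self.password_wrap).ok_or(UnlockError::WrongPasswordOrTampered)
    }
    /// Password fallback: same wallet ciphertext, different wrapping key.
    pub fn unlock_with_password(&self, pw: &[u8]) -> Result<Vec<u8>, UnlockError> {
        self.open_wallet(&self.dek_via_password(pw)?)
    }
    /// Enrollment changed: recover the DEK via the password and re-wrap it; the wallet ciphertext is untouched.
    pub fn rebind_passkey(&mut self, pw: &[u8], new_pk: &PlatformKey) -> Result<(), UnlockError> {
        let dek = self.dek_via_password(pw)?;
        self.passkey_wrap = (new_pk.enrollment, seal(&new_pk.key, 1, b"dek/passkey", &dek));
        Ok(())
    }
}
```

Two choices carry the security content. The passkey path checks the enrollment the wrap was bound to before touching the hardware key, so a changed biometric set fails closed with a distinct error the caller can map to "use your password, then re-bind"; `rebind_passkey` then re-wraps only the DEK, never re-encrypting the wallet. The password path validates the stored KDF parameters against a floor and a ceiling before deriving anything, because those parameters travel with the ciphertext and are therefore attacker-influenced: a floor refuses downgraded blobs, a ceiling stops a hostile blob from pinning the unlocker in the KDF.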

§Usage Patterns

use webylib::passkey::{PasskeyEncryption, EncryptionConfig};

// Runs inside an async function that returns a Result, so `?` and `.await` apply.
// Initialize with platform-specific configuration
let mut passkey = PasskeyEncryption::new(EncryptionConfig::default())?;

// Encrypt wallet with passkey protection
let wallet_data = b"wallet data";
let encrypted_data = passkey.encrypt_with_passkey(wallet_data).await?;

// Decrypt wallet (triggers the platform's biometric or passcode prompt;
// a cancelled or failed prompt surfaces as the error propagated by `?`)
let decrypted_data = passkey.decrypt_with_passkey(&encrypted_data).await?;

Structs§

EncryptedData
Encrypted data container with metadata
EncryptionConfig
Configuration for passkey encryption
EncryptionMetadata
Encryption metadata (non-sensitive information)
KdfParams
Key derivation parameters
PasskeyEncryption
Main passkey encryption interface

Functions§

decrypt_with_password
Decrypt data with a password-based key (fallback counterpart of encrypt_with_password).
encrypt_with_password
Encrypt data with a password-based key (fallback when passkeys unavailable).