Crate zeph_vault

Secret storage for Zeph with pluggable backends and age encryption.

This crate provides:

  • VaultProvider — an async trait for secret retrieval, implemented by all backends.
  • AgeVaultProvider — primary backend that stores secrets as an age-encrypted JSON file.
  • EnvVaultProvider — development/testing backend that reads secrets from environment variables prefixed with ZEPH_SECRET_.
  • ArcAgeVaultProvider — thin Arc<RwLock<AgeVaultProvider>> wrapper that implements VaultProvider so the age vault can be stored as a trait object while still being accessible for mutable operations (e.g. OAuth credential persistence).
  • MockVaultProvider — in-memory backend available under the mock feature flag and in #[cfg(test)] contexts.

Secret and VaultError live in zeph-common (layer 0) and are re-exported here so callers only need to depend on zeph-vault.

Security model

  • Secrets are stored as a JSON object encrypted with age using an x25519 keypair. Only the holder of the private key file can decrypt the vault.
  • In-memory secret values are kept in zeroize::Zeroizing buffers, which overwrite the memory on drop.
  • The key file is created with Unix permission 0600 (owner-read/write only). On non-Unix platforms the file is created without access control restrictions.
  • Vault writes are atomic: a temporary file is written first, then renamed, so a crash during write never corrupts the existing vault.
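As an added illustration of the two file-handling rules above (owner-only key file, temp-file-then-rename vault writes), here is a std-only Rust sketch; it is not code from the zeph-vault crate, and the function names, the `.tmp` suffix and the placeholder key contents used below are assumptions of this example.

```rust
use std::fs::{self, Metadata, OpenOptions};
use std::io::{self, Write};
use std::path::{Path, PathBuf};
// Apply mode 0600 at creation time, so the file is never even briefly group/world-readable.
#[cfg(unix)]
fn restrict_to_owner(opts: &mut OpenOptions) {
    use std::os::unix::fs::OpenOptionsExt;
    opts.mode(0o600);
}
// Non-Unix: no mode to set, so the file is created without access-control restrictions.
#[cfg(not(unix))]
fn restrict_to_owner(_opts: &mut OpenOptions) {}
// True when no group/other permission bits are set (0600 or stricter).
#[cfg(unix)]
fn is_owner_only(meta: &Metadata) -> bool {
    use std::os::unix::fs::PermissionsExt;
    (meta.permissions().mode() & 0o077) == 0
}
#[cfg(not(unix))]
fn is_owner_only(_meta: &Metadata) -> bool { true }
// Crash-safe write: fsynced sibling temp file, then rename over `path`, so a reader sees
// either the old file or the complete new one, never a mix. (Hypothetical helper.)
pub fn write_atomic_0600(path: &Path, data: &[u8]) -> io::Result<()> {
    let mut tmp = path.as_os_str().to_owned();
    tmp.push(".tmp");
    let tmp = PathBuf::from(tmp);
    let mut opts = OpenOptions::new();
    opts.write(true).create_new(true); // a stale temp file (unknown mode) fails loudly
    restrict_to_owner(&mut opts);
    let mut file = opts.open(&tmp)?;
    let flushed = match file.write_all(data) {
        Ok(()) => file.sync_all(),
        Err(e) => Err(e),
    };
    if let Err(e) = flushed {
        let _ = fs::remove_file(&tmp); // do not leave a half-written temp file behind
        return Err(e);
    }
    drop(file); // close before rename (required on Windows)
    fs::rename(&tmp, path)
}
// Refuse a key file that other users could read, mirroring the 0600 requirement above.
pub fn read_key_file(path: &Path) -> io::Result<Vec<u8>> {
    let meta = fs::metadata(path)?;
    if !is_owner_only(&meta) {
        let msg = format!("{}: readable by group/others, expected mode 0600", path.display());
        return Err(io::Error::new(io::ErrorKind::PermissionDenied, msg));
    }
    fs::read(path)
}
```

The permission check on read is the part worth copying: a vault whose key file has been chmod'ed open is still decryptable by the owner, so the failure only surfaces if the reader refuses loose modes explicitly.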

Vault file layout

~/.config/zeph/
├── vault-key.txt   # age identity (private key), mode 0600
└── secrets.age     # age-encrypted JSON: {"KEY": "value", ...}

Quick start

use std::path::Path;
use zeph_vault::{AgeVaultProvider, VaultProvider as _};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Open the vault: the identity file must be readable by this process only (mode 0600)
    let vault = AgeVaultProvider::new(
        Path::new("/etc/zeph/vault-key.txt"),
        Path::new("/etc/zeph/secrets.age"),
    )?;

    // Synchronous access via the direct getter
    if let Some(key) = vault.get("ZEPH_OPENAI_API_KEY") {
        // Log only the length; Secret redacts Debug/Display, so the value itself is never printed
        println!("key length: {}", key.len());
    }
    Ok(())
}

Structs

  • AgeVaultProvider: Age-encrypted vault backend.
  • ArcAgeVaultProvider: VaultProvider wrapper around Arc<RwLock<AgeVaultProvider>>.
  • EnvVaultProvider: Vault backend that reads secrets from environment variables.
  • Secret: Wrapper for sensitive strings with redacted Debug/Display.

Enums

  • AgeVaultError: Errors that can occur during age vault operations.
  • VaultError: Error type for vault operations.

Traits

  • VaultProvider: Pluggable secret retrieval backend.

Functions

  • default_vault_dir: Return the default vault directory for the current platform.