rust-keyvault
| Crates.io | rust-keyvault |
| lib.rs | rust-keyvault |
| version | 0.2.1 |
| created_at | 2025-09-14 02:48:51.722849+00 |
| updated_at | 2025-10-08 01:09:36.634197+00 |
| description | A secure, modern cryptographic key management library for Rust |
| homepage | |
| repository | https://github.com/0xTnxl/rust-keyvault |
| max_upload_size | |
| id | 1838312 |
| size | 296,550 |
!∄ (0xTnxl)
documentation
https://docs.rs/rust-keyvault
README
rust-keyvault
A secure, production-grade cryptographic key management library for Rust.
Features
- Secure Key Storage - Encrypted at-rest with Argon2id + XChaCha20-Poly1305
- Key Rotation - Seamless key lifecycle management with versioning
- Persistent Storage - File-based backend with optional encryption
- Import/Export - Secure key exchange between vaults (new in v0.2.0!)
- Backup/Restore - Encrypted vault backups with compression (new in v0.2.0!)
- Audit Logging - Comprehensive security event tracking
- High Performance - ~2.4µs key generation, efficient storage
- Memory Safety - Automatic secret zeroization, constant-time operations
- Thread-Safe - Concurrent access with RwLock protection
- Benchmarked - Performance baselines established with Criterion
Security
- Zero Unsafe Code:
#![forbid(unsafe_code)]- completely memory safe - Security Audit: Passed (October 2025) - see SECURITY.md
- OWASP Compliant: Argon2id parameters meet OWASP 2024 guidelines
- Constant-Time Operations: Timing-attack resistant comparisons
- Automatic Zeroization: Secrets cleared from memory on drop
Supported Algorithms
| Algorithm | Type | Key Size | Nonce Size | Use Case |
|---|---|---|---|---|
| ChaCha20-Poly1305 | AEAD | 256-bit | 96-bit | General encryption |
| XChaCha20-Poly1305 | AEAD | 256-bit | 192-bit | Safe random nonces |
| AES-256-GCM | AEAD | 256-bit | 96-bit | Hardware acceleration |
| Ed25519 | Signature | 256-bit | - | Digital signatures* |
| X25519 | Key Exchange | 256-bit | - | ECDH key agreement* |
*Asymmetric algorithms partially implemented - full support in v0.3.0
Quick Start
Installation
Add to your Cargo.toml:
[dependencies]
rust-keyvault = "0.2.0"
Basic Usage
use rust_keyvault::*;
use rust_keyvault::key::{SecretKey, VersionedKey};
use rust_keyvault::storage::*;
use std::time::SystemTime;
// Create an encrypted file store
let config = StorageConfig { encrypted: true, ..Default::default() };
let mut store = FileStore::new("./keys", config)?;
store.init_with_password(b"your-secure-password")?;
// Generate a new key
let base_id = KeyId::generate_base()?;
let secret_key = SecretKey::generate(Algorithm::ChaCha20Poly1305)?;
let metadata = KeyMetadata {
id: base_id.clone(),
base_id: base_id.clone(),
algorithm: Algorithm::ChaCha20Poly1305,
created_at: SystemTime::now(),
expires_at: None,
state: KeyState::Active,
version: 1,
};
let versioned_key = VersionedKey { key: secret_key, metadata };
// Store the key
store.store(versioned_key)?;
// Retrieve and use
let retrieved = store.retrieve(&base_id)?;
println!("Key algorithm: {:?}", retrieved.key.algorithm());
Key Rotation
// Rotate to a new version
let rotated_key = store.rotate_key(&base_id)?;
println!("New version: {}", rotated_key.metadata.version); // 2
// Get all versions
let versions = store.get_key_versions(&base_id)?;
println!("Total versions: {}", versions.len()); // 2
// Get latest active key
let latest = store.get_latest_key(&base_id)?;
Import/Export (v0.2.0)
use rust_keyvault::export::ExportedKey;
use rust_keyvault::storage::FileStore;
// Export key with password protection
let exported = store.export_key(&base_id, b"export-password")?;
// Serialize to JSON for transmission/storage
let json_export = exported.to_json()?;
std::fs::write("exported_key.json", &json_export)?;
// Import into another vault
let mut target_store = FileStore::new("./target", config)?;
// Deserialize from JSON
let json_str = std::fs::read_to_string("exported_key.json")?;
let exported_key = ExportedKey::from_json(&json_str)?;
// Import the key
let imported_id = target_store.import_key(&exported_key, b"export-password")?;
println!("Imported key with ID: {}", imported_id);
Backup/Restore (v0.2.0)
use rust_keyvault::backup::{BackupConfig, VaultBackup};
// Configure backup options
let backup_config = BackupConfig {
include_audit_logs: true,
compress: true,
encryption_password: b"backup-password".to_vec(),
comment: Some("Production backup".to_string()),
};
// Create encrypted backup
let backup = store.backup(b"backup-password", backup_config)?;
// Serialize to JSON and save
let backup_json = backup.to_json()?;
std::fs::write("vault.backup.json", &backup_json)?;
// Restore from backup
let backup_str = std::fs::read_to_string("vault.backup.json")?;
let backup = VaultBackup::from_json(&backup_str)?;
let mut restored_store = FileStore::new("./restored", config)?;
let restored_count = restored_store.restore(&backup, b"backup-password")?;
println!("Restored {} keys", restored_count);
Performance
Benchmarks run on AMD Ryzen 9 5950X (3.4 GHz base):
| Operation | Time | Throughput |
|---|---|---|
| Key Generation (ChaCha20) | ~2.4 µs | ~416k keys/sec |
| Key Generation (AES-256) | ~2.1 µs | ~476k keys/sec |
| MemoryStore (retrieve) | ~500 ns | ~2M ops/sec |
| FileStore (store) | ~5-10 ms | ~100-200 ops/sec |
| Vault Backup (compressed) | ~8 ms | ~125 backups/sec |
| Key Export (encrypted) | ~65 ms | ~15 exports/sec |
Full benchmark suite: cargo bench
Architecture
┌─────────────────┐
│ Applications │
└─────────────────┘
│
┌─────────────────────────────────────────┐
│ Core Key Management Layer │
│ ┌─────────────┐ ┌────────────────┐ │
│ │ KeyStore │ │ EncryptedStore │ │
│ │ Traits │ │ Traits │ │
│ └─────────────┘ └────────────────┘ │
│ ┌─────────────┐ ┌────────────────┐ │
│ │ MemoryStore │ │ FileStore │ │
│ │ (Testing) │ │ (Production) │ │
│ └─────────────┘ └────────────────┘ │
└─────────────────────────────────────────┘
│
┌─────────────────────────────────────────┐
│ Import/Export & Backup Layer │
│ ┌─────────────┐ ┌────────────────┐ │
│ │ Key Export │ │ Vault Backup │ │
│ │ (Encrypted) │ │ (Compressed) │ │
│ └─────────────┘ └────────────────┘ │
└─────────────────────────────────────────┘
│
┌─────────────────────────────────────────┐
│ Cryptographic Primitives │
│ ┌─────────────┐ ┌────────────────┐ │
│ │ AEAD Crypto │ │ Argon2 KDF │ │
│ │ ChaCha/AES │ │ Derivation │ │
│ └─────────────┘ └────────────────┘ │
│ ┌─────────────┐ ┌────────────────┐ │
│ │ HKDF/HMAC │ │ Zeroization │ │
│ │ Derivation │ │ Memory Safe │ │
│ └─────────────┘ └────────────────┘ │
└─────────────────────────────────────────┘
Security Features
- Modern Cryptography: ChaCha20-Poly1305, XChaCha20-Poly1305, AES-256-GCM AEAD
- Memory Safety: Automatic secret zeroization with
zeroizecrate - Key Derivation: Argon2id (64 MiB memory, t=4) password-based KDF
- HKDF: HMAC-SHA256 based key derivation for domain separation
- Authenticated Encryption: Built-in integrity protection with HMAC-SHA256
- Constant-Time Operations: Timing-attack resistant key comparisons
- Secure Random: ChaCha20-based CSPRNG for all random generation
Documentation
- API Documentation
- Usage Examples
- Security Policy - Threat model, security guarantees, best practices
- Changelog - Version history and release notes
Testing
Run the test suite:
# All tests
cargo test --all-features
# Integration tests
cargo test --test '*'
# Benchmarks
cargo bench
Contributing
Contributions are welcome! Please read our security policy in SECURITY.md before submitting changes.
License
Licensed under either of:
- Apache License, Version 2.0 (LICENSE-APACHE)
- MIT License (LICENSE-MIT)
at your option.