Encryption key management for MNEME databases. Handles Data Encryption Key (DEK) generation, wrapping, and unwrapping using Ed25519 SSH keys converted to X25519 for ECDH key agreement. Provides per-keyspace sub-key derivation and key slot serialization for multi-key access.
| Name | Signature |
|---|---|
| pack_slots | pack_slots(slots) -> data |
| unpack_slots | unpack_slots(data) -> slots, err |
| fingerprint | fingerprint(ed25519_pk) -> fingerprint |
| generate_dek | generate_dek() -> dek |
| wrap_dek | wrap_dek(dek_raw, ed25519_pk) -> slot |
| unwrap_dek | unwrap_dek(slots, ed25519_seed, ed25519_pk) -> dek, err |
| derive_subkey | derive_subkey(dek, keyspace_name) -> subkey |
pack_slots(slots) -> data
Serialize key slots to a binary blob
unpack_slots(data) -> slots, err
Deserialize key slots from a binary blob
fingerprint(ed25519_pk) -> fingerprint
Compute the SHA-256 fingerprint of an Ed25519 public key
generate_dek() -> dek
Generate a random Data Encryption Key
wrap_dek(dek_raw, ed25519_pk) -> slot
Wrap a DEK for an Ed25519 public key
Seals the 32-byte raw DEK so that only the holder of the corresponding Ed25519 private key can recover it. Converts the public key to X25519, performs ECDH with an ephemeral keypair, derives a KEK via HKDF-SHA256, and encrypts the DEK with ChaCha20-Poly1305. Returns a key slot table with fields: fingerprint, ephemeral_pk, nonce, wrapped_dek, tag.
unwrap_dek(slots, ed25519_seed, ed25519_pk) -> dek, err
Unwrap a DEK from key slots using an Ed25519 seed
Finds the key slot matching the given public key's fingerprint, then reverses the ECDH + HKDF + ChaCha20-Poly1305 wrapping to recover the DEK. Returns a secure mlock'd userdata holding the DEK, or nil and an error if no matching slot is found or decryption fails.
derive_subkey(dek, keyspace_name) -> subkey
Derive a per-keyspace encryption sub-key from the DEK