Signet Forge 0.1.1
C++20 Parquet library with AI-native extensions
signet::forge::crypto::LocalKeyStore Class Reference

File-based local key store for on-premise deployments. More...

#include <kms_local.hpp>

Inheritance diagram for signet::forge::crypto::LocalKeyStore:
signet::forge::crypto::IKmsClient

Classes

struct  Config
 

Public Member Functions

 LocalKeyStore (Config config)
 Construct a LocalKeyStore from configuration.
 
 ~LocalKeyStore () override
 
 LocalKeyStore (const LocalKeyStore &)=delete
 
LocalKeyStore & operator= (const LocalKeyStore &)=delete
 
expected< std::vector< uint8_t > > wrap_key (const std::vector< uint8_t > &dek, const std::string &key_id) const override
 Wrap (encrypt) a DEK under the master key identified by key_id.
 
expected< std::vector< uint8_t > > unwrap_key (const std::vector< uint8_t > &wrapped_dek, const std::string &key_id) const override
 Unwrap (decrypt) a wrapped DEK using the master key identified by key_id.
 
expected< std::string > generate_key (const std::string &key_id)
 Generate a new AES-256 master key and store it under key_id.
 
expected< void > destroy_key (const std::string &key_id)
 Destroy a master key (crypto-shredding for GDPR Art. 17).
 
bool has_key (const std::string &key_id) const
 Check if a key exists in the store (cached or on disk).
 
- Public Member Functions inherited from signet::forge::crypto::IKmsClient
virtual ~IKmsClient ()=default
 

Detailed Description

File-based local key store for on-premise deployments.

Wraps master keys under a passphrase-derived KEK and stores them on the local filesystem. Suitable for air-gapped or single-machine deployments where a cloud KMS is not available. Because the KEK is derived from the passphrase, the passphrase's strength bounds the security of every master key in the store: anyone who obtains both the keystore directory and the passphrase can unwrap every DEK. Restrict filesystem permissions on the keystore directory to the service account and do not hardcode the passphrase in source.

Thread safety: All public methods are protected by a mutable mutex.

Usage:

#include <memory>
#include <kms_local.hpp>   // signet::forge::crypto::LocalKeyStore

using signet::forge::crypto::LocalKeyStore;

// Path and passphrase are illustrative; in practice read the passphrase from
// an environment variable or a secret file rather than a string literal.
auto store = std::make_shared<LocalKeyStore>(LocalKeyStore::Config{
    .keystore_path = "/home/user/.signet/keystore",
    .passphrase = "my-secure-passphrase"
});
// Generate an AES-256 master key under the id "master-001"
store->generate_key("master-001");
// Hand the store to the encryption configuration as its IKmsClient
// (`config` stands for whatever configuration object carries a kms_client member)
config.kms_client = store;

Definition at line 72 of file kms_local.hpp.
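To make the envelope-encryption contract behind LocalKeyStore concrete, the following is an added example that is not part of Signet Forge: an in-memory stand-in (`ToyKeyStore`, `Result`, `run_envelope_flow` are all names chosen here) with the same wrap/unwrap/generate/destroy/has_key shape, walked through generate, wrap, unwrap, then crypto-shred. The key material, the "wrap" primitive and the RNG are placeholders so the block compiles with only the standard library: the real store uses AES-256 master keys under a passphrase-derived KEK on disk, and a real wrap must be an authenticated primitive such as AES-KW or AES-GCM, whereas the keyed XOR below has no integrity check at all.

```cpp
// Added example, not Signet Forge code. Dependency-free stand-in for the
// IKmsClient wrap/unwrap contract; XOR "cipher" and mt19937 are placeholders.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <map>
#include <mutex>
#include <optional>
#include <random>
#include <string>
#include <vector>

// Minimal stand-in for the library's expected<T>: value on success, error text otherwise.
template <typename T>
struct Result {
    std::optional<T> value;
    std::string error;
    bool ok() const { return value.has_value(); }
};

class ToyKeyStore {
public:
    // Create a 32-byte (AES-256 sized) master key under key_id; refuse to overwrite.
    Result<std::string> generate_key(const std::string& key_id) {
        std::lock_guard<std::mutex> lock(mu_);
        if (keys_.count(key_id) != 0) return {std::nullopt, "key already exists: " + key_id};
        std::vector<uint8_t> key(32);
        for (auto& b : key) b = static_cast<uint8_t>(rng_());  // placeholder RNG, not a CSPRNG
        keys_[key_id] = key;
        return {key_id, ""};
    }

    // Wrap a DEK under master key key_id. An unknown id is an error, never a silent no-op.
    Result<std::vector<uint8_t>> wrap_key(const std::vector<uint8_t>& dek,
                                          const std::string& key_id) const {
        std::lock_guard<std::mutex> lock(mu_);
        auto it = keys_.find(key_id);
        if (it == keys_.end()) return {std::nullopt, "unknown key: " + key_id};
        return {xor_with(dek, it->second), ""};
    }

    // Placeholder primitive is its own inverse, so unwrap is the same operation.
    Result<std::vector<uint8_t>> unwrap_key(const std::vector<uint8_t>& wrapped_dek,
                                            const std::string& key_id) const {
        return wrap_key(wrapped_dek, key_id);
    }

    // Crypto-shred: overwrite the key bytes, then drop the entry. Every DEK wrapped
    // under this key is now unrecoverable from this store.
    Result<bool> destroy_key(const std::string& key_id) {
        std::lock_guard<std::mutex> lock(mu_);
        auto it = keys_.find(key_id);
        if (it == keys_.end()) return {std::nullopt, "unknown key: " + key_id};
        volatile uint8_t* p = it->second.data();  // volatile so the wipe is not optimised away
        for (size_t i = 0; i < it->second.size(); ++i) p[i] = 0;
        keys_.erase(it);
        return {true, ""};
    }

    bool has_key(const std::string& key_id) const {
        std::lock_guard<std::mutex> lock(mu_);
        return keys_.count(key_id) != 0;
    }

private:
    // Placeholder "cipher": XOR each byte with the master key, cycling the key.
    static std::vector<uint8_t> xor_with(const std::vector<uint8_t>& in,
                                         const std::vector<uint8_t>& key) {
        std::vector<uint8_t> out(in.size());
        for (size_t i = 0; i < in.size(); ++i) out[i] = in[i] ^ key[i % key.size()];
        return out;
    }

    mutable std::mutex mu_;  // same pattern as the page's "mutable mutex" thread-safety note
    std::map<std::string, std::vector<uint8_t>> keys_;
    std::mt19937_64 rng_{std::random_device{}()};
};

// Outcome of the flow, returned rather than printed so it can be checked.
struct FlowOutcome {
    bool wrapped_differs;           // wrapped DEK is not the plaintext DEK
    bool roundtrip_ok;              // unwrap(wrap(dek)) == dek
    bool unknown_key_rejected;      // wrap under a missing id fails loudly
    bool key_gone;                  // has_key is false after destroy_key
    bool unwrap_after_shred_fails;  // wrapped DEK can no longer be recovered
};

FlowOutcome run_envelope_flow() {
    ToyKeyStore store;
    store.generate_key("master-001");
    // Constructed 32-byte DEK; a real caller draws it from a CSPRNG per file or column.
    std::vector<uint8_t> dek(32);
    for (size_t i = 0; i < dek.size(); ++i) dek[i] = static_cast<uint8_t>(i * 7 + 1);

    FlowOutcome out{};
    auto wrapped = store.wrap_key(dek, "master-001");
    out.wrapped_differs = wrapped.ok() && *wrapped.value != dek;
    auto unwrapped = store.unwrap_key(*wrapped.value, "master-001");
    out.roundtrip_ok = unwrapped.ok() && *unwrapped.value == dek;
    out.unknown_key_rejected = !store.wrap_key(dek, "does-not-exist").ok();
    store.destroy_key("master-001");
    out.key_gone = !store.has_key("master-001");
    out.unwrap_after_shred_fails = !store.unwrap_key(*wrapped.value, "master-001").ok();
    return out;
}

int main() {
    FlowOutcome r = run_envelope_flow();
    std::cout << "roundtrip ok: " << r.roundtrip_ok
              << ", unrecoverable after shred: " << r.unwrap_after_shred_fails << '\n';
    return (r.roundtrip_ok && r.unwrap_after_shred_fails) ? 0 : 1;
}
```

The point the stand-in makes is structural: once the master key is gone, the wrapped DEKs still stored beside the data are just bytes, which is what makes destroy_key usable for Art. 17 erasure without rewriting the data files. The same structure is also why any surviving copy of the master key (a filesystem backup of the keystore directory, a snapshot, the passphrase plus an old keystore) undoes the erasure.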

Constructor & Destructor Documentation

◆ LocalKeyStore() [1/2]

signet::forge::crypto::LocalKeyStore::LocalKeyStore ( Config  config)
inline explicit

Construct a LocalKeyStore from configuration.

Definition at line 85 of file kms_local.hpp.

◆ ~LocalKeyStore()

signet::forge::crypto::LocalKeyStore::~LocalKeyStore ( )
inline override

Definition at line 91 of file kms_local.hpp.

◆ LocalKeyStore() [2/2]

signet::forge::crypto::LocalKeyStore::LocalKeyStore ( const LocalKeyStore & )
delete

Member Function Documentation

◆ destroy_key()

expected< void > signet::forge::crypto::LocalKeyStore::destroy_key ( const std::string &  key_id)
inline

Destroy a master key (crypto-shredding for GDPR Art. 17). Once the master key is gone, every DEK wrapped under it, and therefore all data encrypted with those DEKs, becomes unrecoverable through this store. The erasure is only effective if no other copy of the master key survives, for example in a filesystem backup or snapshot of the keystore directory, or in a process that still holds an unwrapped DEK in memory.

Definition at line 160 of file kms_local.hpp.

◆ generate_key()

expected< std::string > signet::forge::crypto::LocalKeyStore::generate_key ( const std::string &  key_id)
inline

Generate a new AES-256 master key and store it under key_id.

Definition at line 145 of file kms_local.hpp.

◆ has_key()

bool signet::forge::crypto::LocalKeyStore::has_key ( const std::string &  key_id) const
inline

Check if a key exists in the store (cached or on disk).

Definition at line 176 of file kms_local.hpp.

◆ operator=()

LocalKeyStore & signet::forge::crypto::LocalKeyStore::operator= ( const LocalKeyStore & )
delete

◆ unwrap_key()

expected< std::vector< uint8_t > > signet::forge::crypto::LocalKeyStore::unwrap_key ( const std::vector< uint8_t > &  wrapped_dek,
const std::string &  key_id 
) const
inline override virtual

Unwrap (decrypt) a wrapped DEK using the master key identified by key_id.

Implements signet::forge::crypto::IKmsClient.

Definition at line 124 of file kms_local.hpp.

◆ wrap_key()

expected< std::vector< uint8_t > > signet::forge::crypto::LocalKeyStore::wrap_key ( const std::vector< uint8_t > &  dek,
const std::string &  key_id 
) const
inline override virtual

Wrap (encrypt) a DEK under the master key identified by key_id.

Implements signet::forge::crypto::IKmsClient.

Definition at line 105 of file kms_local.hpp.


The documentation for this class was generated from the following file:
kms_local.hpp