pd_cipher::keys::providers::filesystem
File system-based key storage provider implementation.
Provides persistent key storage using the local file system for development and testing scenarios. Not suitable for production use.
Structs
FileSystemKeyProvider
File system key provider for persistent storage.
FileSystemKeyProvider stores keys as individual files in a specified
directory, with each key encrypted using a master key or password.
This provider is intended for development and testing only, not for production use.
Security Considerations
WARNING: This provider is for development and testing only. Keys are stored as plaintext JSON files on disk. For production systems, use a proper key management service (KMS), hardware security module (HSM), or secure vault solution that provides encryption at rest, access control, and audit logging.
- Keys are stored as individual files in the specified directory
- File permissions should be set to restrict access (600 or 640)
- Consider using full disk encryption for additional protection
- Directory should be on a secure, backed-up file system
- Atomic writes ensure consistency during updates
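An added example, not taken from pd_cipher: one way to create a key file with mode 0o600 from the start, replace it atomically via rename, and audit a key directory for modes looser than 640. It assumes a Unix target; `write_key_atomic` and `audit_permissions` are hypothetical names, and the key content is a constructed placeholder.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// Hypothetical helper: write `bytes` to `dir/name` atomically. The temp file is
/// created with mode 0o600, so the key is never readable by group or others.
fn write_key_atomic(dir: &Path, name: &str, bytes: &[u8]) -> io::Result<PathBuf> {
    let target = dir.join(name);
    let tmp = dir.join(format!(".{}.tmp", name));
    let mut f = OpenOptions::new()
        .write(true)
        .create_new(true) // fail instead of reusing a pre-existing temp file
        .mode(0o600) // applied at creation time (subject to umask)
        .open(&tmp)?;
    if let Err(e) = f.write_all(bytes).and_then(|_| f.sync_all()) {
        let _ = fs::remove_file(&tmp);
        return Err(e);
    }
    fs::rename(&tmp, &target)?; // atomic when both paths are on one file system
    Ok(target)
}

/// Hypothetical helper: list regular files in `dir` whose mode grants more than 0o640.
fn audit_permissions(dir: &Path) -> io::Result<Vec<(PathBuf, u32)>> {
    let mut loose = Vec::new();
    for entry in fs::read_dir(dir)? {
        let entry = entry?;
        let meta = entry.metadata()?; // does not follow symlinks
        if !meta.is_file() { continue; }
        let mode = meta.permissions().mode() & 0o777;
        if (mode & !0o640) != 0 {
            loose.push((entry.path(), mode));
        }
    }
    loose.sort();
    Ok(loose)
}

fn main() -> io::Result<()> {
    let dir = std::env::temp_dir().join(format!("fs-key-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    write_key_atomic(&dir, "key1.json", b"{\"constructed\":\"sample\"}")?;
    for (path, mode) in audit_permissions(&dir)? {
        println!("too permissive: {} ({:o})", path.display(), mode);
    }
    fs::remove_dir_all(&dir)
}
```

Setting the mode when the file is created avoids the window that a write followed by a later chmod leaves open.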
File Structure
key_directory/
├── metadata.json # Provider metadata
├── key1.json # Individual key files
├── key2.json
└── ...
Examples
Basic Usage
use pd_cipher::keys::providers::{KeyProvider, filesystem::FileSystemKeyProvider};
use pd_cipher::keys::EncryptionAlgorithm;
use std::path::Path;

fn example() -> pd_cipher::Result<()> {
    // Open (or create) the provider rooted at ./keys
    let mut provider = FileSystemKeyProvider::new(Path::new("./keys"))?;

    // Generate and store a key
    let key = provider.generate_key(EncryptionAlgorithm::Aes256Gcm)?;
    let key_id = provider.store_key("production-key", key, Some("Main encryption key".to_string()))?;

    // Load the key back
    let loaded_key = provider.load_key(&key_id)?;
    Ok(())
}
With Custom Permissions
use pd_cipher::keys::providers::filesystem::FileSystemKeyProvider;
use std::path::Path;

fn example() -> pd_cipher::Result<()> {
    let mut provider = FileSystemKeyProvider::new(Path::new("./secure-keys"))?;
    provider.set_file_permissions(0o600)?; // Owner read/write only
    Ok(())
}
pub struct FileSystemKeyProvider