{"id":51514754,"url":"https://github.com/jamesgober/key-vault","last_synced_at":"2026-07-08T10:01:45.560Z","repository":{"id":358906504,"uuid":"1243489314","full_name":"jamesgober/key-vault","owner":"jamesgober","description":"Enterprise-grade key management vault for Rust. 9-layer defense-in-depth: fragmentation, decoy bytes, codex transform, mlock + zeroize, constant-time ops, security monitoring. Pluggable key fetchers (TPM, keychain, file, env). Sub-microsecond access. REPS-compliant.","archived":false,"fork":false,"pushed_at":"2026-05-19T14:19:24.000Z","size":73,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-19T17:23:12.334Z","etag":null,"topics":["cryptography","encryption","key-management","keychain","keys","reps","rust","secure","security","vault"],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jamesgober.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE-APACHE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-19T11:44:03.000Z","updated_at":"2026-05-19T14:32:16.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/jamesgober/key-vault","commit_stats":null,"previous_names":["jamesgober/key-vault"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/jamesgober/key-vault","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jamesgober%2Fkey-vault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jamesgober%2Fkey-vault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jamesgober%2Fkey-vault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jamesgober%2Fkey-vault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jamesgober","download_url":"https://codeload.github.com/jamesgober/key-vault/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jamesgober%2Fkey-vault/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35260671,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-08T02:00:06.796Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cryptography","encryption","key-management","keychain","keys","reps","rust","secure","security","vault"],"created_at":"2026-07-08T10:01:44.646Z","updated_at":"2026-07-08T10:01:45.545Z","avatar_url":"https://github.com/jamesgober.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003e\n    \u003cimg width=\"99\" alt=\"Rust logo\" src=\"https://raw.githubusercontent.com/jamesgober/rust-collection/72baabd71f00e14aa9184efcb16fa3deddda3a0a/assets/rust-logo.svg\"\u003e\n    \u003cbr\u003e\n    \u003cb\u003ekey-vault\u003c/b\u003e\n    \u003cbr\u003e\n    \u003csub\u003e\n        \u003csup\u003eENTERPRISE-GRADE KEY MANAGEMENT VAULT\u003c/sup\u003e\n    \u003c/sub\u003e\n\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n    \u003ca href=\"https://crates.io/crates/key-vault\"\u003e\u003cimg src=\"https://img.shields.io/crates/v/key-vault.svg\" alt=\"Crates.io\"\u003e\u003c/a\u003e\n    \u003ca href=\"https://crates.io/crates/key-vault\"\u003e\u003cimg alt=\"downloads\" src=\"https://img.shields.io/crates/d/key-vault?color=%230099ff\"\u003e\u003c/a\u003e\n    \u003ca href=\"https://docs.rs/key-vault\"\u003e\u003cimg src=\"https://docs.rs/key-vault/badge.svg\" alt=\"Documentation\"\u003e\u003c/a\u003e\n    \u003ca href=\"https://github.com/jamesgober/key-vault/actions/workflows/ci.yml\"\u003e\u003cimg alt=\"CI\" src=\"https://github.com/jamesgober/key-vault/actions/workflows/ci.yml/badge.svg\"\u003e\u003c/a\u003e\n    \u003ca href=\"https://github.com/rust-lang/rfcs/blob/master/text/2495-min-rust-version.md\" title=\"MSRV\"\u003e\u003cimg alt=\"MSRV\" src=\"https://img.shields.io/badge/MSRV-1.85%2B-blue\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n    \u003cb\u003e9-Layer Defense-in-Depth In-Memory Key Storage for Rust\u003c/b\u003e\n    \u003cbr\u003e\n    \u003ci\u003eFragmentation + decoy bytes + codex transform + mlock + zeroize + constant-time + monitoring + audit + page protection.\u003c/i\u003e\n\u003c/p\u003e\n\n\u003cbr\u003e\n\n\u003cp\u003e\n    \u003cstrong\u003ekey-vault\u003c/strong\u003e is an enterprise-grade key management vault built to keep cryptographic key material safe in memory while your application is running. Built from the ground up with a \u003cb\u003e9-layer defense-in-depth philosophy\u003c/b\u003e, it combines hardware-rooted acquisition, memory page locking, fragmentation with self-referential decoy bytes, codex transformation, zero-on-drop, constant-time operations, security event monitoring, and audit logging to make memory-resident keys hard to extract via memory analysis, scraping, or forensic recovery.\n\u003c/p\u003e\n\n\u003cp\u003e\n    Unlike libraries that hand you a \u003ccode\u003eVec\u0026lt;u8\u0026gt;\u003c/code\u003e and trust you not to leak it, \u003cstrong\u003ekey-vault\u003c/strong\u003e wraps key material in opaque \u003ccode\u003eKeyHandle\u003c/code\u003e references. The actual bytes never live contiguously in memory after the vault initializes; they're split into variable-size fragments scattered across non-contiguous mlock'd allocations, interleaved with self-referential decoy bytes that statistically match the key's entropy profile, optionally transformed through a codex layer, and reassembled only when explicitly requested in protected scopes. The temporary contiguous copy auto-zeroizes when dropped.\n\u003c/p\u003e\n\n\u003cp\u003e\n    \u003cstrong\u003ekey-vault\u003c/strong\u003e ships with multiple \u003cb\u003efragment strategies\u003c/b\u003e (standard, interleaved, random, layered composition), \u003cb\u003edecoy strategies\u003c/b\u003e (random, self-referential, key-derived), pluggable \u003cb\u003ekey fetchers\u003c/b\u003e (TPM 2.0 hardware, OS keychains, encrypted files, environment variables), and an \u003cb\u003eextensible security monitor\u003c/b\u003e for failure detection and anomaly alerting. Master key recovery, atomic key rotation, multi-key vaults, and \u003cb\u003eTEE detection\u003c/b\u003e are built in. \u003cb\u003ePost-quantum\u003c/b\u003e safe symmetric defaults (256-bit minimum) future-proof you against the next decade of cryptographic landscape changes.\n\u003c/p\u003e\n\n\n\u003chr\u003e\n\u003cbr\u003e\n\n\n\n## 9-Layer Defense Architecture\n\nThe complete defense stack:\n\n| Layer | Defense | Defends Against |\n|-------|---------|-----------------|\n| **1** | **Secure Acquisition** (TPM, Keychain, etc.) | Untrusted key sources |\n| **2** | **Memory Page Locking** (mlock / VirtualLock) | Swap files, hibernation |\n| **3** | **Fragment Strategy** (variable chunks, shuffle) | Pattern recognition, memory scraping |\n| **4** | **Decoy Bytes** (self-referential filler) | Entropy/frequency analysis |\n| **5** | **Codex Transformation** (byte swap) | Memory dump analysis |\n| **6** | **Constant-Time Operations** | Timing side-channels |\n| **7** | **Zero-On-Drop** | Use-after-free leakage |\n| **8** | **Security Monitor** (failure detection) | Brute-force, anomalous access |\n| **9** | **Audit Logging** | Forensic trail, compliance |\n| **10** | (Bonus) Page Protection Toggling | Snapshot attacks |\n\n**Full details:** see [docs/SECURITY.md](docs/SECURITY.md) for the comprehensive security architecture.\n\n**Visual walkthrough:** see [docs/TRANSFORMATION.md](docs/TRANSFORMATION.md) for a step-by-step trace of what happens to a key as it passes through all the layers.\n\n\u003cbr\u003e\n\n### Performance targets (1.0 design — verified in 0.10.0)\n\nMeasured numbers from the reference machine (see [docs/PERFORMANCE.md](docs/PERFORMANCE.md) for methodology and the full result tables):\n\n| Target | Measured | Status |\n|--------|----------|--------|\n| Vault construction (empty) | ~165 ns | ✅ |\n| `with_key` defrag, no codex, 16/32/64/256 B | 31 / 39 / 51 / 147 ns | ✅ all under 500 ns |\n| `with_key` defrag, with codex, 16/32/64/256 B | 48 / 72 / 126 / 439 ns | ✅ all under 1 µs |\n| Concurrent reads, 1 → 64 threads | scales out, no contention | ✅ lock-free |\n| Memory overhead per key (Linux 1000-key RSS) | ~5 KiB | ✅ under 16 KiB |\n| Allocations per `with_key` (default `NoAudit`) | **0** (dhat-measured over 100k iterations) | ✅ zero-alloc hot path |\n\nRun `cargo bench --all-features` to reproduce on your hardware.\n\n\n\u003cbr\u003e\n\n\n## Quick start\n\n```toml\n[dependencies]\nkey-vault = \"1.0\"\n```\n\n```rust\nuse key_vault::{DynamicCodex, KeyVaultBuilder, RawKey, SelfReferenceDecoy};\nuse key_vault::tee::detect_tee_capabilities;\n\n// Build a vault with the full default stack: Layer 2 (mlock/VirtualLock)\n// + Layer 3 (StandardFragmenter) + Layer 4 (SelfReferenceDecoy — the\n// strongest decoy) + Layer 5 (per-vault DynamicCodex involution)\n// + Layer 6 (ConstantTimeEq) + Layer 7 (zero-on-drop).\nlet vault = KeyVaultBuilder::new()\n    .normalize_with_blake3(true) // default\n    .with_codex(DynamicCodex::new().expect(\"codex\"))\n    .with_decoy(SelfReferenceDecoy)\n    .build();\n\n// Hand the vault some key material and get back an opaque, scattered,\n// mlock'd, zeroed-on-drop representation with decoy chunks mixed in.\nlet raw = RawKey::new(b\"my application key\".to_vec());\nlet frags = vault.fragment(\u0026raw).expect(\"fragment\");\n\n// Reassemble when you need to use it. With BLAKE3 normalization on,\n// the recovered bytes are the 32-byte hash of the input.\nlet recovered = vault.defragment(\u0026frags).expect(\"defragment\");\nassert_eq!(recovered.len(), 32);\n\n// Snapshot the host's TEE capabilities at startup:\nlet caps = detect_tee_capabilities();\nprintln!(\"{caps}\");\n```\n\n\u003chr\u003e\n\n\n## Threat model\n\nkey-vault is designed to defend against:\n\n- **Memory scraping by attackers with read access** — malware, forensic tools\n- **Forensic memory analysis** — swap files, hibernation files, crash dumps\n- **Statistical pattern recognition** — entropy analysis, frequency analysis\n- **Use-after-free leakage** — keys persisting after they should have been wiped\n- **Brute-force decryption attempts** — failed attempts trigger alerts\n- **Timing side-channels** — constant-time operations\n- **Insider threats / forensic compliance** — full audit trail\n\nIt does NOT defend against:\n\n- **Code execution within your process** — an attacker who can call your reassembly logic\n- **Hardware-level memory access (DMA attacks)** — use IOMMU + hardware mitigations\n- **Cold-boot attacks** — use full disk encryption + power-down protocol\n- **Side-channel attacks on cryptographic operations** — that's crypt-io's job\n- **Quantum computer attacks on asymmetric crypto** — use post-quantum algorithms (symmetric defaults are PQ-safe)\n\nSee [docs/SECURITY.md](docs/SECURITY.md) for the full threat model.\n\n---\n\n## Documentation\n\n- **[docs/API.md](docs/API.md)** — Full public-API reference (every type, function, and method with examples)\n- **[docs/SECURITY.md](docs/SECURITY.md)** — Comprehensive 9-layer security architecture\n- **[docs/TRANSFORMATION.md](docs/TRANSFORMATION.md)** — Visual walkthrough of key transformation\n- **[docs/release/](docs/release/)** — Per-version release notes\n- **[CHANGELOG.md](CHANGELOG.md)** — Full change log (Keep a Changelog format)\n\n---\n\n## Standards\n\n- **REPS** (Rust Efficiency \u0026 Performance Standards) governs every decision. See [REPS.md](REPS.md).\n- **MSRV:** Rust 1.85.\n- **Edition:** 2024.\n- **Cross-platform:** Linux, macOS, Windows.\n\n---\n\n## License\n\nDual-licensed under either of:\n\n- Apache License, Version 2.0 ([LICENSE-APACHE](LICENSE-APACHE))\n- MIT License ([LICENSE-MIT](LICENSE-MIT))\n\nat your option.\n\n### Contribution\n\nUnless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.\n\n\n\n\u003c!-- FOOT COPYRIGHT\n################################################# --\u003e\n\u003cdiv align=\"center\"\u003e\n  \u003ch2\u003e\u003c/h2\u003e\n  \u003csup\u003eCOPYRIGHT \u003csmall\u003e\u0026copy;\u003c/small\u003e 2026 \u003cstrong\u003eJAMES GOBER.\u003c/strong\u003e\u003c/sup\u003e\n\u003c/div\u003e","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjamesgober%2Fkey-vault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjamesgober%2Fkey-vault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjamesgober%2Fkey-vault/lists"}