barrel_keyprovider behaviour (barrel_crypto v1.0.0)
View SourceKey provider behaviour and dispatcher for Barrel encryption at rest.
A provider maps a database KEYSPACE to a 256-bit key. The keyspace is the identity data is stored under: a timeline branch shares its parent's keyspace, so it resolves the parent's key and can read the checkpointed ciphertext. One logical database resolves one key across all of its stores.
Callers carry an encryption spec, runtime config supplied at each open:
disabled: no encryption (the default)default: the built-inbarrel_keyprovider_envprovider (BARREL_ENCRYPTION_KEY)#{provider := Mod}: a module implementing this behaviour, for KMS or token-derived keys
Resolution is fail closed: a provider error fails the database open.
Summary
Functions
Resolve the key for a keyspace under the given spec. disabled resolves to the atom plaintext; providers must return a 32-byte key. Error terms never carry key material.
Types
-type spec() :: disabled | default | #{provider := module(), _ => _}.