barrel_keyprovider_env (barrel_crypto v1.0.0)
View SourceBuilt-in key provider: per-database keys from one master secret in the environment.
Master secret sources, first hit wins: the BARREL_ENCRYPTION_KEY environment variable, then the {barrel_crypto, encryption_key} application config. Accepted forms: 32 raw bytes (used as key material directly), 64 hex characters (decoded first), anything else is a passphrase. In every form the per-database key is HKDF-SHA256(master, salt, <<"barrel_db:", Keyspace>>): one secret yields a distinct key per database, and a branch derives its parent's key because it shares the parent's keyspace.