barrel_keyprovider_env (barrel_crypto v1.0.0)

View Source

Built-in key provider: per-database keys from one master secret in the environment.

Master secret sources, first hit wins: the BARREL_ENCRYPTION_KEY environment variable, then the {barrel_crypto, encryption_key} application config. Accepted forms: 32 raw bytes (used as key material directly), 64 hex characters (decoded first), anything else is a passphrase. In every form the per-database key is HKDF-SHA256(master, salt, <<"barrel_db:", Keyspace>>): one secret yields a distinct key per database, and a branch derives its parent's key because it shares the parent's keyspace.

Summary

Functions

key_for_db(Keyspace)

-spec key_for_db(binary()) -> {ok, binary()} | {error, term()}.