SigilGuard.Vault.InMemory
(SigilGuard v0.2.0)
ETS-backed in-memory vault using AES-256-GCM encryption.
Suitable for development, testing, and single-node deployments.
Entries live in a private ETS table owned by the vault process and
are lost when it stops — no entry survives a restart, with or
without a configured master key. For durable secrets, implement
SigilGuard.Vault against persistent storage.
Usage
# Start the vault (automatically creates ETS table)
{:ok, _pid} = SigilGuard.Vault.InMemory.start_link([])
# Store a secret
{:ok, vault_id} = SigilGuard.Vault.InMemory.encrypt("my-secret", "API key")
# Retrieve it
{:ok, "my-secret"} = SigilGuard.Vault.InMemory.decrypt(vault_id)
Encryption
Each entry is encrypted with AES-256-GCM using a per-entry random IV.
The key is taken from the :master_key start option, then the
:vault_master_key application env (base64-encoded 32 bytes), and
otherwise randomly generated at startup:
config :sigil_guard, :vault_master_key, "base64-encoded-32-byte-key"
A configured key gives you stable key material across restarts; it does not make the (in-memory) entries themselves persistent.
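The scheme described above (a 32-byte key decoded from base64, a fresh random IV per entry, GCM authentication), sketched with OTP's :crypto as an added example. This is not SigilGuard's source: the module GcmEntrySketch, its function names, the IV/tag/ciphertext layout and the associated data are assumptions made for illustration.

```elixir
# Added illustration, not SigilGuard source. All names here are hypothetical.
defmodule GcmEntrySketch do
  @aad "vault-entry" # constructed associated data, bound into the GCM tag

  # Decode a base64 master key and insist on exactly 32 bytes (AES-256).
  def load_key(b64) do
    case Base.decode64(b64) do
      {:ok, <<key::binary-size(32)>>} -> {:ok, key}
      {:ok, _other} -> {:error, :bad_key_length}
      :error -> {:error, :bad_base64}
    end
  end

  # Fresh 96-bit IV per entry: GCM's guarantees fail if an IV repeats under one key.
  def seal(key, plaintext) do
    iv = :crypto.strong_rand_bytes(12)
    {ct, tag} = :crypto.crypto_one_time_aead(:aes_256_gcm, key, iv, plaintext, @aad, true)
    iv <> tag <> ct
  end

  # Assumed layout: 12-byte IV, 16-byte tag, then ciphertext.
  def open(key, <<iv::binary-size(12), tag::binary-size(16), ct::binary>>) do
    case :crypto.crypto_one_time_aead(:aes_256_gcm, key, iv, ct, @aad, tag, false) do
      :error -> {:error, :decrypt_failed}
      plaintext -> {:ok, plaintext}
    end
  end

  def open(_key, _blob), do: {:error, :malformed}
end

# Constructed key, generated the way a deployment would before base64-encoding it.
key_b64 = Base.encode64(:crypto.strong_rand_bytes(32))
{:ok, key} = GcmEntrySketch.load_key(key_b64)

# Same plaintext sealed twice yields different blobs because the IV differs.
a = GcmEntrySketch.seal(key, "my-secret")
b = GcmEntrySketch.seal(key, "my-secret")
true = a != b
{:ok, "my-secret"} = GcmEntrySketch.open(key, a)

# Flip one bit of the first ciphertext byte: the tag check rejects the entry.
<<head::binary-size(28), byte, rest::binary>> = a
tampered = <<head::binary, Bitwise.bxor(byte, 1), rest::binary>>
{:error, :decrypt_failed} = GcmEntrySketch.open(key, tampered)

# A key that decodes to the wrong length is refused instead of padded or truncated.
{:error, :bad_key_length} = GcmEntrySketch.load_key(Base.encode64("short"))
```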
Process Model
start_link/1 registers a singleton GenServer under
SigilGuard.Vault.InMemory — one vault per node. Supervise it in your
application's tree; the SigilGuard.Vault callbacks exit if it is
not running.
Functions
Returns a specification to start this module under a supervisor.
See Supervisor.
@spec delete(SigilGuard.Vault.vault_id()) :: :ok | {:error, :not_found}
Delete a vault entry by ID.
@spec list_entries() :: [{SigilGuard.Vault.vault_id(), String.t()}]
List all vault entry IDs with their descriptions (not plaintext).
@spec start_link(keyword()) :: GenServer.on_start()
Start the in-memory vault GenServer.