Raxol.Security.Encryption.KeyManager (Raxol v2.0.1)

Manages encryption keys for at-rest data encryption.

This module provides secure key generation, storage, rotation, and retrieval for encrypting sensitive data. It supports multiple encryption algorithms and key derivation functions.

Features

  • Master key encryption with key derivation
  • Data encryption keys (DEK) with automatic rotation
  • Key encryption keys (KEK) for wrapping DEKs
  • Hardware Security Module (HSM) support
  • Key versioning and migration
  • Audit logging for all key operations
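The feature list above describes envelope encryption: a key encryption key (KEK) wraps data encryption keys (DEKs), data is encrypted under a DEK, and rotating the KEK to a new version re-wraps the DEK without re-encrypting the data. The module below is an added, stand-alone illustration of that scheme written against Erlang's `:crypto` module; it is not Raxol's code, and every name in it (`EnvelopeDemo`, `wrap_dek`, `rotate_kek`, the version map, the sample record) is a constructed assumption for the demo. Unlike the real `KeyManager`, it keeps the KEK material in a plain map so the flow can be read in one place.

```elixir
defmodule EnvelopeDemo do
  @moduledoc false
  # Hypothetical illustration of envelope encryption with key versioning.
  # A versioned KEK wraps a DEK, the DEK encrypts data, and rotating the
  # KEK re-wraps the DEK while the data ciphertext is left untouched.

  @aead :aes_256_gcm
  @iv_bytes 12
  @tag_bytes 16

  # 256 bits of random key material. A real key manager would keep KEK
  # bytes inside its process state or an HSM and never hand them out.
  def generate_key, do: :crypto.strong_rand_bytes(32)

  # AES-256-GCM seal. The AAD binds the ciphertext to a key id/version so a
  # blob cannot be decrypted under, or silently attributed to, another key.
  # Layout: iv || tag || ciphertext.
  def seal(key, plaintext, aad) do
    iv = :crypto.strong_rand_bytes(@iv_bytes)
    {ct, tag} = :crypto.crypto_one_time_aead(@aead, key, iv, plaintext, aad, @tag_bytes, true)
    iv <> tag <> ct
  end

  # Authenticated open; any change to key, AAD, iv, tag or ciphertext fails.
  def open(key, blob, aad) do
    <<iv::binary-size(@iv_bytes), tag::binary-size(@tag_bytes), ct::binary>> = blob

    case :crypto.crypto_one_time_aead(@aead, key, iv, ct, aad, tag, false) do
      :error -> {:error, :auth_failed}
      plaintext -> {:ok, plaintext}
    end
  end

  # KEK store: %{version => kek_bytes}. Latest is the highest version.
  def new_kek_store, do: %{1 => generate_key()}
  def latest_version(keks), do: keks |> Map.keys() |> Enum.max()

  # Wrap a DEK under the latest KEK; the record carries the KEK version
  # used so unwrap can find the right key after a rotation.
  def wrap_dek(keks, dek) do
    v = latest_version(keks)
    %{kek_version: v, blob: seal(Map.fetch!(keks, v), dek, "kek:v#{v}")}
  end

  def unwrap_dek(keks, %{kek_version: v, blob: blob}) do
    open(Map.fetch!(keks, v), blob, "kek:v#{v}")
  end

  # Rotation adds a new KEK version. Old versions are retained so DEKs
  # wrapped under them stay readable until they have been re-wrapped.
  def rotate_kek(keks), do: Map.put(keks, latest_version(keks) + 1, generate_key())

  # Re-wrap an existing DEK under the latest KEK (the re-encrypt step for
  # wrapped keys). The data encrypted with the DEK does not change.
  def rewrap_dek(keks, wrapped) do
    with {:ok, dek} <- unwrap_dek(keks, wrapped), do: {:ok, wrap_dek(keks, dek)}
  end

  # Walk through generate -> wrap -> encrypt -> rotate -> rewrap -> decrypt.
  def demo do
    keks = new_kek_store()
    dek = generate_key()
    wrapped_v1 = wrap_dek(keks, dek)
    # Constructed sample record; the AAD names the DEK the data belongs to.
    ciphertext = seal(dek, "constructed sample record", "dek:orders")

    keks = rotate_kek(keks)
    {:ok, wrapped_v2} = rewrap_dek(keks, wrapped_v1)
    {:ok, dek_again} = unwrap_dek(keks, wrapped_v2)
    {:ok, plaintext} = open(dek_again, ciphertext, "dek:orders")

    # Claiming a different key id in the AAD must fail authentication.
    {:error, :auth_failed} = open(dek_again, ciphertext, "dek:other")

    {wrapped_v2.kek_version, plaintext}
  end
end
```

Running `EnvelopeDemo.demo()` in `iex` returns `{2, "constructed sample record"}`: the DEK now sits under KEK version 2 while the data ciphertext produced under version 1 of the store still decrypts. Keeping the old KEK version in the store is what makes the migration safe; deleting it before every wrapped DEK has been re-wrapped would strand that data, which is the reason a key manager marks keys as deleted rather than discarding the material immediately.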

Types

algorithm()

@type algorithm() :: :aes_256_gcm | :aes_256_cbc | :chacha20_poly1305 | :aes_256_ctr

encryption_key()

@type encryption_key() :: %{
  id: key_id(),
  version: key_version(),
  type: key_type(),
  algorithm: algorithm(),
  key_material: binary(),
  created_at: DateTime.t(),
  expires_at: DateTime.t() | nil,
  metadata: map()
}

key_id()

@type key_id() :: String.t()

key_type()

@type key_type() :: :master | :kek | :dek | :signing | :hmac

key_version()

@type key_version() :: pos_integer()

Functions

child_spec(init_arg)

Returns a specification to start this module under a supervisor.

See Supervisor.

decrypt(key_id, ciphertext, version, opts \\ [], key_manager \\ __MODULE__)

Decrypts data using the specified key.

delete_key(key_manager \\ __MODULE__, key_id)

Deletes a key (marks it as deleted; the key material is not removed).

encrypt(key_id, plaintext, opts \\ [], key_manager \\ __MODULE__)

Encrypts data using the specified key.

generate_dek(key_manager \\ __MODULE__, purpose, opts \\ [])

Generates a new data encryption key.

get_key(key_id, version \\ :latest, key_manager \\ __MODULE__)

Gets an encryption key by ID and version.

get_key_metadata(key_manager \\ __MODULE__, key_id)

Gets key metadata without the actual key material.

handle_manager_cast(msg, state)

Callback implementation for Raxol.Core.Behaviours.BaseManager.handle_manager_cast/2.

list_keys(key_manager \\ __MODULE__)

Lists all managed keys (metadata only).

reencrypt(key_manager \\ __MODULE__, key_id, ciphertext, old_version)

Re-encrypts data with a new key version.

rotate_key(key_id, key_manager \\ __MODULE__)

Rotates a key to a new version.

start_link(init_opts \\ [])

unwrap_key(key_manager \\ __MODULE__, wrapped_dek, kek_id)

Unwraps a DEK using a KEK.

wrap_key(key_manager \\ __MODULE__, dek, kek_id)

Wraps a DEK with a KEK for secure storage.