Module keychain

OS keychain integration with encrypted-file fallback.

§Architecture

KeychainBackend is a trait with three operations: set, get, delete. Three concrete implementations live here:

  • KeyringBackend — wraps the keyring crate; active on macOS (Keychain), Windows (Credential Manager), and Linux (Secret Service).
  • FileBackend — AES-256-GCM encrypted secrets.enc sidecar; used when KeyringBackend init fails (headless Linux, CI, locked DBus). Passphrase is supplied by the caller; prompting the user is deferred to the Credential Manager UI in task 18.
  • StubBackend — in-memory HashMap for unit tests; gated behind the test-keyring-stub cargo feature.

§OCP contract

Adding a new backend (e.g. OnePasswordBackend) requires only:

  1. A new struct implementing KeychainBackend.
  2. Optionally, extending select_backend to return it.

No existing code changes.
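
The two steps above as a std-only sketch. This is an added example, not the crate's own code. The trait signatures, the `name` method, `MemoryBackend`, the two constructor functions and `select_first_available` are all assumptions made for illustration, and secrets are plain `String`s for brevity.

```rust
use std::collections::HashMap;

// Assumed trait shape: the page names set/get/delete keyed by profile ID,
// but does not show the signatures.
pub trait KeychainBackend {
    fn set(&mut self, profile_id: &str, secret: &str) -> Result<(), String>;
    fn get(&self, profile_id: &str) -> Result<Option<String>, String>;
    fn delete(&mut self, profile_id: &str) -> Result<(), String>;
    fn name(&self) -> &'static str; // hypothetical, used to show which backend won
}

// Step 1: a hypothetical new backend. Nothing else has to be touched.
#[derive(Default)]
pub struct MemoryBackend {
    entries: HashMap<String, String>,
}

impl KeychainBackend for MemoryBackend {
    fn set(&mut self, profile_id: &str, secret: &str) -> Result<(), String> {
        self.entries.insert(profile_id.to_owned(), secret.to_owned());
        Ok(())
    }
    fn get(&self, profile_id: &str) -> Result<Option<String>, String> {
        Ok(self.entries.get(profile_id).cloned())
    }
    fn delete(&mut self, profile_id: &str) -> Result<(), String> {
        self.entries.remove(profile_id);
        Ok(())
    }
    fn name(&self) -> &'static str { "memory" }
}

// A backend constructor may fail, e.g. OS keychain init on a headless host.
pub type Init = fn() -> Result<Box<dyn KeychainBackend>, String>;

pub fn os_keychain_unavailable() -> Result<Box<dyn KeychainBackend>, String> {
    Err("secret service not reachable".to_owned()) // constructed failure
}
pub fn memory_backend() -> Result<Box<dyn KeychainBackend>, String> {
    Ok(Box::new(MemoryBackend::default()))
}

// Step 2: selection walks an ordered list and returns the first backend
// whose init succeeds; a new backend is one more entry in that list.
pub fn select_first_available(candidates: &[Init]) -> Option<Box<dyn KeychainBackend>> {
    candidates.iter().find_map(|init| init().ok())
}
```

Callers hold only a `Box<dyn KeychainBackend>`, so they are unaffected by which backend the selection returns.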

§Security contract

Secret carries #[serde(skip_serializing)] on every field so it can never be emitted across Tauri IPC by accident. Fields are zeroed in memory on drop via zeroize::ZeroizeOnDrop.

Internal storage (keyring JSON blob, FileBackend map) uses StoredSecret, a private mirror that CAN serialize all fields. The two structs are intentionally separate to enforce the IPC-safe contract on Secret.

Structs§

FileBackend 🔒
Passphrase-encrypted file-based fallback for environments where the OS keychain is unavailable.
FileBackendWithPassphrase
Public file-based keychain backend.
KeyringBackend
Wraps the keyring crate to store one entry per profile.
Secret
AWS / provider credentials stored by a profile.
StoredSecret 🔒
Private mirror of Secret used for serialization inside storage backends. All fields are serialized normally. Never exposed over IPC.

Traits§

KeychainBackend
Backend-agnostic interface for persisting and retrieving credential secrets keyed by profile ID.

Functions§

decrypt_file 🔒
Decrypt a secrets.enc file and return the stored map.
derive_key 🔒
Derive a 32-byte AES-256-GCM key from passphrase using Argon2id.
select_backend
Select the best available keychain backend at runtime.