Welcome to the comprehensive documentation for the Crypto module. This module provides a robust, security-first set of cryptographic primitives designed for standalone extraction and use.
- Architecture & Design Principles
- Password Hashing
- Reversible Encryption
- HKDF Key Derivation
- Key Rotation
- Security Model
The Crypto module is built on the following core principles:
- Security First: Defaults are secure. The module explicitly forbids weak algorithms or insecure configurations.
- Fail-Closed: Any error in a cryptographic operation (e.g., missing key, invalid ciphertext, tampering detection) results in an exception. There are no silent failures.
- Domain Separation: Extensive use of HKDF ensures that keys used for one purpose cannot be reused for another, limiting the blast radius of a potential key compromise.
- Stateless Operations: The module relies entirely on injected secrets and configuration. It does not maintain internal state or persist data.
- Explicit Configuration: Everything, from context strings to key versions, must be explicitly defined. Implicit behavior is avoided.