gemstone_utils.key_mgmt
KEK derivation, wrap/unwrap, passphrase loading, and rotation helpers.
- exception gemstone_utils.key_mgmt.KEKVerificationError(secret_name, last_updated_iso)
Bases: ValueError
Raised when a derived KEK fails KEK-check decryption.
- gemstone_utils.key_mgmt.derive_and_verify_kek(passphrase, kdf_params, kek_check_record, last_updated=None)
Derive a KEK and verify it against the KEK-check record.
- Parameters:
- Returns:
Verified KEK bytes.
- Raises:
KEKVerificationError – If the check blob does not decrypt correctly.
ValueError – If KDF params are invalid.
- Return type:
- gemstone_utils.key_mgmt.init(secret_name, check_plaintext, env_allowed=False, env_var_name=None)
Configure module-level key management settings.
Must be called before make_kek_check_record, verify_kek, or load_passphrase.
- Parameters:
secret_name (str) – Name passed to resolve_secret("secret:...").
check_plaintext (bytes) – Fixed plaintext bytes encrypted into the KEK-check blob.
env_allowed (bool) – Whether to fall back to env: when the secret mount fails.
env_var_name (str | None) – Environment variable name for fallback (defaults to secret_name).
- Return type:
None
- gemstone_utils.key_mgmt.load_keyctx(kek, record)
Build a KeyContext from a KEK and a DEK KeyRecord.
- Parameters:
- Returns:
KeyContext with the unwrapped key and metadata from record.
- Raises:
ValueError – If record is a KEK-check record.
- Return type:
- gemstone_utils.key_mgmt.load_passphrase()
Load the vault passphrase via resolve_secret.
Tries secret:{SECRET_NAME}, then env:{ENV_VAR_NAME} when ENV_ALLOWED is true.
- Returns:
Passphrase string.
- Raises:
RuntimeError – If init() was not called.
ValueError – If neither configured source resolves.
- Return type:
- gemstone_utils.key_mgmt.make_kek_check_record(kek, alg='A256GCM')
Build a KEK-check KeyRecord (keyid is None).
- Parameters:
- Returns:
KeyRecord with encrypted CHECK_PLAINTEXT from init().
- Raises:
RuntimeError – If init() was not called.
- Return type:
- gemstone_utils.key_mgmt.recommended_kdf_params(salt=None)
Return params for the library's current recommended KDF.
Today: PBKDF2-HMAC-SHA256 via kdf.pbkdf2.recommended_pbkdf2_params.
- gemstone_utils.key_mgmt.reencrypt_keys(old_kek, new_kek, records, new_alg=None)
Re-wrap DEK records under a new KEK.
- Parameters:
- Returns:
New KeyRecord list with updated ciphertext. KEK-check records (keyid is None) are skipped.
- Return type:
- gemstone_utils.key_mgmt.rotate_kek(old_kek, new_kek, records, new_alg=None)
Rotate the KEK: re-wrap the DEKs and produce a new KEK-check record.
- Parameters:
- Returns:
Tuple (new_kek_check_record, updated_dek_records).
- Return type:
- gemstone_utils.key_mgmt.unwrap_key(kek, record)
Decrypt a DEK from a wrapped KeyRecord.
- Parameters:
- Returns:
Unwrapped key bytes.
- Raises:
ValueError – If record is a KEK-check record.
- Return type:
- gemstone_utils.key_mgmt.verify_kek(kek, record, last_updated=None)
Verify that kek decrypts the KEK-check record.
- Parameters:
- Raises:
ValueError – If record is not a KEK-check record.
RuntimeError – If init() was not called.
KEKVerificationError – If decryption does not yield CHECK_PLAINTEXT.
- Return type:
None
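The workflow these functions describe (derive a KEK from a passphrase with PBKDF2-HMAC-SHA256, encrypt a fixed check plaintext into a keyid-less check record, verify a candidate KEK against it before touching any DEK, then rotate by re-wrapping DEKs while skipping check records) as one stand-alone added example. This is not gemstone_utils code: it re-implements the pattern with only the Python standard library, and because the standard library has no AES-GCM, it substitutes a clearly labelled HMAC-SHA256 encrypt-then-MAC stand-in for the library's A256GCM. The KeyRecord fields, the check plaintext, the salt and the secret name are constructed for the example.

```python
# Added example (not the library's code): KEK check, wrap/unwrap and rotation
# using only the standard library. The AEAD below is a teaching stand-in for
# A256GCM, which the real module uses; the key-management pattern is the point.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

CHECK_PLAINTEXT = b"gemstone-kek-check-v1"   # constructed; the module takes this from init()
SECRET_NAME = "vault-passphrase"              # constructed; the module takes this from init()


class KEKVerificationError(ValueError):
    """Raised when a derived KEK fails KEK-check decryption."""

    def __init__(self, secret_name: str, last_updated_iso: Optional[str] = None):
        super().__init__(f"KEK check failed for {secret_name!r} (last updated {last_updated_iso})")
        self.secret_name = secret_name
        self.last_updated_iso = last_updated_iso


@dataclass(frozen=True)
class KeyRecord:
    keyid: Optional[str]   # None marks a KEK-check record, as in the module docs
    alg: str
    nonce: bytes
    ciphertext: bytes      # ciphertext followed by a 32-byte tag


def derive_kek(passphrase: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """PBKDF2-HMAC-SHA256, the KDF the module currently recommends."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=32)


def _keystream(enc_key: bytes, length: bytes) -> bytes:
    blocks = (len(length) + 31) // 32
    return b"".join(hmac.new(enc_key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:len(length)]


def _seal(kek: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Stand-in AEAD: per-nonce encryption and MAC subkeys, XOR keystream, then HMAC tag.
    enc = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    mac = hmac.new(kek, b"mac" + nonce, hashlib.sha256).digest()
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc, plaintext)))
    return ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def _open(kek: bytes, nonce: bytes, blob: bytes) -> bytes:
    enc = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    mac = hmac.new(kek, b"mac" + nonce, hashlib.sha256).digest()
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")   # wrong KEK or tampered record
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc, ct)))


def wrap_key(kek: bytes, dek: bytes, keyid: str, alg: str = "STANDIN-ETM") -> KeyRecord:
    nonce = os.urandom(12)
    return KeyRecord(keyid, alg, nonce, _seal(kek, nonce, dek))


def unwrap_key(kek: bytes, record: KeyRecord) -> bytes:
    if record.keyid is None:
        raise ValueError("record is a KEK-check record, not a wrapped DEK")
    return _open(kek, record.nonce, record.ciphertext)


def make_kek_check_record(kek: bytes, alg: str = "STANDIN-ETM") -> KeyRecord:
    nonce = os.urandom(12)
    return KeyRecord(None, alg, nonce, _seal(kek, nonce, CHECK_PLAINTEXT))


def verify_kek(kek: bytes, record: KeyRecord, last_updated: Optional[str] = None) -> None:
    if record.keyid is not None:
        raise ValueError("record is not a KEK-check record")
    try:
        ok = hmac.compare_digest(_open(kek, record.nonce, record.ciphertext), CHECK_PLAINTEXT)
    except ValueError:
        ok = False
    if not ok:
        raise KEKVerificationError(SECRET_NAME, last_updated)


def rotate_kek(old_kek: bytes, new_kek: bytes,
               records: List[KeyRecord]) -> Tuple[KeyRecord, List[KeyRecord]]:
    """Re-wrap every DEK under new_kek (check records are skipped) and mint a new check record."""
    updated = [wrap_key(new_kek, unwrap_key(old_kek, r), r.keyid, r.alg)
               for r in records if r.keyid is not None]
    return make_kek_check_record(new_kek), updated


if __name__ == "__main__":
    salt = os.urandom(16)
    kek = derive_kek("correct horse battery staple", salt)
    check = make_kek_check_record(kek)
    verify_kek(kek, check)                       # passes before any DEK is touched
    dek_rec = wrap_key(kek, os.urandom(32), "dek-1")
    new_check, rewrapped = rotate_kek(kek, derive_kek("new passphrase", salt), [check, dek_rec])
    print("rotated", len(rewrapped), "DEK record(s); old check record skipped")
```

Verifying the check record first is what lets a wrong passphrase surface as a single KEKVerificationError rather than as a scattering of decryption failures across individual DEK records; the rotation helper relies on the same keyid-is-None convention to leave the old check record out of the re-wrapped set.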