Struct EncryptedBlobStore 

pub struct EncryptedBlobStore { /* private fields */ }

Encrypted blob store that uses epoch-scoped keys for encryption.

Blobs are encrypted with the active epoch’s key at insertion time. The epoch ID, nonce, and AAD are recorded in BlobInfo so the correct key can be resolved at decryption time.

If the epoch has expired or is missing, decryption fails closed.

Implementations

impl EncryptedBlobStore

pub fn new(key_manager: KeyEpochManager) -> Self

Create a new blob store backed by the given key manager.

pub fn put( &mut self, blob_id: BlobId, plaintext: &[u8], ) -> Result<BlobInfo, SecureStoreError>

Encrypt plaintext with the active epoch key and store it.

Returns the BlobInfo needed to later decrypt the blob.

Errors

• SecureStoreError::NoActiveEpoch if no epoch is active.
• SecureStoreError::CryptoError if encryption fails.

pub fn get(&self, blob_info: &BlobInfo) -> Result<Vec<u8>, SecureStoreError>

Decrypt and return the plaintext for a previously stored blob.

The blob_info provides the epoch ID, nonce, and AAD needed for decryption. The epoch’s key must still be available (not expired).

Errors

• SecureStoreError::EpochExpired if the epoch has expired.
• SecureStoreError::EpochNotFound if the epoch does not exist.
• SecureStoreError::StorageError if the blob is not found.
• SecureStoreError::CryptoError if decryption fails.

pub fn remove(&mut self, blob_id: &BlobId) -> Result<(), SecureStoreError>

Remove a blob from the store.

Errors

• SecureStoreError::StorageError if the blob does not exist.

pub fn key_manager(&self) -> &KeyEpochManager

Access the underlying key manager.

pub fn key_manager_mut(&mut self) -> &mut KeyEpochManager

Mutable access to the underlying key manager (for rotation/expiry).