tasks: mark vault/key-versioning-rotation completed
@@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
id: vault/key-versioning-rotation
|
id: vault/key-versioning-rotation
|
||||||
name: Implement version-indexed encryption key paths, bump CURRENT_KEY_VERSION to 2, and add rotate method
|
name: Implement version-indexed encryption key paths, bump CURRENT_KEY_VERSION to 2, and add rotate method
|
||||||
status: pending
|
status: completed
|
||||||
depends_on: [vault/irpc-removal]
|
depends_on: [vault/irpc-removal]
|
||||||
scope: moderate
|
scope: moderate
|
||||||
risk: medium
|
risk: medium
|
||||||
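Review bot: On the `status:` line, the task moves from `pending` to `completed` while `depends_on: [vault/irpc-removal]` stays as unchanged context, and nothing in this diff shows the state of that dependency. Confirm that `vault/irpc-removal` is itself marked completed, so the task graph does not show a completed task resting on an open dependency.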
@@ -124,4 +124,11 @@ decrypt, rotate, derive_encryption_key_for_version), and possibly `derivation.rs
|
|||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
> To be filled on completion
|
Bumped `CURRENT_KEY_VERSION` to 2 (HD-derived per ADR-020). Added
|
||||||
|
`encryption_path_for_version` in derivation.rs (v2 → `m/74'/2'/0'/0'`, v3 →
|
||||||
|
`m/74'/2'/0'/1'`, rejects version < 2). Added `derive_encryption_key_for_version`
|
||||||
|
+ version-aware `encrypt`/`decrypt` + `rotate` method on `VaultServiceHandle`
|
||||||
|
(ADR-021). Each version maps to a distinct derivation path; the blob carries
|
||||||
|
its own version. 68 lib + 14 integration tests pass; clippy clean. Merged to
|
||||||
|
develop (resolved conflicts with remove-password-derivation and
|
||||||
|
poisoned-lock-recovery).
|
||||||
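Review bot: The `encryption_path_for_version` sentence in the new Summary documents v2 and v3 and "rejects version < 2", but leaves two cases unstated: a version above 3, and blobs written before `CURRENT_KEY_VERSION` was bumped to 2. Add a sentence saying whether an unmapped higher version is an error and how pre-v2 blobs are handled (migrated beforehand, or intentionally unreadable). Because "the blob carries its own version" and each version maps to a distinct derivation path, the Summary should also record whether that version field is authenticated along with the ciphertext, and whether `rotate` re-encrypts existing blobs or only changes the version used for new writes.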