# ADR-026: Application-managed key ring

## Status

Accepted

## Context

Encryption keys need management — storage, rotation, version tracking. The storage package could manage key rings internally or leave this to the consuming application.

## Decision

The storage package provides `encrypt()`, `decrypt()`, and `generateEncryptionKey()` but does NOT manage the key ring. The consuming application stores keys in a secure location, loads them at startup, and passes the appropriate key based on `keyVersion`. Key rotation (decrypt with old key, re-encrypt with current key) is an application-level workflow.

## Consequences

- Storage package doesn't need to know about deployment infrastructure
- Key management policies are application-specific
- Encryption primitives are testable without a key ring implementation
- Key rotation is an application concern, not a storage concern

## References

- [encrypted-data.md](../encrypted-data.md)