Expand description
§Secure Message Channel
AES-256-GCM + HMAC-SHA256 encrypted IPC channel with
automatic key rotation, replay protection, and a generic
SecureMessage::Struct<T> envelope for adding routing
headers. The Channel::Struct aggregator + giant impl
lives in Channel.rs (tightly-coupled cluster); the
per-key state, the encrypted-message DTO, the stats DTO,
and the secure-message wrapper each live in their own
sibling.
Modules§
- Channel
Channel::Struct- AES-256-GCM + HMAC-SHA256 secure message channel with automatic key rotation and replay protection. The struct + 18-method impl + Clone + utility impl stay in one file - tightly coupled cluster.- Encrypted
Message - Serialised encrypted-message envelope - key id (so decryption can find the right key during rotation), nonce, AES-256-GCM ciphertext, HMAC tag, and a millisecond timestamp used for replay-window enforcement.
- Encryption
Key - Wrapper around
ring::aead::LessSafeKeyplus metadata - creation timestamp, random key id, and a usage counter the channel bumps on each encrypt. Private constructors are exposed viapub(super)so the channel can manage rotation while keeping callers out of the raw key material. - Secure
Message - Generic encrypted-message wrapper carrying additional
routing headers and a protocol version. The phantom
Tis the original plaintext type; the wrapper itself serialises only the encrypted envelope + headers + version. - Security
Config - Tunables for the secure-message channel - encryption / HMAC algorithm, key-rotation cadence, nonce / tag sizes, and the maximum allowed message size (DOS guard).
- Security
Stats - Snapshot of the channel’s current key, age, usage count, number of retained previous keys, and the active config.