Expand description
§Encryption of the private meta-post section
The private half of a crate::client::meta_post::meta_post::MetaPostV1
(feedback thresholds, warning toggles, anything the account holder doesn’t want
public) is symmetric-encrypted with a key derived from the account’s own private
signing key: sig = sign(signature_key, constant) then key = blake3(sig).
Because signing requires the private key, only the account holder can recover the
symmetric key; because the key is deterministic, every device that unlocks the same
crate::tools::keys::Keys derives the same key and can read/write the same
private section. No key exchange, no on-network secrets.
The encrypt_private_section / decrypt_private_section pair here is the only
place this derivation happens.
Functions§
- decrypt_
private_ section - Decrypt a hex-encoded string back into a
MetaPostPrivateV1. - derive_
meta_ post_ encryption_ key - Derive a 32-byte symmetric encryption key by signing a well-known constant concatenated with the provided salt, then hashing the signature with blake3.
- encrypt_
private_ section - Encrypt a
MetaPostPrivateV1into a hex-encoded string.