api_key_encryption

API Key Encryption Module

Per-user AES-256-GCM encryption for API keys. Encryption keys are stored in a dedicated SQLite database, protected by a master KEK from environment.

api_key_encryption.ENCRYPTED_PREFIX = 'v2:'

Prefix for encrypted values in Redis. Values without this are legacy plaintext.

async api_key_encryption.get_or_create_user_key(user_id, sqlite_path, master_key)[source]

Load or generate per-user 32-byte key; persist encrypted in SQLite.

Return type:

bytes

Parameters:
api_key_encryption.encrypt(plaintext, key)[source]

AES-256-GCM encrypt with random nonce; return base64 string with v2 prefix.

Return type:

str

Parameters:
api_key_encryption.decrypt(ciphertext, key)[source]

Decrypt base64-encoded ciphertext (with optional v2 prefix).

Return type:

str

Parameters:
api_key_encryption.get_pool_key(master_key)[source]

Derive pool encryption key via PBKDF2-HMAC-SHA256.

Return type:

bytes

Parameters:

master_key (bytes)

api_key_encryption.resolve_master_key()[source]

Load master KEK from API_KEY_MASTER_KEY env var (base64, 32 bytes).

Return type:

bytes | None

api_key_encryption.is_encrypted(value)[source]

Return True if value has the encrypted prefix.

Return type:

bool

Parameters:

value (str)

api_key_encryption.api_key_hash(api_key)[source]

SHA-256 hex digest for pool lookup (deterministic, avoids storing plaintext as key).

Return type:

str

Parameters:

api_key (str)