Module: LocalVault::Identity

Defined in:
lib/localvault/identity.rb

Overview

Manages the user’s X25519 identity keypair for vault sharing and sync.

The keypair is stored in ~/.localvault/keys/:

  • identity.priv (mode 0600) — base64-encoded private key

  • identity.pub (mode 0644) — base64-encoded public key

The public key is published to InventList so others can encrypt key slots for you. The private key never leaves the local machine.

Examples:

Identity.generate!
Identity.public_key       # => "base64..."
Identity.private_key_bytes # => 32 raw bytes
Identity.setup?           # => true (if keypair + token exist)

Class Method Details

.exists? ⇒ Boolean

Check whether both key files exist on disk.

Returns:

  • (Boolean)

    true if both identity.priv and identity.pub exist



# File 'lib/localvault/identity.rb', line 33

def self.exists?
  File.exist?(priv_key_path) && File.exist?(pub_key_path)
end

.generate!(force: false) ⇒ Hash{Symbol => String}

Generate a new X25519 identity keypair and write to disk.

Parameters:

  • force (Boolean) (defaults to: false)

    overwrite an existing keypair if true

Returns:

  • (Hash{Symbol => String})

    :public_key and :private_key as raw bytes

Raises:

  • (RuntimeError)

    when keypair exists and force is false



# File 'lib/localvault/identity.rb', line 42

def self.generate!(force: false)
  raise "Keypair already exists. Use --force to overwrite." if exists? && !force

  Config.ensure_directories!
  kp = Crypto.generate_keypair

  File.write(priv_key_path, Base64.strict_encode64(kp[:private_key]))
  File.chmod(0o600, priv_key_path)
  File.write(pub_key_path, Base64.strict_encode64(kp[:public_key]))
  File.chmod(0o644, pub_key_path)
  kp
end
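
As listed above, generate! writes identity.priv with File.write and only then calls File.chmod, so on first creation the file briefly carries whatever mode the process umask allows. The following is an added example, not LocalVault's own code: a sketch that creates the file exclusively with mode 0600 and then checks the properties this page documents for identity.priv. The helper names write_private_key, private_key_problems and demo are hypothetical, the key is random bytes standing in for an X25519 private key, and the mode of ~/.localvault/keys/ itself is not shown on this page.

```ruby
require "base64"
require "securerandom"
require "tmpdir"

# Create the key file with mode 0600 from the first byte written. File::EXCL
# refuses an existing path (including a planted symlink), so overwriting has
# to be an explicit unlink, mirroring force: true on the page.
def write_private_key(path, raw_key, force: false)
  File.unlink(path) if force && (File.exist?(path) || File.symlink?(path))
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(Base64.strict_encode64(raw_key))
  end
  path
end

# Return a list of violations of what the page documents for identity.priv:
# regular file, mode 0600, strict base64 that decodes to 32 bytes.
def private_key_problems(path)
  st = File.lstat(path)
  return ["not a regular file"] unless st.file?
  problems = []
  mode = st.mode & 0o777
  problems << format("mode is %04o, expected 0600", mode) unless mode == 0o600
  begin
    size = Base64.strict_decode64(File.read(path).strip).bytesize
    problems << "key is #{size} bytes, expected 32" unless size == 32
  rescue ArgumentError
    problems << "not strict base64"
  end
  problems
end

# Constructed demo in a temp dir: a plain File.write under umask 022 versus
# the exclusive 0600 create above. The key is random bytes, not a real identity.
def demo
  old_umask = File.umask(0o022)
  Dir.mktmpdir do |dir|
    key = SecureRandom.random_bytes(32)
    loose = File.join(dir, "loose.priv")
    File.write(loose, Base64.strict_encode64(key)) # state before any chmod
    tight = write_private_key(File.join(dir, "identity.priv"), key)
    { loose: private_key_problems(loose), tight: private_key_problems(tight) }
  end
ensure
  File.umask(old_umask)
end
```

private_key_problems can also be pointed at an existing identity.priv as a read-only audit; it never modifies the file.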

.priv_key_path ⇒ String

Path to the private key file.

Returns:

  • (String)

    absolute path to identity.priv



# File 'lib/localvault/identity.rb', line 23

def self.priv_key_path = File.join(Config.keys_path, "identity.priv")

.private_key_b64 ⇒ String?

Read the private key as a base64-encoded string.

Returns:

  • (String, nil)

    base64 private key, or nil if not generated



# File 'lib/localvault/identity.rb', line 66

def self.private_key_b64
  return nil unless File.exist?(priv_key_path)
  File.read(priv_key_path).strip
end

.private_key_bytes ⇒ String?

Read the private key as raw bytes (decoded from base64).

Returns:

  • (String, nil)

    32 raw bytes, or nil if not generated



# File 'lib/localvault/identity.rb', line 74

def self.private_key_bytes
  b64 = private_key_b64
  b64 ? Base64.strict_decode64(b64) : nil
end

.pub_key_path ⇒ String

Path to the public key file.

Returns:

  • (String)

    absolute path to identity.pub



# File 'lib/localvault/identity.rb', line 28

def self.pub_key_path = File.join(Config.keys_path, "identity.pub")

.public_key ⇒ String?

Read the public key as a base64-encoded string.

Returns:

  • (String, nil)

    base64 public key, or nil if not generated



# File 'lib/localvault/identity.rb', line 58

def self.public_key
  return nil unless File.exist?(pub_key_path)
  File.read(pub_key_path).strip
end

.setup? ⇒ Boolean

Check whether identity is fully configured (keypair exists and token is set).

Returns:

  • (Boolean)

    true if keypair exists and an API token is configured



# File 'lib/localvault/identity.rb', line 82

def self.setup?
  exists? && !Config.token.nil? && !Config.token.empty?
end