Encryption & Signing
Exports can be encrypted with age (X25519 asymmetric or scrypt symmetric) and signed with Ed25519 for integrity verification.
Encryption
| Mode | Algorithm | Use Case |
|---|---|---|
| None | — | Plaintext export |
| Passphrase | scrypt + age | Shared password encryption |
| Recipient | X25519 + age | Public-key encryption for specific recipient |
Digital Signing
ReportSigner uses ed25519-dalek for EdDSA signatures.
| Field | Description |
|---|---|
| algorithm | Always "Ed25519" |
| signature_hex | Hex-encoded Ed25519 signature |
| signer_id | Identifier of the signing key |
| signed_at | UTC timestamp of signing |
Usage
Rust
// Encrypt for a specific recipient
let encrypted = encrypt(
&report_bytes,
&EncryptionConfig::Recipient {
public_key: "age1qy...".into(),
},
)?;
// Sign the encrypted payload
let signer = ReportSigner::from_secret_key(secret_key)?;
let signature = signer.sign(&encrypted);
assert!(signer.verify(&encrypted, &signature));Questions?
Reach out for help with integration, deployment, or custom domain codecs.