Juergen Kunz
7a19f01def
Implements SmartSecret with macOS Keychain, Linux secret-tool, and AES-256-GCM encrypted file fallback backends. Zero runtime dependencies.
13 lines
529 B
Markdown
13 lines
529 B
Markdown
# smartsecret hints
|
|
|
|
## Architecture
|
|
- 3-tier backend: macOS Keychain → Linux secret-tool → encrypted file vault
|
|
- Zero runtime dependencies (Node.js built-ins only)
|
|
- All OS interactions via child_process.execFile (no shell injection)
|
|
|
|
## File Backend
|
|
- Vault: AES-256-GCM, JSON file with { iv, ciphertext, tag } per entry
|
|
- Keyfile: auto-generated 32 random bytes at ~/.config/smartsecret/.keyfile (mode 0600)
|
|
- Key derivation: PBKDF2 (SHA-512, 100k iterations, service-name salt)
|
|
- Atomic writes: write .tmp then rename()
|