DataHandler.SecretManager

Handles the creation, reading, deletion overall management of secret vaults.

Types

Represents a reference to an encrypted secret file.

Fields:
- string SecretName (internal set): Logical name of the secret.
- string SecretPath (internal set): Encrypted path to the secret file.
Constructor:

PublicKeyFile(string secretName, string secretPath)

Used to initialize a new secret entry when creating a bank.

Fields:
- string SecretName (internal set): Logical name of the secret.
- SecureData Value (internal set): Initial secret value.
- SecureData? SecretPath (internal set): Optional custom directory path.
Constructor:
PublicKeyFileInit(string secretName, SecureData? secretPath, SecureData value)

Creates a “bank” JSON file listing public secrets, and optionally initializes individual secret files.

Parameters:
- BankDirectory: Folder in which to store the bank JSON.
- BankName: Name of the bank (JSON filename without extension).
- PublicKeys: Optional list of initial secrets to create.
- PublicDecryptKey: Optional decryption key (defaults to board serial).
Returns: Task
Exceptions:
- Exception if bank already exists or on any file I/O error.

Checks for the existence of the bank JSON file.

Retrieves and decrypts a public secret value from a bank.

Parameters:
- BankDirectory, BankName
- PublicSecretName: Logical name of the secret to retrieve.
- PublicDecryptKey: Key to decrypt the bank index (defaults to board serial).
- SecretDecryptKey: Key to decrypt the individual secret (defaults to same as public key).
Returns: Task — Decrypted secret value.
Exceptions:
- Exception if secret not found or on decryption errors.

Reads the “Pneumentations” (rotation count) for a public secret.

Adds a new secret to an existing bank, creating its file and encrypting its initial value.

Parameters:
- PublicSecret: Initialization data for the new secret.
- Others as in CreateBank.
Returns: Task

Removes a secret entry from both the bank JSON and deletes its file.

Lists all logical secret names in the bank.

Rotates (re-hashes) a secret’s value, updates its “Pneumentations” count, and writes back.

Parameters:
- salt: Existing salt or key for rotation.
- newSalt: If provided, resets the salt and count.
- Others as in GetPublicSecret
Returns: Task — New rotated secret.

WIP — Re-encrypts and/or moves existing secrets to a new bank directory with optional password/key changes.

Parameters:
- secretMigrations: Map of secret names to old/new key pairs and new file locations.
- newBankDirPath, NewFileDirectoryPath
- OldPublicDecryptKey, NewPublicDecryptKey
Returns: Task
Notes: Not production-ready; use with caution.