Add KeyringBackend using linux-keyutils for direct kernel keyring access via session keyring. Keys are namespaced as "llm-multiverse:<secret_name>" to avoid collisions. Activated via backend = "keyring" in config. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Implementation Plan — Issue #24: Implement kernel keyring fallback
Metadata
| Field | Value |
|---|---|
| Issue | #24 |
| Title | Implement kernel keyring fallback |
| Milestone | Phase 3: Secrets Service |
| Labels | type:feature, priority:medium, lang:rust, service:secrets, cat:security |
| Status | COMPLETED |
| Language | Rust |
| Related Plans | issue-022.md |
| Blocked by | #22 (completed) |
Acceptance Criteria
- Kernel keyring integration via the `linux-keyutils` crate
- Retrieve secrets by key from the session keyring
- Proper key naming convention (`"llm-multiverse:<secret_name>"`) to avoid collisions
- Fallback activates when configured via `backend = "keyring"` in config
- Clear error messages when the backend is unavailable
Architecture Analysis
Implemented `KeyringBackend` using the `linux-keyutils` crate for direct kernel keyring syscalls. It reads from the session keyring and looks keys up by namespaced description (`llm-multiverse:<secret_name>`). Error mapping: `KeyDoesNotExist` → `NotFound`, `AccessDenied` → `BackendUnavailable`.
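An added illustration of the naming and error-mapping contract described above; this is example code, not the project's `keyring.rs`. It assumes a `KeyStore` trait standing in for the session keyring (the real backend would implement it over `linux_keyutils::KeyRing`), a local `KeyError` enum mirroring the crate's variant names, and an added check that rejects secret names containing `:` so a caller cannot escape the namespace.

```rust
use std::collections::HashMap;
/// Mirrors the linux-keyutils error variants the backend maps (names assumed).
#[derive(Debug, PartialEq)]
pub enum KeyError { KeyDoesNotExist, AccessDenied, Other(String) }

/// Errors the secrets service reports to callers.
#[derive(Debug, PartialEq)]
pub enum SecretError { NotFound(String), BackendUnavailable(String), InvalidName(String) }
/// Session-keyring abstraction; the real backend would implement it over
/// linux_keyutils::KeyRing, omitted so the example runs without the crate or kernel.
pub trait KeyStore {
    fn search(&self, description: &str) -> Result<Vec<u8>, KeyError>;
}

pub const NAMESPACE: &str = "llm-multiverse";
/// Build the namespaced description; reject empty names or names containing ':'
/// so a caller cannot escape the namespace (added check, not from the plan).
pub fn key_description(secret_name: &str) -> Result<String, SecretError> {
    if secret_name.is_empty() || secret_name.contains(':') {
        return Err(SecretError::InvalidName(secret_name.to_string()));
    }
    Ok(format!("{}:{}", NAMESPACE, secret_name))
}

pub struct KeyringBackend<S: KeyStore> { store: S }
impl<S: KeyStore> KeyringBackend<S> {
    pub fn new(store: S) -> Self { Self { store } }

    /// Resolve a secret by name, mapping kernel errors as the plan specifies:
    /// KeyDoesNotExist -> NotFound, AccessDenied -> BackendUnavailable.
    pub fn get(&self, secret_name: &str) -> Result<Vec<u8>, SecretError> {
        let desc = key_description(secret_name)?;
        self.store.search(&desc).map_err(|e| match e {
            KeyError::KeyDoesNotExist => SecretError::NotFound(secret_name.to_string()),
            KeyError::AccessDenied => SecretError::BackendUnavailable("session keyring: access denied".into()),
            KeyError::Other(msg) => SecretError::BackendUnavailable(msg),
        })
    }
}

/// Constructed in-memory stand-in for the session keyring (test double only).
pub struct InMemoryKeyring { pub keys: HashMap<String, Vec<u8>>, pub deny: bool }

impl KeyStore for InMemoryKeyring {
    fn search(&self, description: &str) -> Result<Vec<u8>, KeyError> {
        if self.deny { return Err(KeyError::AccessDenied); }
        self.keys.get(description).cloned().ok_or(KeyError::KeyDoesNotExist)
    }
}
```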
Files to Create/Modify
| File | Action | Purpose |
|---|---|---|
| services/secrets/src/backend/keyring.rs | Create | KeyringBackend using linux-keyutils |
| services/secrets/src/backend/mod.rs | Modify | Add keyring module |
| services/secrets/src/main.rs | Modify | Wire keyring backend in config match |
| services/secrets/Cargo.toml | Modify | Add linux-keyutils dependency |
Deviation Log
(No deviations)