Key Management
Key Rotation
Section titled “Key Rotation”import { crypto } from '@brivora/crypto';
const { newIdentity, migration } = await crypto.rotateKeys(oldIdentity);// migration is a signed proof linking old key → new keyThe migration proof is cryptographically signed by the old key, creating an auditable chain of key ownership.
Key Derivation
Section titled “Key Derivation”const masterKey = crypto.randomBytes(32);const encKey = crypto.deriveKey(masterKey, 'encryption');const authKey = crypto.deriveKey(masterKey, 'authentication');// Different contexts → different deterministic keysUses HKDF-SHA256 (RFC 5869) for deterministic key derivation. Same master key + same context always produces the same derived key.
API Reference
Section titled “API Reference”| Method | Description |
|---|---|
crypto.rotateKeys(oldIdentity, newIdentity?) | Rotate keys with migration proof |
crypto.deriveKey(masterKey, context, length?) | HKDF-SHA256 key derivation |
crypto.randomBytes(length) | CSPRNG random bytes |