distribute/crypto
Crypto facade - singleton per node.
This module provides the public API for cryptographic operations in the distribute cluster. It follows the same facade pattern as transport and discovery modules.
Architecture
┌─────────────────────────────────────────────────────────┐
│ crypto.gleam │
│ (Facade/API) │
└─────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────┐
│ CryptoAdapter │
│ (Behaviour contract) │
└─────────────────────────────────────────────────────────┘
▲ ▲
│ │
┌─────────────┴────────┐ ┌──────┴───────────┐
│ noop_adapter │ │ (future: TLS, │
│ (development) │ │ NaCl, etc.) │
└──────────────────────┘ └──────────────────┘
Usage
import distribute/crypto
import gleam/option.{Some}
// Start crypto layer (typically done in node_builder)
let assert Ok(handle) = crypto.start_link(crypto.default_options("my_crypto"))
// Initiate handshake with remote node
let local = "node_a@host"
let remote = "node_b@host"
let assert Ok(result) = crypto.handshake_start(local, remote, option.None)
// Encrypt message
let assert Some(ctx) = crypto.secure_context(remote)
let assert Ok(ciphertext) = crypto.encrypt(ctx, <<"hello">>)
Lifecycle
- Call
start_link()or usechild_spec()with a supervisor - Provider initializes and registers with registry
- Use
handshake_start/3when connecting to remote nodes - Use
encrypt/2anddecrypt/2for secure messaging - Call
shutdown()for graceful cleanup
Values
pub fn child_spec() -> supervision.ChildSpecification(
types.ProviderHandle,
)Create a child specification for OTP supervision.
Uses the noop adapter by default. For production, you should use a proper crypto adapter.
pub fn child_spec_with_adapter(
provider: adapter.CryptoAdapter,
options: types.ProviderOptions,
) -> supervision.ChildSpecification(types.ProviderHandle)Create a child specification with a custom adapter. Note: For custom adapters, use the adapter’s own child_spec function.
pub fn child_spec_with_options(
options: types.ProviderOptions,
) -> supervision.ChildSpecification(types.ProviderHandle)Create a child specification with custom options.
pub fn decrypt(
ctx: types.SecureContext,
ciphertext: BitArray,
) -> Result(BitArray, types.CryptoError)Decrypt a message using the secure context.
pub fn default_options(name: String) -> types.ProviderOptionsCreate default provider options.
pub fn development_options(name: String) -> types.ProviderOptionsCreate development options with debug logging.
pub fn encrypt(
ctx: types.SecureContext,
plaintext: BitArray,
) -> Result(BitArray, types.CryptoError)Encrypt a message using the secure context.
pub fn get_handle() -> Result(types.ProviderHandle, Nil)Get the current provider handle.
pub fn get_handle_by_name(
name: String,
) -> Result(types.ProviderHandle, Nil)Get a handle by name.
pub fn handshake_continue(
state: types.HandshakeState,
message: types.HandshakeMessage,
) -> Result(types.HandshakeResult, types.CryptoError)Continue a handshake with a message from the remote node.
pub fn handshake_start(
local: String,
remote: String,
initial: option.Option(types.HandshakeMessage),
) -> Result(types.HandshakeResult, types.CryptoError)Start a cryptographic handshake with a remote node.
Returns either:
InProgress(state, message)- Send message to remote, await responseEstablished(context)- Handshake complete (e.g., noop adapter)
pub fn rekey(node: String) -> Result(Nil, types.CryptoError)Trigger a rekey operation for a node.
This rotates the session key while maintaining the connection.
pub fn secure_context(
node: String,
) -> option.Option(types.SecureContext)Get the secure context for a node (if handshake completed).
pub fn start_link(
options: types.ProviderOptions,
) -> Result(types.ProviderHandle, types.CryptoError)Start the crypto provider with default settings.
pub fn start_link_with_adapter(
provider: adapter.CryptoAdapter,
options: types.ProviderOptions,
) -> Result(types.ProviderHandle, types.CryptoError)Start the crypto provider with a custom adapter.