docs: pin keyfile.rs/second_factor citations; state the second factor is never pushed to the remote
This commit is contained in:
@@ -72,7 +72,7 @@ vault creation and is interchangeable:
|
||||
| Container | How the 32 bytes are stored | Extract step |
|
||||
|---|---|---|
|
||||
| Reference image (default) | Embedded in JPEG DCT coefficients via QIM steganography | `imgsecret::extract()` |
|
||||
| Key file (`.relkey`) | base64-encoded in a plain armored text file | `keyfile_decode()` (`crates/relicario-core/src/keyfile.rs` — <!-- TODO(dev-e): pin exact line once Dev-D's keyfile.rs lands -->) |
|
||||
| Key file (`.relkey`) | base64-encoded in a plain armored text file | `keyfile_decode()` (`crates/relicario-core/src/keyfile.rs:36`) |
|
||||
| Recovery QR | XChaCha20-Poly1305 envelope keyed by a separate recovery passphrase | Unwrap then read the raw 32 bytes |
|
||||
|
||||
The Argon2id KDF input — `u64_be(len(passphrase)) || passphrase || u64_be(32) || secret_32_bytes` — is **identical regardless of container**. Master-key derivation is unaffected by the container choice. The diagrams below show the reference-image path; substitute the appropriate extract step for other containers.
|
||||
|
||||
Reference in New Issue
Block a user