docs: pin keyfile.rs/second_factor citations; state the second factor is never pushed to the remote

This commit is contained in:
adlee-was-taken
2026-06-26 22:24:57 -04:00
parent 201bf05adc
commit 73877bad78
3 changed files with 5 additions and 5 deletions

View File

@@ -72,7 +72,7 @@ vault creation and is interchangeable:
| Container | How the 32 bytes are stored | Extract step |
|---|---|---|
| Reference image (default) | Embedded in JPEG DCT coefficients via QIM steganography | `imgsecret::extract()` |
| Key file (`.relkey`) | base64-encoded in a plain armored text file | `keyfile_decode()` (`crates/relicario-core/src/keyfile.rs` — <!-- TODO(dev-e): pin exact line once Dev-D's keyfile.rs lands -->) |
| Key file (`.relkey`) | base64-encoded in a plain armored text file | `keyfile_decode()` (`crates/relicario-core/src/keyfile.rs:36`) |
| Recovery QR | XChaCha20-Poly1305 envelope keyed by a separate recovery passphrase | Unwrap then read the raw 32 bytes |
The Argon2id KDF input — `u64_be(len(passphrase)) || passphrase || u64_be(32) || secret_32_bytes` — is **identical regardless of container**. Master-key derivation is unaffected by the container choice. The diagrams below show the reference-image path; substitute the appropriate extract step for other containers.