[EVFS] Key management: master key rotation and vault export/import

[Adel-Ayoub]

Summary

Add master key rotation (re-encrypt all vault data under a new key) and vault export/import (portable encrypted archive for device migration). Both operations are atomic and crash-safe.

Motivation

• Key rotation: Compromised or expired keys require re-encryption without data loss. Compliance (NIST SP 800-57) recommends periodic rotation.
• Export/import: Device migration needs secure vault transfer. The export format wraps data with a transport key, decoupling from the original master key.

Architecture

Key Rotation (copy-to-new-vault + atomic rename)

vault_rotate_key(handle, new_key):
  create temp vault at {path}.rotating
  derive new sub-keys from new_key
  for each segment:
    decrypt with old keys → re-encrypt with new keys → write to temp
  flush temp index (primary + shadow), fsync
  atomic rename: {path}.rotating → {path}
  zeroize old sub-keys
  return new VaultHandle

Recovery: if .rotating exists on open, delete it (original vault intact).

Export/Import (.mvex archive format)

vault_export(handle, wrapping_key, export_path):
  generate ephemeral export_key, wrap with wrapping_key
  for each segment: decrypt → re-encrypt under export_key → write to archive
  BLAKE3 trailer for integrity

vault_import(archive, wrapping_key, dest_path, new_key):
  unwrap export_key → create new vault → write all segments under new_key

Sub-Issues

• [EVFS] Key rotation: atomic re-encryption under new master key #110 — Key rotation: atomic re-encryption under new master key
• [EVFS] Export archive format and vault_export() #111 — Export archive format and vault_export()
• [EVFS] Import vault from encrypted archive #112 — Import vault from encrypted archive
• [EVFS] Dart wrappers for key rotation, export, and import #113 — Dart wrappers for key rotation, export, and import

Dependency Graph

#110 (rotation) ──→ #111 (export) ──→ #112 (import) ──→ #113 (Dart wrappers)
                         │                                       │
                         └── shares decrypt_segment_raw()        └── completes Key management

Acceptance Criteria

• After rotation, old key cannot decrypt any data
• Rotation is atomic: crash mid-rotation → recoverable with old key
• Export produces a self-contained authenticated .mvex archive
• Import creates a new vault re-encrypted under local key
• Tampered/truncated archives detected and rejected
• Dart VaultService.rotateKey(), .export(), .importVault() with tests

Security Considerations

• Old sub-keys zeroized immediately after rotation (ZeroizeOnDrop)
• Export wrapping uses AAD b"msec-export-key-wrap" for domain separation
• Archive format authenticated: per-segment AAD (name) + BLAKE3 trailer
• Nonce safety: new vault keys = independent HKDF nonce space; export uses random nonces