2. 🔑 Key Management

These settings control the key directory and the sealing options for the keys used for data encryption and security.

  • auto_key_setup (bool, default: True) This parameter automates the key generation and registration workflow.

    • If True: The SDK handles everything automatically. It checks for keys at the specified path. If they don't exist, it generates a new key set and registers the public keys with the server. This is the recommended mode for most users.

    • If False: This is a manual mode for advanced use cases. The SDK requires a pre-existing key set at the specified path and will raise an error if one is not found. Key generation and registration must be performed separately by the user.

  • key_path (str) The base directory where all encryption key sets are stored. Each key set will be in a subdirectory named after its key_id. This path should be considered fixed after the initial client setup.

  • key_id (str) A unique identifier for a specific set of encryption keys. While the system is designed to eventually support multiple key IDs for different indexes, the current version only supports using a single key_id per client instance.

  • metadata_encryption (bool, default: True) Determines whether to encrypt metadata before sending it to the server. When set to True, a MetadataKey.json is automatically generated and used for this purpose.

  • seal_mode (str, default: 'none') Enables at-rest encryption for your most sensitive keys. When set to 'aes', the SecKey.json and MetadataKey.json (if it exists) are "sealed" (encrypted) using a Key Encryption Key (KEK) for secure storage.

    • 'aes': Activates AES256-GCM sealing.

    • 'none': Disables sealing.

  • seal_kek_path (str) Required only when seal_mode is set to 'aes'. This parameter specifies the file path to the Key Encryption Key (KEK) that will be used to seal your keys.
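
A pre-flight check for the settings above, as an added example (not part of the SDK or its documentation). It assumes the key set lives at <key_path>/<key_id>/, POSIX file permissions, and a hypothetical function name check_key_settings; keeping the KEK outside key_path is a hardening assumption, not a documented SDK requirement.

```python
import stat
from pathlib import Path

SEAL_MODES = {"none", "aes"}              # the two values the page documents
SECRET_FILES = ("SecKey.json", "MetadataKey.json")

def _loose(path: Path) -> bool:
    """True if group or other has any permission bit on the file (POSIX)."""
    return bool(path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO))

def check_key_settings(cfg: dict) -> list[str]:
    """Return a list of problems; an empty list means the settings pass."""
    problems = []
    mode = cfg.get("seal_mode", "none")
    # Assumed layout, from the key_path description: <key_path>/<key_id>/
    key_dir = Path(cfg["key_path"]) / cfg["key_id"]

    if mode not in SEAL_MODES:
        problems.append(f"seal_mode {mode!r} is not 'aes' or 'none'")
    if mode == "aes":
        kek = cfg.get("seal_kek_path")
        if not kek:
            problems.append("seal_mode='aes' requires seal_kek_path")
        elif not Path(kek).is_file():
            problems.append(f"KEK file not found: {kek}")
        else:
            kek_path = Path(kek).resolve()
            # Hardening assumption: a KEK stored beside the sealed keys is
            # copied along with them, so sealing protects nothing.
            if Path(cfg["key_path"]).resolve() in kek_path.parents:
                problems.append("KEK is stored under key_path")
            if _loose(kek_path):
                problems.append("KEK file is accessible to group/other")

    # Manual mode: the SDK expects the key set to exist already.
    if not cfg.get("auto_key_setup", True) and not (key_dir / "SecKey.json").is_file():
        problems.append(f"auto_key_setup=False but no SecKey.json in {key_dir}")

    # Unsealed secrets rely on file permissions alone.
    if mode == "none":
        for name in SECRET_FILES:
            f = key_dir / name
            if f.is_file() and _loose(f):
                problems.append(f"{name} is unsealed and accessible to group/other")
    return problems

if __name__ == "__main__":
    demo = {"key_path": "./keys", "key_id": "example-key", "seal_mode": "aes"}  # constructed
    print(check_key_settings(demo))
```
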
