SeedVault
Encrypted seed storage backed by Android Keystore + biometric authentication.
Layered security model:
Local layer (this class): Seed encrypted with device-bound Keystore master key. Biometric-gated for every access.
Backup layer (future, core:backup): Separate encrypted blob using a transferable key (passkey PRF or backup password). Needed for cross-device recovery because the Keystore master key cannot transfer to a new device.
Storage format: The on-disk file is a single blob:
[12 bytes: IV] + [96 bytes: encrypted(entropy || seed)] + [16 bytes: GCM auth tag]
Total: 124 bytes.
File location: <app filesDir>/kuira_seed.bin — app-private storage, explicitly excluded from Auto Backup via data_extraction_rules.xml in the host app's manifest.
Atomicity: Writes go to a temp file and are renamed in place, so a crash mid-write leaves either the old seed or the new seed, never a partial file.
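The blob layout and the temp-file-then-rename write described above, as an added example that is not SeedVault's own code. It assumes a software AES key standing in for the biometric-gated Keystore master key, `java.nio.file.Files.move` for the rename, and hypothetical helper names (`seal`, `unseal`, `writeAtomically`).

```kotlin
import java.io.File
import java.nio.file.Files
import java.nio.file.StandardCopyOption.ATOMIC_MOVE
import java.nio.file.StandardCopyOption.REPLACE_EXISTING
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

const val IV_LEN = 12
const val PLAIN_LEN = 96                              // entropy || seed
const val TAG_LEN = 16
const val BLOB_LEN = IV_LEN + PLAIN_LEN + TAG_LEN     // 124

// Encrypts the 96-byte plaintext and returns IV || ciphertext || tag.
fun seal(key: SecretKey, plain: ByteArray): ByteArray {
    require(plain.size == PLAIN_LEN) { "plaintext must be $PLAIN_LEN bytes" }
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, key)             // provider generates a fresh random IV
    val blob = cipher.iv + cipher.doFinal(plain)      // doFinal appends the 16-byte tag
    check(blob.size == BLOB_LEN) { "unexpected blob size ${blob.size}" }
    return blob
}

// Rejects anything that is not exactly 124 bytes before the cipher sees it.
fun unseal(key: SecretKey, blob: ByteArray): ByteArray {
    require(blob.size == BLOB_LEN) { "unexpected blob size ${blob.size}" }
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(TAG_LEN * 8, blob, 0, IV_LEN))
    return cipher.doFinal(blob, IV_LEN, blob.size - IV_LEN)  // AEADBadTagException if modified
}

// Temp file in the same directory, flushed to disk, then renamed over the target.
fun writeAtomically(target: File, blob: ByteArray) {
    val tmp = File(target.parentFile, target.name + ".tmp")
    tmp.outputStream().use { it.write(blob); it.fd.sync() }
    Files.move(tmp.toPath(), target.toPath(), ATOMIC_MOVE, REPLACE_EXISTING)
}

fun main() {
    val key = KeyGenerator.getInstance("AES").apply { init(256) }.generateKey() // stand-in key (assumption)
    val plain = ByteArray(PLAIN_LEN) { it.toByte() }                            // constructed sample data
    val file = File(Files.createTempDirectory("vault").toFile(), "kuira_seed.bin")
    writeAtomically(file, seal(key, plain))
    check(unseal(key, file.readBytes()).contentEquals(plain))
    val tampered = file.readBytes().also { it[20] = (it[20].toInt() xor 1).toByte() }
    check(runCatching { unseal(key, tampered) }.isFailure)   // one flipped bit fails the tag check
    println("ok: ${file.length()} bytes")
}
```

The temp file sits in the same directory as the target so the rename stays within one filesystem, which is what allows it to be atomic.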
Threading: All file I/O runs on Dispatchers.IO via withContext.