@@ -18,7 +18,11 @@ To fix this, we built the _wire_. The wire consists of an HTTP server started by
## Vault
<!-- TODO -->
The vault is an encrypted container which exists to implement *encryption at rest*: The database is not stored on the SD card in plain text, but within said container. If someone were to pull the SD card out of the Pi, they could not access the database (as the password to decrypt the vault is only held in RAM).
The `Vault` class is a thin Python wrapper around the Linux application LUKS, which carries the heavy lifting.
In the application directory, we have a file `instance.img`. This file can be treated as a (virtual) drive[^1]. On this drive, we have LUKS-encrypted container, in which we have created an ext4 filesystem (just as you would when encrypting your real drive). After decrypting the container, the filesystem is mounted at the `instance/` folder. After that, you can do with the `instance/` folder whatever you want, it behaves no differently from any other folder.
### Things To Look At
@@ -39,3 +43,5 @@ To fix this, we built the _wire_. The wire consists of an HTTP server started by
### Things To Look At
-[🐍 `poolpay.admin`](../poolpay/admin/) which contains the (standalone runnable) admin UI and admin tools
[^1]:Akshually, it's the other way around: In Linux, everything is a file, so any real drive is also a file, stored in the `/dev/` folder, e.g., `/dev/sda1`.
