Update Configuration, Models, Services + docs

Summary: - Sources: Configuration, Models, Services - Docs: README Stats: - 4 files changed, 10 insertions(+), 5 deletions(-)
2026-01-14 13:53:01 -06:00 · 2026-01-14 13:53:01 -06:00 · 371a5e2f54
commit 371a5e2f54
parent 0877528bca
4 changed files with 10 additions and 5 deletions
--- a/README.md
+++ b/README.md
@ -163,13 +163,14 @@ You can customize the identifiers used for the master key in the Keychain:
 ```swift
 let config = EncryptionConfiguration(
    masterKeyService: "com.myapp.LocalData",
-    masterKeyAccount: "MasterKey"
+    masterKeyAccount: "MasterKey",
+    pbkdf2Iterations: 50_000
 )
 await StorageRouter.shared.updateEncryptionConfiguration(config)
 ```

 > [!WARNING]
-> Changing the `masterKeyService` or `masterKeyAccount` in an existing app will cause the app to look for the master key in a new location. Previously encrypted data will be lost.
+> Changing the `masterKeyService`, `masterKeyAccount`, or `pbkdf2Iterations` in an existing app will cause the app to look for or derive keys differently. Previously encrypted data will be inaccessible.

 #### Global Sync Configuration

--- a/Sources/LocalData/Configuration/EncryptionConfiguration.swift
+++ b/Sources/LocalData/Configuration/EncryptionConfiguration.swift
@ -6,17 +6,20 @@ public struct EncryptionConfiguration: Sendable {
    public let masterKeyAccount: String
    public let masterKeyLength: Int
    public let defaultHKDFInfo: String
+    public let pbkdf2Iterations: Int

    public init(
        masterKeyService: String = "LocalData",
        masterKeyAccount: String = "MasterKey",
        masterKeyLength: Int = 32,
-        defaultHKDFInfo: String = "LocalData.Encryption"
+        defaultHKDFInfo: String = "LocalData.Encryption",
+        pbkdf2Iterations: Int = 10_000
    ) {
        self.masterKeyService = masterKeyService
        self.masterKeyAccount = masterKeyAccount
        self.masterKeyLength = masterKeyLength
        self.defaultHKDFInfo = defaultHKDFInfo
+        self.pbkdf2Iterations = pbkdf2Iterations
    }

    public static let `default` = EncryptionConfiguration()
--- a/Sources/LocalData/Models/SecurityPolicy.swift
+++ b/Sources/LocalData/Models/SecurityPolicy.swift
@ -21,7 +21,7 @@ public enum SecurityPolicy: Sendable {
    }

    public enum KeyDerivation: Sendable {
-        case pbkdf2(iterations: Int, salt: Data? = nil)
+        case pbkdf2(iterations: Int? = nil, salt: Data? = nil)
        case hkdf(salt: Data? = nil, info: Data? = nil)
    }
 }
--- a/Sources/LocalData/Services/EncryptionHelper.swift
+++ b/Sources/LocalData/Services/EncryptionHelper.swift
@ -104,10 +104,11 @@ actor EncryptionHelper {
        switch derivation {
        case .pbkdf2(let iterations, let customSalt):
            let salt = customSalt ?? defaultSalt(for: keyName)
+            let actualIterations = iterations ?? configuration.pbkdf2Iterations
            let derivedKeyData = try pbkdf2SHA256(
                password: baseKeyMaterial,
                salt: salt,
-                iterations: iterations,
+                iterations: actualIterations,
                keyLength: configuration.masterKeyLength
            )
            return SymmetricKey(data: derivedKeyData)