The Metacrypt service provides cryptographic resources for Metacircular users. It will use the Metacircular Identity and Access Service (MCIAS), whose API is documented at https://mcias.metacircular.net:8443/docs. The MCIAS admin user should be granted admin privileges on the service.

Metacrypt is based on the concept of "engines," each of which provides a specific cryptographic service. The complete system will have engines for a CA, an SSH CA, transit encryption, and user-to-user encryption.

Like other Metacircular services, it will use a SQLite database as its primary source of truth. Its data model should be similar to HashiCorp Vault's, in that it will have an encrypted storage barrier. However, only a single password needs to be provided to unseal it. A master encryption key will be used as a key-encryption key to decrypt other data encryption keys.

The first step is to build out the basic framework for the application, to include login, unsealing, and the encrypted barrier. We will be using Go as the main language. The MCIAS client library (git.wntrmute.dev/mc/mcias/clients/go) is used for authentication. Use 256-bit symmetric keys and Ed25519/Curve25519 or NIST P-521 where appropriate for public key algorithms. Use Argon2 for password hashing. It will need a gRPC and JSON REST API, as well as a web frontend.

First, we'll devise a detailed specification and architecture design for this system. Ask any necessary clarifying questions during this phase.
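A sketch of the key hierarchy behind the barrier, added here as an example and not taken from the Metacrypt code base: the master key wraps a data encryption key, and the data key encrypts barrier entries. The names aead, seal and open, the choice of AES-256-GCM, and the use of the storage path as associated data are assumptions; the master key is taken as an input, so the Argon2 step at unseal is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// aead returns AES-GCM for key and refuses anything but a 256-bit key.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 { // AES-128/192 keys are rejected too
		return nil, fmt.Errorf("need a 256-bit key, got %d bytes", len(key))
	}
	return cipher.NewGCM(block)
}

// seal encrypts pt under key, bound to path. Output: nonce || ciphertext+tag.
func seal(key, pt, path []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pt, path), nil
}

// open reverses seal; a wrong key, wrong path or modified blob is an error.
func open(key, blob, path []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], path)
	}
	return nil, fmt.Errorf("blob too short")
}

func main() {
	mek := make([]byte, 32) // constructed all-zero demo key, never use in practice
	wrapped, _ := seal(mek, []byte("constructed-32-byte-data-enc-key"), []byte("dek/ca"))
	dek, err := open(mek, wrapped, []byte("dek/ca")) // what unsealing makes possible
	fmt.Printf("%s %v\n", dek, err)
}
```

Binding each blob to its path means a row copied to a different path in the SQLite file fails authentication instead of decrypting.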