Support DEK rotation on empty storage

### Background

SafeBox currently uses a static DEK per file, which remains unchanged for its lifetime. Although the key is securely stored and masked, a long-lived DEK increases exposure to eventual cryptanalysis. DEK rotation is not yet supported due to potential data invalidation risks.

### Goal

Enable DEK rotation without introducing dead entries.

### Proposal

A configurable DEK rotation policy will be introduced:  
- `NEVER`: SafeBox will never rotate DEK _(default, fastest)_
- `ON_EMPTY`: SafeBox will rotate DEK when storage becomes empty via `clear()` or last `remove()` (_safest_)

DEK rotation will be gated inside the `writeMutex`. To prevent dead entries, DEK rotation will only be done when no live entries exist.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Support DEK rotation on empty storage #166

Background

Goal

Proposal

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

Support DEK rotation on empty storage #166

Description

Background

Goal

Proposal

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions