Summary
Remove internal cmdlet invocation overhead in ConvertFrom-SodiumSealedBox when -PublicKey is omitted.
Why
Current flow calls Get-SodiumPublicKey from within decrypt processing, which incurs PowerShell cmdlet pipeline/binding overhead in hot loops.
Proposed change
- In the decrypt path, derive public key directly via interop (
crypto_scalarmult_base) instead of invoking another cmdlet.
- Keep output and validation semantics equivalent.
- Ensure private key material handling remains secure and zeroed where applicable.
Acceptance criteria
- Decrypt scenarios with and without
-PublicKey remain functionally equivalent.
- Existing tests pass.
- Decrypt benchmark loop shows improved throughput when
-PublicKey is not supplied.
- No regression in error messages for invalid key material.
Summary
Remove internal cmdlet invocation overhead in
ConvertFrom-SodiumSealedBoxwhen-PublicKeyis omitted.Why
Current flow calls
Get-SodiumPublicKeyfrom within decrypt processing, which incurs PowerShell cmdlet pipeline/binding overhead in hot loops.Proposed change
crypto_scalarmult_base) instead of invoking another cmdlet.Acceptance criteria
-PublicKeyremain functionally equivalent.-PublicKeyis not supplied.