Summary
Encryption keys are currently stored as plaintext JSON files on disk. Keys should be protected using platform-native secure storage (macOS Keychain, Windows DPAPI, Linux Secret Service) with a password-derived fallback.
Problem
In core/gateways/file/key-bag-file.ts, encryption keys are saved as plaintext JSON. Anyone with file system access can read these keys and decrypt the database.
Proposed Solution
- Add optional keychain adapter dependencies (@perkse/keytar, argon2-browser)
- Create keychain adapter interface at core/keybag/keychain-adapter.ts
- Implement platform-specific adapters:
  - macOS Keychain
  - Windows DPAPI
  - Linux Secret Service
- Implement password-derived fallback with Argon2id
- Create SecureKeystoreService at core/keybag/secure-keystore.ts
- Implement transparent migration from plaintext keys
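As an added illustration (not code from this issue or the project), a TypeScript sketch of the three pieces the proposal combines: the adapter interface a platform keychain would implement, the password-derived fallback, and an idempotent migration of a plaintext key bag into an adapter. The in-memory adapter, the scrypt KDF (standing in for Argon2id, which Node's standard library lacks), the in-memory blob map and the sample key bag are assumptions.

```typescript
import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";

// Interface every platform adapter (Keychain, DPAPI, Secret Service) would implement.
export interface KeychainAdapter {
  getSecret(id: string): string | undefined;
  setSecret(id: string, secret: string): void;
}

// Assumption: stands in for a platform keychain; a real adapter would wrap the OS API.
export class MemoryKeychainAdapter implements KeychainAdapter {
  private store = new Map<string, string>();
  getSecret(id: string): string | undefined { return this.store.get(id); }
  setSecret(id: string, secret: string): void { this.store.set(id, secret); }
}

// Password-derived fallback. scrypt stands in for Argon2id here; `blobs` stands in
// for the encrypted file the real service would write to disk.
export class PasswordKeychainAdapter implements KeychainAdapter {
  constructor(private password: string, readonly blobs = new Map<string, string>()) {}
  private derive(salt: Buffer): Buffer { return scryptSync(this.password, salt, 32, { N: 1 << 14 }); }
  setSecret(id: string, secret: string): void {
    const salt = randomBytes(16), iv = randomBytes(12);
    const cipher = createCipheriv("aes-256-gcm", this.derive(salt), iv);
    const ct = Buffer.concat([cipher.update(secret, "utf8"), cipher.final()]);
    // Salt, IV, GCM tag and ciphertext travel together so each entry is self-describing.
    this.blobs.set(id, [salt, iv, cipher.getAuthTag(), ct].map(b => b.toString("base64")).join("."));
  }
  getSecret(id: string): string | undefined {
    const blob = this.blobs.get(id);
    if (blob === undefined) return undefined;
    const [salt, iv, tag, ct] = blob.split(".").map(s => Buffer.from(s, "base64")) as [Buffer, Buffer, Buffer, Buffer];
    const d = createDecipheriv("aes-256-gcm", this.derive(salt), iv);
    d.setAuthTag(tag); // a wrong password or a tampered blob makes final() throw
    return Buffer.concat([d.update(ct), d.final()]).toString("utf8");
  }
}

// Move every key of a plaintext key-bag JSON document into an adapter; returns the ids
// handled. Re-running it is safe, so the caller removes the plaintext file only after success.
export function migratePlaintextKeys(json: string, adapter: KeychainAdapter): string[] {
  const bag = JSON.parse(json) as Record<string, string>;
  const migrated: string[] = [];
  for (const [id, key] of Object.entries(bag)) {
    if (adapter.getSecret(id) === undefined) adapter.setSecret(id, key);
    migrated.push(id);
  }
  return migrated;
}

// Constructed sample of the plaintext layout the issue describes (not a real key bag).
export const SAMPLE_PLAINTEXT_BAG = JSON.stringify({ "db-main": "k1-secret", "db-backup": "k2-secret" });
```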
Expected Outcomes
- Keys never stored as plaintext on disk
- Keys integrate with platform keychain when available
- Fallback to password-derived encryption when keychain unavailable
- Existing plaintext keys migrated transparently
Dependencies
This should be implemented after removing the storekey=insecure bypass.