see revisions.md for list of changes.

Author: xskcdf

1-Aquiis.Infrastructure/Aquiis.Infrastructure.csproj

@@ -19,6 +19,7 @@
     <PackageReference Include="SQLitePCLRaw.bundle_e_sqlcipher" Version="2.1.11" />
     <PackageReference Include="Twilio" Version="7.14.0" />
     <PackageReference Include="QuestPDF" Version="2025.12.1" />
+    <PackageReference Include="System.Security.Cryptography.ProtectedData" Version="9.0.0" />
   </ItemGroup>
 
   <ItemGroup>

1-Aquiis.Infrastructure/Interfaces/IKeychainService.cs

@@ -0,0 +1,20 @@
+namespace Aquiis.Infrastructure.Interfaces;
+
+/// <summary>
+/// Abstraction for platform-specific secure key storage.
+/// Linux: uses libsecret (secret-tool). Windows: uses DPAPI encrypted file.
+/// </summary>
+public interface IKeychainService
+{
+    /// <summary>Store a password/key in the platform keychain</summary>
+    bool StoreKey(string password, string label = "Aquiis Database Encryption Key");
+
+    /// <summary>Retrieve the stored password/key, or null if not found</summary>
+    string? RetrieveKey();
+
+    /// <summary>Remove the stored password/key</summary>
+    bool RemoveKey();
+
+    /// <summary>Check if the keychain service is available on this platform</summary>
+    bool IsAvailable();
+}

1-Aquiis.Infrastructure/Services/DatabaseEncryptionService.cs

@@ -1,3 +1,4 @@
+using Aquiis.Infrastructure.Interfaces;
 using Microsoft.Data.Sqlite;
 using Microsoft.Extensions.Logging;
 using System.Text;
@@ -11,12 +12,12 @@ namespace Aquiis.Infrastructure.Services;
 public class DatabaseEncryptionService
 {
     private readonly PasswordDerivationService _passwordDerivation;
-    private readonly LinuxKeychainService _keychain;
+    private readonly IKeychainService _keychain;
     private readonly ILogger<DatabaseEncryptionService> _logger;
 
     public DatabaseEncryptionService(
         PasswordDerivationService passwordDerivation,
-        LinuxKeychainService keychain,
+        IKeychainService keychain,
         ILogger<DatabaseEncryptionService> logger)
     {
         _passwordDerivation = passwordDerivation;
@@ -118,18 +119,19 @@ public DatabaseEncryptionService(
                 return (false, null, "Failed to verify encrypted database");
             }
 
+            // Clear pools so Windows releases the verified file handle before the caller moves the file
+            SqliteConnection.ClearAllPools();
+            await Task.Delay(200);
+
             // Store password in keychain (best effort - don't fail if keychain unavailable)
-            if (OperatingSystem.IsLinux())
+            var stored = _keychain.StoreKey(password, "Aquiis Database Encryption Password");
+            if (!stored)
             {
-                var stored = _keychain.StoreKey(password, "Aquiis Database Encryption Password");
-                if (!stored)
-                {
-                    _logger.LogWarning("Failed to store password in keychain - you'll need to enter it manually on next startup");
-                }
-                else
-                {
-                    _logger.LogInformation("Password stored in keychain successfully");
-                }
+                _logger.LogWarning("Failed to store password in keychain - you'll need to enter it manually on next startup");
+            }
+            else
+            {
+                _logger.LogInformation("Password stored in keychain successfully");
             }
 
             _logger.LogInformation("Database encryption completed successfully");
@@ -230,11 +232,12 @@ public DatabaseEncryptionService(
                 return (false, null, "Failed to verify decrypted database");
             }
 
+            // Clear pools so Windows releases the verified file handle before the caller moves the file
+            SqliteConnection.ClearAllPools();
+            await Task.Delay(200);
+
             // Remove password from keychain
-            if (OperatingSystem.IsLinux())
-            {
-                _keychain.RemoveKey();
-            }
+            _keychain.RemoveKey();
 
             _logger.LogInformation("Database decryption completed successfully");
             return (true, decryptedPath, null);
@@ -310,22 +313,10 @@ private async Task<bool> VerifyPlaintextDatabaseAsync(string dbPath)
     /// <summary>
     /// Try to retrieve encryption key from keychain
     /// </summary>
-    public string? TryGetKeyFromKeychain()
-    {
-        if (!OperatingSystem.IsLinux())
-            return null;
-        
-        return _keychain.RetrieveKey();
-    }
+    public string? TryGetKeyFromKeychain() => _keychain.RetrieveKey();
 
     /// <summary>
     /// Check if keychain service is available
     /// </summary>
-    public bool IsKeychainAvailable()
-    {
-        if (!OperatingSystem.IsLinux())
-            return false;
-        
-        return _keychain.IsAvailable();
-    }
+    public bool IsKeychainAvailable() => _keychain.IsAvailable();
 }

1-Aquiis.Infrastructure/Services/LinuxKeychainService.cs

@@ -1,13 +1,14 @@
 using System.Runtime.InteropServices;
 using System.Text;
+using Aquiis.Infrastructure.Interfaces;
 
 namespace Aquiis.Infrastructure.Services;
 
 /// <summary>
 /// Service for storing and retrieving encryption keys from Linux Secret Service (libsecret).
 /// Provides convenient auto-decryption on trusted devices.
 /// </summary>
-public class LinuxKeychainService
+public class LinuxKeychainService : IKeychainService
 {
     private const string Schema = "org.aquiis.database";
     private const string KeyAttribute = "key-type";

1-Aquiis.Infrastructure/Services/WindowsKeychainService.cs

@@ -0,0 +1,117 @@
+using System.Runtime.Versioning;
+using System.Security.Cryptography;
+using System.Text;
+using Aquiis.Infrastructure.Interfaces;
+
+namespace Aquiis.Infrastructure.Services;
+
+/// <summary>
+/// Secure key storage for Windows using DPAPI (Data Protection API).
+/// Encrypts the database password with the current user's Windows credentials
+/// and stores it in a file under %APPDATA%\Aquiis\. Only the same user on the
+/// same machine can decrypt the file — no user interaction needed on retrieval.
+/// </summary>
+[SupportedOSPlatform("windows")]
+public class WindowsKeychainService : IKeychainService
+{
+    private readonly string _keyFilePath;
+
+    /// <summary>
+    /// Initialize the Windows DPAPI keychain service.
+    /// </summary>
+    /// <param name="appName">App-specific identifier to prevent key conflicts (e.g. "SimpleStart-Electron")</param>
+    public WindowsKeychainService(string appName = "Aquiis-Electron")
+    {
+        var appDataPath = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
+        var aquiisDir = Path.Combine(appDataPath, "Aquiis");
+        Directory.CreateDirectory(aquiisDir);
+
+        // Sanitize appName for use as a filename component
+        var safeAppName = new string(appName.Where(c => char.IsLetterOrDigit(c) || c == '-' || c == '_').ToArray());
+        _keyFilePath = Path.Combine(aquiisDir, $"aquiis_{safeAppName}.key");
+
+        Console.WriteLine($"[WindowsKeychainService] Initialized with key file: {_keyFilePath}");
+    }
+
+    /// <summary>
+    /// Store the encryption password using DPAPI. The data is encrypted with the
+    /// current user's credentials and written to a binary key file.
+    /// </summary>
+    public bool StoreKey(string password, string label = "Aquiis Database Encryption Key")
+    {
+        try
+        {
+            Console.WriteLine("[WindowsKeychainService] Storing password using DPAPI");
+            var plainBytes = Encoding.UTF8.GetBytes(password);
+            var encryptedBytes = ProtectedData.Protect(plainBytes, null, DataProtectionScope.CurrentUser);
+            File.WriteAllBytes(_keyFilePath, encryptedBytes);
+            Console.WriteLine("[WindowsKeychainService] Password stored successfully using DPAPI");
+            return true;
+        }
+        catch (Exception ex)
+        {
+            Console.WriteLine($"[WindowsKeychainService] Failed to store password: {ex.Message}");
+            return false;
+        }
+    }
+
+    /// <summary>
+    /// Retrieve the encryption password by decrypting the key file with DPAPI.
+    /// Returns null if the file does not exist or cannot be decrypted.
+    /// </summary>
+    public string? RetrieveKey()
+    {
+        if (!File.Exists(_keyFilePath))
+        {
+            Console.WriteLine("[WindowsKeychainService] Key file not found");
+            return null;
+        }
+
+        try
+        {
+            Console.WriteLine("[WindowsKeychainService] Retrieving password using DPAPI");
+            var encryptedBytes = File.ReadAllBytes(_keyFilePath);
+            var plainBytes = ProtectedData.Unprotect(encryptedBytes, null, DataProtectionScope.CurrentUser);
+            var password = Encoding.UTF8.GetString(plainBytes);
+            Console.WriteLine($"[WindowsKeychainService] Password retrieved successfully using DPAPI (length: {password.Length})");
+            return password;
+        }
+        catch (CryptographicException ex)
+        {
+            Console.WriteLine($"[WindowsKeychainService] Failed to decrypt password (DPAPI): {ex.Message}");
+            Console.WriteLine("[WindowsKeychainService] This usually means the key file was encrypted by a different user or machine");
+            return null;
+        }
+        catch (Exception ex)
+        {
+            Console.WriteLine($"[WindowsKeychainService] Failed to retrieve password: {ex.Message}");
+            return null;
+        }
+    }
+
+    /// <summary>
+    /// Delete the key file, effectively removing the stored password.
+    /// </summary>
+    public bool RemoveKey()
+    {
+        try
+        {
+            if (File.Exists(_keyFilePath))
+            {
+                File.Delete(_keyFilePath);
+                Console.WriteLine("[WindowsKeychainService] Key file deleted successfully");
+            }
+            return true;
+        }
+        catch (Exception ex)
+        {
+            Console.WriteLine($"[WindowsKeychainService] Failed to remove key file: {ex.Message}");
+            return false;
+        }
+    }
+
+    /// <summary>
+    /// DPAPI is always available on Windows.
+    /// </summary>
+    public bool IsAvailable() => OperatingSystem.IsWindows();
+}

2-Aquiis.Application/Services/DatabasePasswordService.cs

@@ -1,5 +1,5 @@
 using Aquiis.Core.Interfaces;
-using Aquiis.Infrastructure.Services;
+using Aquiis.Infrastructure.Interfaces;
 using Microsoft.Extensions.Logging;
 
 namespace Aquiis.Application.Services;
@@ -10,11 +10,11 @@ namespace Aquiis.Application.Services;
 /// </summary>
 public class DatabasePasswordService
 {
-    private readonly LinuxKeychainService _keychain;
+    private readonly IKeychainService _keychain;
     private readonly ILogger<DatabasePasswordService> _logger;
 
     public DatabasePasswordService(
-        LinuxKeychainService keychain,
+        IKeychainService keychain,
         ILogger<DatabasePasswordService> logger)
     {
         _keychain = keychain;
@@ -64,9 +64,6 @@ public async Task<bool> IsDatabaseEncryptedAsync(string dbPath)
     /// </summary>
     public string? TryGetPasswordFromKeychain()
     {
-        if (!OperatingSystem.IsLinux())
-            return null;
-        
         var key = _keychain.RetrieveKey();
         if (key != null)
         {

2-Aquiis.Application/Services/DatabasePreviewService.cs

@@ -1,7 +1,7 @@
 using Aquiis.Application.Models.DTOs;
 using Aquiis.Core.Entities;
 using Aquiis.Infrastructure.Data;
-using Aquiis.Infrastructure.Services;
+using Aquiis.Infrastructure.Interfaces;
 using Microsoft.Data.Sqlite;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Logging;
@@ -14,12 +14,12 @@ namespace Aquiis.Application.Services;
 /// </summary>
 public class DatabasePreviewService
 {
-    private readonly LinuxKeychainService _keychain;
+    private readonly IKeychainService _keychain;
     private readonly ILogger<DatabasePreviewService> _logger;
     private readonly string _backupDirectory;
 
     public DatabasePreviewService(
-        LinuxKeychainService keychain,
+        IKeychainService keychain,
         ILogger<DatabasePreviewService> logger)
     {
         _keychain = keychain;
@@ -75,10 +75,7 @@ public async Task<bool> IsDatabaseEncryptedAsync(string backupFileName)
     /// </summary>
     public async Task<string?> TryGetKeychainPasswordAsync()
     {
-        if (!OperatingSystem.IsLinux())
-            return null;
-
-        await Task.CompletedTask; // Make method async
+        await Task.CompletedTask; // Keep method async
         var key = _keychain.RetrieveKey();
         if (key != null)
         {

2-Aquiis.Application/Services/DatabaseUnlockService.cs

@@ -1,6 +1,6 @@
+using Aquiis.Infrastructure.Interfaces;
 using Microsoft.Data.Sqlite;
 using Microsoft.Extensions.Logging;
-using Aquiis.Infrastructure.Services;
 
 namespace Aquiis.Application.Services;
 
@@ -10,11 +10,11 @@ namespace Aquiis.Application.Services;
 /// </summary>
 public class DatabaseUnlockService
 {
-    private readonly LinuxKeychainService _keychain;
+    private readonly IKeychainService _keychain;
     private readonly ILogger<DatabaseUnlockService> _logger;
 
     public DatabaseUnlockService(
-        LinuxKeychainService keychain,
+        IKeychainService keychain,
         ILogger<DatabaseUnlockService> logger)
     {
         _keychain = keychain;

4-Aquiis.SimpleStart/Extensions/ElectronServiceExtensions.cs

@@ -12,6 +12,7 @@
 using Aquiis.SimpleStart.Entities;
 using Aquiis.SimpleStart.Services;  // For ElectronPathService, WebPathService
 using Aquiis.Infrastructure.Services;  // For DatabaseUnlockState
+using Aquiis.Infrastructure.Interfaces;  // For IKeychainService
 using Microsoft.Data.Sqlite;
 
 namespace Aquiis.SimpleStart.Extensions;
@@ -191,7 +192,9 @@ public static IServiceCollection AddElectronServices(
                 // Database is encrypted - try to get password from keychain
                 if (EnableVerboseLogging)
                     Console.WriteLine("Detected encrypted database, retrieving password from keychain...");
-                var keychain = new LinuxKeychainService("SimpleStart-Electron"); // Pass app name to prevent keychain conflicts
+                var keychain = OperatingSystem.IsWindows()
+                    ? (IKeychainService)new WindowsKeychainService("SimpleStart-Electron")
+                    : new LinuxKeychainService("SimpleStart-Electron"); // Pass app name to prevent keychain conflicts
 
                 Console.WriteLine("Attempting to retrieve encryption password from keychain...");
                 var password = keychain.RetrieveKey();

4-Aquiis.SimpleStart/Extensions/WebServiceExtensions.cs

@@ -12,6 +12,7 @@
 using Aquiis.SimpleStart.Entities;
 using Aquiis.SimpleStart.Services;  // For ElectronPathService, WebPathService
 using Aquiis.Infrastructure.Services;  // For DatabaseUnlockState
+using Aquiis.Infrastructure.Interfaces;  // For IKeychainService
 using Microsoft.Data.Sqlite;
 
 namespace Aquiis.SimpleStart.Extensions;
@@ -178,7 +179,9 @@ public static IServiceCollection AddWebServices(
                 // Database is encrypted - try to get password from keychain
                 if (EnableVerboseLogging)
                     Console.WriteLine("Detected encrypted database, retrieving password from keychain...");
-                var keychain = new LinuxKeychainService("SimpleStart-Web"); // Pass app name to prevent keychain conflicts
+                var keychain = OperatingSystem.IsWindows()
+                    ? (IKeychainService)new WindowsKeychainService("SimpleStart-Web")
+                    : new LinuxKeychainService("SimpleStart-Web"); // Pass app name to prevent keychain conflicts
                 var password = keychain.RetrieveKey();
 
                 if (string.IsNullOrEmpty(password))