fix(security): encrypt app secrets at rest with AES-256-GCM (#6)

Encrypt three sensitive secrets that were stored in plaintext: OIDC client_secret, SMTP smtp_password, TOTP totp_secret. AES-256-GCM via pm-core::crypto helper. New per-install key at /etc/patch-manager/keys/secret-encryption.key, separate from health-check.key for blast-radius isolation. MASKED placeholder behavior in API responses is preserved. 23 files changed, +1248 / -28. Closes #6.
2026-06-03 15:08:25 -05:00
parent e0a9037be3
commit b9fb3427e0
23 changed files with 1248 additions and 28 deletions
--- a/crates/pm-web/src/routes/auth.rs
+++ b/crates/pm-web/src/routes/auth.rs
@ -360,8 +360,26 @@ async fn mfa_verify_handler(
        ));
    }

-    sqlx::query("UPDATE users SET totp_secret = $1, mfa_enabled = TRUE WHERE id = $2")
-        .bind(&req.secret_base32)
+    // Encrypt the TOTP secret before persisting (issue #6 fix)
+    let key = crate::secret_key::get().map_err(|e| {
+        tracing::error!(error = %e, "Failed to load secret-encryption key");
+        (
+            StatusCode::INTERNAL_SERVER_ERROR,
+            Json(
+                json!({ "error": { "code": "internal_error", "message": "Encryption key error" } }),
+            ),
+        )
+    })?;
+    let (ciphertext, nonce) = pm_core::crypto::encrypt(&req.secret_base32, key).map_err(|e| {
+        tracing::error!(error = %e, "Failed to encrypt TOTP secret");
+        (
+            StatusCode::INTERNAL_SERVER_ERROR,
+            Json(json!({ "error": { "code": "internal_error", "message": "Encryption error" } })),
+        )
+    })?;
+    sqlx::query("UPDATE users SET totp_secret_encrypted = $1, totp_secret_nonce = $2, mfa_enabled = TRUE WHERE id = $3")
+        .bind(&ciphertext)
+        .bind(&nonce)
        .bind(auth_user.user_id)
        .execute(&state.db)
        .await