fix(security): encrypt app secrets at rest with AES-256-GCM (#6)

Encrypt three sensitive secrets that were stored in plaintext: OIDC client_secret, SMTP smtp_password, TOTP totp_secret. AES-256-GCM via pm-core::crypto helper. New per-install key at /etc/patch-manager/keys/secret-encryption.key, separate from health-check.key for blast-radius isolation. MASKED placeholder behavior in API responses is preserved. 23 files changed, +1248 / -28. Closes #6.
2026-06-03 15:08:25 -05:00
parent e0a9037be3
commit b9fb3427e0
23 changed files with 1248 additions and 28 deletions
--- a/docs/REST_API.md
+++ b/docs/REST_API.md
@ -119,6 +119,8 @@ Security: JWT Bearer Token (except Public Endpoints)
 | POST | `/settings/azure-sso/test` | Test Azure SSO compatibility |
 | POST | `/settings/audit-integrity` | Verify audit log integrity |

+> **Note (issue #6):** As of May 2026, sensitive fields (`oidc.client_secret`, `smtp.password`) are encrypted at rest in the database (AES-256-GCM). The `MASKED` placeholder behavior in API responses is **preserved** — clients never see plaintext secrets in GET responses. See [docs/runbooks/key-management.md](runbooks/key-management.md) for key management procedures.
+
 ## 12. Single Sign-On (SSO)
 | Method | Endpoint | Description |
 |--------|----------|-------------|