dennii/Termix
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases 22 Wiki Activity

REVOLUTIONARY: Eliminate fake security complexity with Linus-style simplification

Browse Source 
Problem Analysis:
- Fixed salt disaster: All same-type fields used identical encryption keys
- Exposed user password KEK protection as completely fake security theater
- System generated random password while claiming user password protection
- 500+ lines of complex migration logic for non-existent backward compatibility

Linus-Style Solutions Applied:
 "Delete code > Write code" - Removed 1167 lines of fake complexity
 "Complexity is evil" - Eliminated all special cases and migration paths
 "Practical solutions" - System auto-starts with secure random keys
 "Good taste" - Each field gets unique random salt, true data isolation

Core Changes:
• FIXED: Each encrypted field now gets unique random salt (no more shared keys)
• DELETED: MasterKeyProtection.ts - entire fake KEK protection system
• DELETED: encryption-test.ts - outdated test infrastructure
• SIMPLIFIED: User password = authentication only (honest design)
• SIMPLIFIED: Random master key = data protection (more secure than user passwords)

Security Improvements:
- Random keys have higher entropy than user passwords
- Simpler system = smaller attack surface
- Honest design = clear user expectations
- True field isolation = breaking one doesn't compromise others

Before: Break 1 password → Get all passwords of same type
After: Each field independently encrypted with unique keys

"Theory and practice sometimes clash. Theory loses. Every single time." - Linus

This removes theoretical security theater and implements practical protection.
This commit is contained in:
ZacharyZcR
2025-09-21 03:58:38 +08:00
parent 59e4e2beae
commit 1f67b2ca75
9 changed files with 101 additions and 1166 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/backend/starter.ts
View File

@@ -18,9 +18,9 @@ import "dotenv/config";
operation: "startup",
});
// Initialize database encryption before other services
// Initialize database encryption in deferred mode (without password)
await DatabaseEncryption.initialize();
systemLogger.info("Database encryption initialized", {
systemLogger.info("Database encryption initialized in deferred mode", {
operation: "encryption_init",
});