SECURITY: Implement SystemCrypto database key auto-generation

Replace fixed seed database encryption with per-instance unique keys:

- Add database key management to SystemCrypto alongside JWT keys
- Remove hardcoded default seed security vulnerability
- Implement auto-generation of unique database encryption keys
- Add backward compatibility for legacy v1 encrypted files
- Update DatabaseFileEncryption to use SystemCrypto keys
- Refactor database initialization to async architecture

Security improvements:
- Each Termix instance gets unique database encryption key
- Keys stored in .termix/db.key with 600 permissions
- Environment variable DATABASE_KEY support for production
- Eliminated fixed seed "termix-database-file-encryption-seed-v1"

Architecture: SystemCrypto (database) + UserCrypto (KEK-DEK) dual-layer
ZacharyZcR
2025-09-22 07:50:01 +08:00
parent dca4a89a1a
commit ed11b309f4
4 changed files with 320 additions and 172 deletions


@@ -679,7 +679,7 @@ app.post("/database/backup", async (req, res) => {
const backupPath = path.join(backupDir, backupFileName);
// Create encrypted backup directly from memory buffer
DatabaseFileEncryption.encryptDatabaseFromBuffer(dbBuffer, backupPath);
await DatabaseFileEncryption.encryptDatabaseFromBuffer(dbBuffer, backupPath);
res.json({
success: true,
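Review bot: The `success: true` response that follows the newly awaited `encryptDatabaseFromBuffer(dbBuffer, backupPath)` is only correct if a rejection from that call is handled. The enclosing try/catch is not visible in this hunk, so confirm the `await` sits inside it and that a failed encryption returns an error response rather than surfacing as an unhandled rejection. Because the method now returns a promise, any other caller left without `await` would continue before the backup file is written; worth searching for remaining call sites.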
@@ -718,7 +718,7 @@ app.post("/database/restore", async (req, res) => {
// Hardware compatibility check removed - no longer required
const restoredPath = DatabaseFileEncryption.restoreFromEncryptedBackup(
const restoredPath = await DatabaseFileEncryption.restoreFromEncryptedBackup(
backupPath,
targetPath,
);
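Review bot: `restoredPath` is a string only because of the added `await` on `restoreFromEncryptedBackup(backupPath, targetPath)`; a call site that was missed would silently hold a Promise and pass it on as a path. Suggest giving the method an explicit `Promise<string>` return type so the compiler flags un-awaited uses. The context comment "Hardware compatibility check removed - no longer required" describes deleted code rather than what the handler does now, so consider replacing it with a short note on which key the restore uses, including the legacy v1 case the commit message mentions.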