Skip to content

feat: Add persistent volumes and encrypted secret management for deployments#51

Open
officiallyutso wants to merge 5 commits intomasterfrom
ronin/volumes
Open

feat: Add persistent volumes and encrypted secret management for deployments#51
officiallyutso wants to merge 5 commits intomasterfrom
ronin/volumes

Conversation

@officiallyutso
Copy link
Member

@officiallyutso officiallyutso commented Nov 2, 2025

Features

Encrypted Secrets Management

  • AES-256-GCM encryption for secrets stored in MongoDB
  • Master key derived using PBKDF2 with 100,000 iterations
  • Secrets decrypted in-memory only before container launch
  • Runtime injection via --env-file (not baked into image layers)
  • REST API endpoints for secret CRUD operations
  • Authorization: Only project owners and admins can manage secrets
  • Never expose decrypted values in API responses

Persistent Volumes

  • Automatic volume creation for each project deployment
  • Volumes mounted at /app/data inside containers
  • Automatic cleanup when projects are deleted
  • Volume metadata tracked in MongoDB

Encryption

  • Secrets encrypted at rest in database
  • Master key provided via SECRET_MASTER_KEY environment variable
  • No plaintext secrets in logs, image layers, or on disk
  • Authorization checks on all secret operations
  • Input validation and size limits on secret payloads

Changes

Backend

  • New: src/backend/utils/encryption.ts - AES-256-GCM encryption service
  • New: src/backend/utils/authorization.ts - Project access verification
  • New: src/backend/secrets.ts - Secret management API routes
  • New: src/backend/shell_scripts/volume.sh - Volume management script
  • Modified: src/backend/db.ts - Added secrets and volume metadata functions
  • Modified: src/backend/server.ts - Added routes and encryption initialization
  • Modified: src/backend/scripts.ts - Integrated volumes and secrets into deployment
  • Modified: src/backend/shell_scripts/container.sh - Volume mounting and env injection
  • Modified: src/backend/shell_scripts/delete.sh - Volume cleanup on deletion

Frontend

  • New: src/frontend/src/utils/secrets.ts - Secret API client
  • New: src/frontend/src/components/SecretManager.vue - Secret management UI

Tests

  • New: src/backend/utils/encryption.test.ts - Comprehensive encryption service tests

API Endpoints

Create/Update Secrets

POST /secrets/:subdomain
Body: { secrets: { key: value }, token: string, provider: string }

List Secret Keys

GET /secrets/:subdomain?token={jwt}&provider={provider}
Response: { keys: string[], hasSecrets: boolean, keysCount: number }

Delete Secrets

DELETE /secrets/:subdomain
Body: { token: string, provider: string }

Environment Variables

Required (for secrets feature)

  • SECRET_MASTER_KEY: Master encryption key (32+ characters)

Database Collections

New Collections

  • project_secrets: Encrypted secrets with IV and authentication tags
  • volume_metadata: Volume tracking information

Required Setup

  1. Set SECRET_MASTER_KEY in backend .env file (minimum 32 characters)
  2. Restart backend container to initialize encryption service
  3. MongoDB collections will be created automatically on first use

Testing

Run tests:

deno test src/backend/utils/encryption.test.ts --allow-all

Closes #45

@officiallyutso
feat: add REST API endpoints for secret management
ac2868a 
- Add POST /secrets/:subdomain endpoint for creating/updating secrets
- Add GET /secrets/:subdomain endpoint for listing secret keys
- Add DELETE /secrets/:subdomain endpoint for deleting secrets
- Initialize encryption service on server startup
- Validate request payloads and enforce authorization
- Never expose decrypted secret values in API responses
@officiallyutso
feat: integrate persistent volumes and encrypted secrets into deployment
08caec3 
- Create Docker volumes automatically for each project deployment
- Decrypt secrets in-memory and inject at container runtime
- Mount volumes at /app/data inside containers
- Merge secrets with regular env vars (secrets take precedence)
- Clean up volumes when projects are deleted
- Maintain backward compatibility with existing deployments
@officiallyutso
chore: adds testing to gitignore and backend env update
c09b904
@officiallyutso
feat: add AES-256-GCM encryption service for secret management
199e6c8
@officiallyutso
feat: add database functions and authorization for secrets and volumes
5dece85 
- Add MongoDB functions for project secrets CRUD operations
- Add volume metadata tracking functions
- Implement authorization helpers for project access verification
- Add volume management shell script for Docker operations
- Store encrypted secrets with IV and authentication tags
@officiallyutso officiallyutso added the enhancement New feature or request label Nov 2, 2025
@officiallyutso
Copy link
Member Author

officiallyutso commented Dec 3, 2025

Any updates on #51 @raj210809 @opbot-xd

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Abhijna-Raghavendra Abhijna-Raghavendra Awaiting requested review from Abhijna-Raghavendra

@opbot-xd opbot-xd Awaiting requested review from opbot-xd

@raj210809 raj210809 Awaiting requested review from raj210809

Assignees

No one assigned

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Volumes and Secrets management

1 participant

@officiallyutso