Encrypt Nano-GPT API Keys

Author: 0xGingi

.env.example

@@ -9,6 +9,12 @@ BETTER_AUTH_URL=http://localhost:3432
 # Trusted Origins (comma-separated list of URLs)
 BETTER_AUTH_TRUSTED_ORIGINS=
 
+# Encryption key for API keys in the database
+# Generate a secure random string (at least 32 characters)
+# You can generate one with: openssl rand -base64 32
+# IMPORTANT: Keep this key secure and never change it, or all encrypted API keys will be lost
+ENCRYPTION_KEY=
+
 NANOGPT_API_KEY=
 
 # Artificial Analysis API key for model benchmarks (optional)

README.md

@@ -175,6 +175,16 @@ Generate videos using NanoGPT's video models:
 | `BETTER_AUTH_SECRET`         | Authentication secret                                   |
 | `BETTER_AUTH_URL`            | Base URL for authentication                             |
 | `ARTIFICIAL_ANALYSIS_API_KEY`| (Optional) API key for model benchmarks from artificialanalysis.ai |
+| `ENCRYPTION_KEY`             | (Optional) Encryption key for API keys at rest. Generate with `openssl rand -base64 32` |
+
+### API Key Encryption
+
+The application supports encrypting API keys stored in the database using AES-256-GCM:
+
+- **Optional**: The app works without `ENCRYPTION_KEY` (keys stored in plain text)
+- **Recommended**: Set `ENCRYPTION_KEY` to encrypt all API keys at rest
+- **Migration**: Run `bun run scripts/migrate-encrypt-api-keys.ts` to encrypt existing keys
+- **Details**: See [`scripts/README-API-KEY-ENCRYPTION.md`](scripts/README-API-KEY-ENCRYPTION.md)
 
 ---
 

api-docs.md

@@ -169,6 +169,7 @@ List active API keys for the current user.
   ]
 }
 ```
+**Note**: The actual key value is never returned in list responses.
 
 #### POST `/api/api-keys`
 Create a new API key.
@@ -191,6 +192,7 @@ Create a new API key.
   "createdAt": "date"
 }
 ```
+**Note**: The key is returned only during creation. Save it securely - it cannot be retrieved again. Keys are stored encrypted in the database using AES-256-GCM.
 
 #### DELETE `/api/api-keys`
 Revoke an API key.

scripts/README-API-KEY-ENCRYPTION.md

@@ -0,0 +1,162 @@
+# API Key Encryption Migration
+
+This guide explains how to encrypt all API keys in your database using AES-256-GCM encryption.
+
+## Overview
+
+The application now encrypts all API keys (both user-added provider keys and application-generated API keys) before storing them in the database. This provides an additional layer of security in case your database is compromised.
+
+### What Gets Encrypted?
+
+1. **User Provider Keys** (`user_keys` table): NanoGPT, OpenAI, Anthropic, and HuggingFace API keys that users add in their account settings
+2. **Application API Keys** (`api_keys` table): Developer API keys generated for programmatic access (format: `nc_...`)
+
+### Encryption Details
+
+- **Algorithm**: AES-256-GCM (industry standard, widely supported, hardware accelerated)
+- **Key Derivation**: scrypt with N=16384, r=8, p=1 (~64MB memory)
+- **Key Source**: `ENCRYPTION_KEY` environment variable
+- **Format**: VERSION | SALT | IV | ENCRYPTED_DATA | AUTH_TAG (base64-encoded)
+
+## Prerequisites
+
+1. **Backup your database** - This is critical!
+   ```bash
+   cp data/nanochat.db data/nanochat.db.backup
+   ```
+
+2. **Generate an encryption key** (if you haven't already):
+   ```bash
+   openssl rand -base64 32
+   ```
+
+3. **Set the ENCRYPTION_KEY environment variable** in your `.env` file:
+   ```bash
+   ENCRYPTION_KEY=your-generated-key-here
+   ```
+
+   ⚠️ **IMPORTANT**: Keep this key safe and never change it, or all encrypted API keys will be permanently lost!
+
+## Migration Steps
+
+### Option 1: Run the Migration Script (Recommended)
+
+The migration script will encrypt all existing API keys in your database:
+
+1. **Ensure the application is NOT being used** (stop the server)
+2. **Set the ENCRYPTION_KEY** environment variable
+3. **Run the migration script**:
+   ```bash
+   bun run scripts/migrate-encrypt-api-keys.ts
+   ```
+
+The script will:
+- Show you all keys it's about to encrypt
+- Wait 5 seconds (press Ctrl+C to cancel)
+- Encrypt all unencrypted keys
+- Skip keys that are already encrypted
+- Show a summary when complete
+
+### Option 2: Let New Keys Be Encrypted (No Migration)
+
+If you prefer not to encrypt existing keys:
+- New keys will automatically be encrypted when added
+- Existing unencrypted keys will continue to work (the app detects and handles both)
+- You can run the migration script later if desired
+
+### Option 3: Skip Encryption Entirely (Graceful Degradation)
+
+The application supports running without encryption for compatibility:
+
+- **Without `ENCRYPTION_KEY` set**: API keys are stored in plain text (like before)
+- A warning is logged on startup: `⚠️ ENCRYPTION_KEY not set. API keys will be stored in plain text.`
+- The application continues to work normally
+- You can enable encryption later by setting `ENCRYPTION_KEY` and running the migration script
+
+## Verification
+
+After migration, you can verify encryption worked by checking the database:
+
+```bash
+# For SQLite
+sqlite3 data/nanochat.db "SELECT key FROM user_keys LIMIT 5;"
+sqlite3 data/nanochat.db "SELECT key FROM api_keys LIMIT 5;"
+```
+
+Encrypted keys will be long base64 strings (150+ characters), while unencrypted keys are shorter.
+
+## How It Works
+
+### Key Storage Flow
+
+1. **When a user adds an API key**:
+   - The key is received via the API
+   - Immediately encrypted using `encryptApiKey()`
+   - Stored in the database in encrypted form
+
+2. **When an API key is needed**:
+   - Retrieved from database (encrypted)
+   - Decrypted using `decryptApiKey()`
+   - Used for API calls
+   - Never returned to the client (masked instead)
+
+3. **For legacy unencrypted keys**:
+   - The `isEncrypted()` helper detects encryption
+   - Unencrypted keys are used as-is
+   - This allows gradual migration
+
+### Security Considerations
+
+✅ **What encryption protects against**:
+- Database dumps/file exposure
+- SQL injection attacks that expose the database
+- Backup database access
+
+❌ **What encryption does NOT protect against**:
+- Application server compromise (the key is in memory during use)
+- Environment variable exposure on the server
+- Process debugging/memory dumps
+
+### Best Practices
+
+1. **Never commit the ENCRYPTION_KEY to version control**
+2. **Rotate the encryption key** (requires special handling - not yet implemented)
+3. **Use strong environment variable security** in production
+4. **Keep backups** before any migration
+5. **Document the key location** for disaster recovery
+
+## Troubleshooting
+
+### "ENCRYPTION_KEY environment variable is not set"
+
+**Solution**: Add the ENCRYPTION_KEY to your `.env` file:
+```bash
+ENCRYPTION_KEY=$(openssl rand -base64 32)
+```
+
+### "ENCRYPTION_KEY must be at least 32 characters"
+
+**Solution**: Generate a longer key:
+```bash
+openssl rand -base64 32
+```
+
+### Keys stopped working after migration
+
+**Solution**: This likely means the ENCRYPTION_KEY used during migration is different from the one the application is using. Either:
+- Restore from backup and migrate again with the correct key
+- Ensure the same ENCRYPTION_KEY is set in all environments
+
+## Rollback
+
+If you need to rollback:
+
+1. Stop the application
+2. Restore your database backup:
+   ```bash
+   cp data/nanochat.db.backup data/nanochat.db
+   ```
+3. Remove or comment out the `ENCRYPTION_KEY` from your `.env` file
+4. Restart the application
+
+Note: This will revert to storing API keys in plain text.

scripts/migrate-encrypt-api-keys.ts

@@ -0,0 +1,152 @@
+#!/usr/bin/env tsx
+/**
+ * Migration script to encrypt all existing API keys in the database
+ *
+ * This script will:
+ * 1. Read all unencrypted API keys from user_keys and api_keys tables
+ * 2. Encrypt them using the new encryption utilities
+ * 3. Update the database with the encrypted values
+ *
+ * IMPORTANT:
+ * - This script should be run AFTER setting the ENCRYPTION_KEY environment variable
+ * - This should be run when the application is NOT being used
+ * - BACKUP YOUR DATABASE BEFORE RUNNING THIS SCRIPT
+ * - This operation is NOT reversible (unless you have a backup)
+ */
+
+import { db } from '../src/lib/db/index.js';
+import { userKeys, apiKeys } from '../src/lib/db/schema.js';
+import { eq } from 'drizzle-orm';
+import { encryptApiKey, isEncrypted } from '../src/lib/encryption.js';
+
+async function migrateUserKeys() {
+	console.log('\n🔐 Migrating user_keys table...');
+
+	try {
+		const keys = await db.select().from(userKeys).all();
+
+		console.log(`   Found ${keys.length} user keys`);
+
+		let encryptedCount = 0;
+		let skippedCount = 0;
+
+		for (const key of keys) {
+			// Skip if already encrypted
+			if (isEncrypted(key.key)) {
+				skippedCount++;
+				console.log(`   ⏭️  Skipping key ${key.id} (already encrypted)`);
+				continue;
+			}
+
+			try {
+				const encrypted = encryptApiKey(key.key);
+
+				await db
+					.update(userKeys)
+					.set({ key: encrypted })
+					.where(eq(userKeys.id, key.id))
+					.run();
+
+				encryptedCount++;
+				console.log(`   ✅ Encrypted key ${key.id} for provider ${key.provider}`);
+			} catch (error) {
+				console.error(`   ❌ Failed to encrypt key ${key.id}:`, error);
+			}
+		}
+
+		console.log(`   ✅ User keys migration complete: ${encryptedCount} encrypted, ${skippedCount} skipped`);
+	} catch (error) {
+		console.error('   ❌ Failed to migrate user keys:', error);
+		throw error;
+	}
+}
+
+async function migrateApiKeys() {
+	console.log('\n🔐 Migrating api_keys table...');
+
+	try {
+		const keys = await db.select().from(apiKeys).all();
+
+		console.log(`   Found ${keys.length} API keys`);
+
+		let encryptedCount = 0;
+		let skippedCount = 0;
+
+		for (const key of keys) {
+			// Skip if already encrypted
+			if (isEncrypted(key.key)) {
+				skippedCount++;
+				console.log(`   ⏭️  Skipping key ${key.id} (already encrypted)`);
+				continue;
+			}
+
+			try {
+				const encrypted = encryptApiKey(key.key);
+
+				await db
+					.update(apiKeys)
+					.set({ key: encrypted })
+					.where(eq(apiKeys.id, key.id))
+					.run();
+
+				encryptedCount++;
+				console.log(`   ✅ Encrypted key ${key.id} (${key.name})`);
+			} catch (error) {
+				console.error(`   ❌ Failed to encrypt key ${key.id}:`, error);
+			}
+		}
+
+		console.log(`   ✅ API keys migration complete: ${encryptedCount} encrypted, ${skippedCount} skipped`);
+	} catch (error) {
+		console.error('   ❌ Failed to migrate API keys:', error);
+		throw error;
+	}
+}
+
+async function main() {
+	console.log('==================================================');
+	console.log('  API Key Encryption Migration Script');
+	console.log('==================================================');
+
+	// Check if ENCRYPTION_KEY is set
+	if (!process.env.ENCRYPTION_KEY) {
+		console.error('\n❌ ERROR: ENCRYPTION_KEY environment variable is not set!');
+		console.error('Please set it before running this script:\n');
+		console.error('  export ENCRYPTION_KEY="$(openssl rand -base64 32)"\n');
+		process.exit(1);
+	}
+
+	if (process.env.ENCRYPTION_KEY.length < 32) {
+		console.error('\n❌ ERROR: ENCRYPTION_KEY must be at least 32 characters long!');
+		process.exit(1);
+	}
+
+	console.log('\n⚠️  WARNING: This will encrypt all API keys in your database.');
+	console.log('⚠️  Make sure you have backed up your database before proceeding!');
+
+	// Give user time to read and cancel
+	console.log('\n⏳ Starting migration in 5 seconds... Press Ctrl+C to cancel.\n');
+	await new Promise((resolve) => setTimeout(resolve, 5000));
+
+	try {
+		await migrateUserKeys();
+		await migrateApiKeys();
+
+		console.log('\n✨ Migration completed successfully!');
+		console.log('\n📝 Summary:');
+		console.log('   - All API keys have been encrypted in the database');
+		console.log('   - The application will automatically decrypt keys when needed');
+		console.log('   - Keep your ENCRYPTION_KEY safe and secure!');
+		console.log('   - DO NOT lose or change the ENCRYPTION_KEY!\n');
+
+		process.exit(0);
+	} catch (error) {
+		console.error('\n❌ Migration failed:', error);
+		console.error('\n⚠️  Some keys may have been encrypted while others were not.');
+		console.error('⚠️  Please restore from backup and investigate the error before retrying.\n');
+		process.exit(1);
+	}
+}
+
+// Run the migration
+main();