Skip to content

Secrets storage to be used in subscriptions #187

New issue
New issue
Open
Feature
Open
Secrets storage to be used in subscriptions#187
Feature
Labels
serverIssues related to the server🧐 analysisTask that needs research and investigation
@mfornos

Description

@mfornos
mfornos
opened on Nov 28, 2025

We will use envelope encryption to store per-subscription secrets safely while keeping the system lightweight.

Keys

Data Encryption Key (DEK)

  • One DEK generated per subscription.
  • Used to encrypt the subscription’s secret with AES-256-GCM.
  • The encrypted secret (ciphertext + auth tag + nonce) is stored in the database.

Key Encryption Key (KEK)

  • A single long-lived server key stored locally (env var / file with permissions).
  • Used to encrypt each DEK with AES-256-GCM.
  • Only the wrapped DEK is stored in the database, never the plaintext DEK.

Nonces / IVs

We will use random 96-bit (12-byte) nonces, generated independently for both KEK and DEK encryption.

Schema / Payload

  • Top-level secrets field on subscription input. Users pass secrets on creation only.
  • Secrets will never be returned, even encrypted to client requests. We can return a list of secret names only.

NOTE
We avoid external vault infrastructure, as it would introduce unnecessary complexity at this stage.

Metadata

Metadata

Assignees

No one assigned

    Labels

    serverIssues related to the server🧐 analysisTask that needs research and investigation

    Type

    Feature

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions