Baihu
Security

encrypted secrets

ChaCha20-Poly1305 AEAD with CSPRNG and DPAPI

how it works

API keys in config are never stored as plaintext. the encryption pipeline:

  1. key generation — 256-bit key from OS CSPRNG (not UUID)
  2. encryption — ChaCha20-Poly1305 AEAD with fresh random nonce per operation
  3. integrity — Poly1305 MAC tag prevents tampering
  4. storage — encrypted values stored with enc2: prefix in config.toml
  5. key protection — secret key file at ~/.baihu/.secret_key with 0600 permissions
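the pipeline above, as an added example in python with the `cryptography` package (not the project's own rust code). the exact enc2: payload layout is an assumption here: base64(nonce || ciphertext || poly1305 tag); the key file path is a temp path, not ~/.baihu/.secret_key.

```python
import base64
import os
import tempfile
from typing import Optional
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305

PREFIX = "enc2:"   # prefix for the ChaCha20-Poly1305 format
NONCE_LEN = 12     # IETF ChaCha20-Poly1305 nonce size

def generate_key() -> bytes:
    # 256-bit key straight from the OS CSPRNG, never derived from a UUID
    return os.urandom(32)

def write_key_file(path: str, key: bytes) -> int:
    # create the file 0600 up front so no window exists where it is group/world-readable
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key)
    os.chmod(path, 0o600)            # umask cannot widen this, but an existing file could
    return os.stat(path).st_mode & 0o777

def encrypt_secret(key: bytes, plaintext: str) -> str:
    # fresh random nonce per operation: nonce reuse under one key breaks the AEAD
    nonce = os.urandom(NONCE_LEN)
    ct = ChaCha20Poly1305(key).encrypt(nonce, plaintext.encode(), None)  # ct ends with 16-byte tag
    return PREFIX + base64.b64encode(nonce + ct).decode()

def decrypt_secret(key: bytes, stored: str) -> Optional[str]:
    if not stored.startswith(PREFIX):
        return None                  # plaintext or legacy enc: values not handled here
    raw = base64.b64decode(stored[len(PREFIX):])
    nonce, ct = raw[:NONCE_LEN], raw[NONCE_LEN:]
    try:
        return ChaCha20Poly1305(key).decrypt(nonce, ct, None).decode()
    except InvalidTag:
        return None                  # tag check failed: ciphertext, tag or key is wrong

def tamper(stored: str) -> str:
    # flip one bit of the ciphertext body to show the Poly1305 tag rejects it
    raw = bytearray(base64.b64decode(stored[len(PREFIX):]))
    raw[NONCE_LEN] ^= 0x01
    return PREFIX + base64.b64encode(bytes(raw)).decode()

if __name__ == "__main__":
    key = generate_key()
    with tempfile.TemporaryDirectory() as d:
        print("key file mode:", oct(write_key_file(os.path.join(d, ".secret_key"), key)))
    stored = encrypt_secret(key, "sk-constructed-example")   # constructed sample secret
    print(stored)
    print("roundtrip:", decrypt_secret(key, stored), "tampered:", decrypt_secret(key, tamper(stored)))
```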

windows DPAPI

on windows, the secret key file itself is envelope-encrypted with DPAPI, bound to your windows login session. even if someone reads the file, they get ciphertext that only decrypts under your user account.

zeroize

key material is wrapped in Zeroizing<Vec<u8>> so it's overwritten with zeros when dropped. no secret data lingers in memory after use.

legacy migration

secrets encrypted with the old XOR cipher (enc: prefix) are automatically migrated to ChaCha20 (enc2:) on decrypt. the old format is deprecated.

testing

cargo test --lib -- security::secrets
