feat(dgw): encrypt in-memory credentials with optional mlock protection

.github/workflows/ci.yml

@@ -618,17 +618,8 @@ jobs:
 
       - name: Configure Linux runner
         if: ${{ matrix.os == 'linux' }}
-        run: |
-          sudo apt-get update
-          sudo apt-get -o Acquire::Retries=3 install python3-wget python3-setuptools libsystemd-dev dh-make
-
-      - name: Configure Linux (arm) runner
-        if: ${{ matrix.os == 'linux' && matrix.arch == 'arm64' }}
-        run: |
-          sudo dpkg --add-architecture arm64
-          sudo apt-get -o Acquire::Retries=3 install -qy binutils-aarch64-linux-gnu gcc-aarch64-linux-gnu g++-aarch64-linux-gnu qemu-user
-          rustup target add aarch64-unknown-linux-gnu
-          echo "STRIP_EXECUTABLE=aarch64-linux-gnu-strip" >> $GITHUB_ENV
+        run: ./ci/setup-linux-build-deps.ps1 -Architecture ${{ matrix.arch }} -InstallLibsodium
+        shell: pwsh
 
       - name: Install fpm
         if: ${{ matrix.os == 'Linux' }}
@@ -663,6 +654,19 @@ jobs:
           Write-Output "windows_sdk_ver_bin_path=$path" | Out-File -FilePath $env:GITHUB_OUTPUT -Append -Encoding utf8
         shell: pwsh
 
+      - name: Enable mlock for production
+        # On Linux, libsodium-dev is installed in the configure steps above (in the script).
+        # On Windows, libsodium is installed here via vcpkg (deferred to production to avoid slow builds on PRs).
+        if: ${{ needs.preflight.outputs.rust-profile == 'production' }}
+        run: |
+          if ($Env:RUNNER_OS -eq "Windows") {
+            # Install libsodium via vcpkg for the mlock feature (requires static library)
+            vcpkg install libsodium:x64-windows-static
+            echo "VCPKG_ROOT=$Env:VCPKG_INSTALLATION_ROOT" >> $Env:GITHUB_ENV
+          }
+          echo "CARGO_FEATURES=mlock" >> $Env:GITHUB_ENV
+        shell: pwsh
+
       - name: Build
         run: |
           if ($Env:RUNNER_OS -eq "Linux") {
@@ -871,17 +875,8 @@ jobs:
 
       - name: Configure Linux runner
         if: ${{ matrix.os == 'linux' }}
-        run: |
-          sudo apt-get update
-          sudo apt-get -o Acquire::Retries=3 install python3-wget python3-setuptools libsystemd-dev dh-make
-
-      - name: Configure Linux (arm) runner
-        if: ${{ matrix.os == 'linux' && matrix.arch == 'arm64' }}
-        run: |
-          sudo dpkg --add-architecture arm64
-          sudo apt-get -o Acquire::Retries=3 install -qy binutils-aarch64-linux-gnu gcc-aarch64-linux-gnu g++-aarch64-linux-gnu qemu-user
-          rustup target add aarch64-unknown-linux-gnu
-          echo "STRIP_EXECUTABLE=aarch64-linux-gnu-strip" >> $GITHUB_ENV
+        run: ./ci/setup-linux-build-deps.ps1 -Architecture ${{ matrix.arch }}
+        shell: pwsh
 
       - name: Install fpm
         if: ${{ matrix.os == 'Linux' }}

README.md

@@ -20,12 +20,24 @@ immediately, without going through the acceptance testing process of our quality
 
 ### From sources
 
-Ensure that you have [the Rust toolchain installed][install_rust], then clone this repository and run:
+Ensure that you have [the Rust toolchain installed][install_rust] and then clone this repository and run:
 
 ```shell
 cargo install --path ./devolutions-gateway
 ```
 
+To enable enhanced in-memory credential protection (mlock via libsodium), build with the `mlock` feature:
+
+```shell
+cargo install --path ./devolutions-gateway --features mlock
+```
+
+> **Note:** The `mlock` feature requires [libsodium][libsodium] to be installed.
+> On Windows, it is found automatically via vcpkg.
+> On Linux and macOS, install it using your system package manager (e.g., `apt install libsodium-dev` or `brew install libsodium`).
+> Production builds should always include the `mlock` feature.
+> Without it, a startup warning is emitted in release builds.
+
 ## Configuration
 
 Devolutions Gateway is configured using a JSON document.
@@ -339,6 +351,7 @@ See the dedicated [README.md file](./.github/workflows/README.md) in the `workfl
 [official_website]: https://devolutions.net/gateway/download/
 [github_release]: https://github.com/Devolutions/devolutions-gateway/releases
 [install_rust]: https://www.rust-lang.org/tools/install
+[libsodium]: https://libsodium.org/
 [psmodule]: https://www.powershellgallery.com/packages/DevolutionsGateway/
 [rustls]: https://crates.io/crates/rustls
 [microsoft_tls]: https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

ci/setup-linux-build-deps.ps1

@@ -0,0 +1,91 @@
+#!/usr/bin/env pwsh
+
+param(
+    [Parameter(Mandatory = $true)]
+    [ValidateSet('x86_64', 'arm64')]
+    [string] $Architecture,
+
+    [switch] $InstallLibsodium
+)
+
+$ErrorActionPreference = 'Stop'
+
+function Get-OsReleaseValue {
+    param(
+        [Parameter(Mandatory = $true)]
+        [string] $Name
+    )
+
+    $match = Get-Content '/etc/os-release' | Select-String -Pattern "^${Name}=(.*)$" | Select-Object -First 1
+    if (-not $match) {
+        throw "missing ${Name} in /etc/os-release"
+    }
+
+    return $match.Matches[0].Groups[1].Value.Trim('"')
+}
+
+function Set-UbuntuMultiarchSources {
+    $versionCodename = Get-OsReleaseValue -Name 'VERSION_CODENAME'
+    $sourcesFile = '/etc/apt/sources.list.d/ubuntu-multiarch.sources'
+    $tempFile = [System.IO.Path]::GetTempFileName()
+
+    @"
+Types: deb
+Architectures: amd64
+URIs: http://archive.ubuntu.com/ubuntu/
+Suites: $versionCodename $($versionCodename)-updates $($versionCodename)-backports
+Components: main restricted universe multiverse
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
+
+Types: deb
+Architectures: amd64
+URIs: http://security.ubuntu.com/ubuntu/
+Suites: $($versionCodename)-security
+Components: main restricted universe multiverse
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
+
+Types: deb
+Architectures: arm64
+URIs: http://ports.ubuntu.com/ubuntu-ports/
+Suites: $versionCodename $($versionCodename)-updates $($versionCodename)-backports $($versionCodename)-security
+Components: main restricted universe multiverse
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
+"@ | Set-Content -Path $tempFile -NoNewline
+
+    try {
+        & sudo rm -f '/etc/apt/sources.list.d/ubuntu.sources' '/etc/apt/sources.list'
+        & sudo install -m 644 $tempFile $sourcesFile
+    } finally {
+        Remove-Item -Path $tempFile -Force -ErrorAction SilentlyContinue
+    }
+}
+
+$packages = @(
+    'python3-wget',
+    'python3-setuptools',
+    'libsystemd-dev',
+    'dh-make'
+)
+
+if ($Architecture -eq 'arm64') {
+    & sudo dpkg --add-architecture arm64
+    Set-UbuntuMultiarchSources
+    $packages += @(
+        'binutils-aarch64-linux-gnu',
+        'gcc-aarch64-linux-gnu',
+        'g++-aarch64-linux-gnu',
+        'qemu-user'
+    )
+}
+
+if ($InstallLibsodium) {
+    $packages += if ($Architecture -eq 'arm64') { 'libsodium-dev:arm64' } else { 'libsodium-dev' }
+}
+
+& sudo apt-get update
+& sudo apt-get '-o' 'Acquire::Retries=3' 'install' '-qy' @packages
+
+if ($Architecture -eq 'arm64') {
+    & rustup target add aarch64-unknown-linux-gnu
+    Add-Content -Path $Env:GITHUB_ENV -Value 'STRIP_EXECUTABLE=aarch64-linux-gnu-strip'
+}