Problem or motivation
Currently the security model is exposed to disk theft.
Proposed solution
The current LocalFileCrypto could evolve to:
- Generate a random DEK (as now), store it wrapped under either a fixed KEK or an Argon2id-derived KEK
- Optionally accept a passphrase (or AUTHSOME_MASTER_PASSWORD env var) to derive the KEK
- Wipe the KEK from memory after unwrapping
Alternatives considered
No response
Area
Storage / encryption
Additional context
No response
Problem or motivation
Currently the security model is exposed to disk theft.
Proposed solution
The current LocalFileCrypto could evolve to:
Alternatives considered
No response
Area
Storage / encryption
Additional context
No response