[GH-ISSUE #77] security: migrate encryption key derivation from SHA-256 to PBKDF2 #107

Open
opened 2026-03-07 19:27:46 +03:00 by kerem · 0 comments
Owner

Originally created by @adminsyspro on GitHub (Mar 6, 2026).
Original GitHub issue: https://github.com/adminsyspro/proxcenter-ui/issues/77

Problem

The current encryption of secrets (Proxmox API tokens, SSH keys/passwords) uses a simple SHA-256 hash of APP_SECRET as the AES-256-GCM key. This is fast to brute-force if the database is compromised.

Expected

Use PBKDF2 or scrypt with a high iteration count to derive the encryption key from APP_SECRET, making brute-force attacks significantly harder.

Implementation notes

  • Transparent migration required: existing encrypted values must be re-encrypted on first startup after the update
  • Migration flow: decrypt with old SHA-256 key → re-encrypt with PBKDF2-derived key → store alongside a version marker
  • Add a key_version or prefix to encrypted fields to distinguish old vs new format
  • Must handle rollback scenario (keep old key derivation as fallback for reading)
  • Affects: lib/encryption.ts (frontend), and any backend code that decrypts tokens

Priority

Critical — if the SQLite database is leaked, secrets are vulnerable to offline brute-force.
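The migration flow from the implementation notes, sketched as an added example (not code from proxcenter-ui or its lib/encryption.ts). Assumptions: the legacy stored value is base64 of iv | tag | ciphertext, the new format carries a "v2:" prefix and a per-value salt, and 600,000 PBKDF2-HMAC-SHA256 iterations are used; all function names are hypothetical.

```typescript
import { createCipheriv, createDecipheriv, createHash, pbkdf2Sync, randomBytes } from "crypto";

// Assumed values, not from the issue. Base64 never contains ":", so the
// prefix cannot collide with a legacy (unprefixed) value.
const V2_PREFIX = "v2:";
const PBKDF2_ITERATIONS = 600_000;

// Legacy derivation described in the issue: SHA-256(APP_SECRET) is the AES key.
const legacyKey = (secret: string): Buffer => createHash("sha256").update(secret).digest();
// New derivation: PBKDF2 stretches APP_SECRET with a random salt.
const pbkdf2Key = (secret: string, salt: Buffer): Buffer =>
  pbkdf2Sync(secret, salt, PBKDF2_ITERATIONS, 32, "sha256");

// AES-256-GCM; output layout (assumed): 12-byte IV | 16-byte tag | ciphertext.
function seal(key: Buffer, plaintext: string): Buffer {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

function unseal(key: Buffer, blob: Buffer): string {
  const decipher = createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the value was tampered with.
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]).toString("utf8");
}

// Stand-in for the current behaviour, used only to build legacy test data.
function encryptLegacy(secret: string, plaintext: string): string {
  return seal(legacyKey(secret), plaintext).toString("base64");
}

function encryptV2(secret: string, plaintext: string): string {
  const salt = randomBytes(16);
  return V2_PREFIX + Buffer.concat([salt, seal(pbkdf2Key(secret, salt), plaintext)]).toString("base64");
}

// Reads both formats: the old derivation stays as a read-only fallback.
function decryptAny(secret: string, stored: string): string {
  if (!stored.startsWith(V2_PREFIX)) return unseal(legacyKey(secret), Buffer.from(stored, "base64"));
  const blob = Buffer.from(stored.slice(V2_PREFIX.length), "base64");
  return unseal(pbkdf2Key(secret, blob.subarray(0, 16)), blob.subarray(16));
}

// Startup migration for one field: idempotent, so a second run changes nothing.
function migrate(secret: string, stored: string): string {
  return stored.startsWith(V2_PREFIX) ? stored : encryptV2(secret, decryptAny(secret, stored));
}
```

Because the salt is per value, every v2 read pays for one PBKDF2 run; deriving once per process from a single stored salt is the alternative if read latency matters.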
