Add optional local data encryption with data.bin vault #5

Open
spotco wants to merge 4 commits into henricook:main from spotco:pr/optional-local-vault-encryption

spotco commented May 31, 2026

Adds optional encryption for local LibreOTP data by migrating plaintext data.json storage into an encrypted data.bin vault.

This includes:

  • AES-GCM encrypted local vault support using PBKDF2-HMAC-SHA256 key derivation
  • Prefer data.bin over data.json when both exist
  • Prompt to migrate existing plaintext local data into the encrypted vault
  • Password dialogs for creating, unlocking, and changing the vault password
  • Loading overlays while encrypted data is being unlocked, encrypted, or re-saved
  • Tests for vault encryption, storage behavior, password dialogs, and state transitions

spotco commented May 31, 2026

Author

On load with plaintext json, prompts to encrypt local json (into a data.bin).

Prompts for password on encrypt.

On loading an encrypted vault, prompts for password.

(Password prompt)

And passwords are visible upon entering the correct password!

data.bin (as opposed to data.json) is stored at:
C:\Users\<USERNAME>\AppData\Roaming\com.henricook\LibreOTP\

henricook commented May 31, 2026

Owner

Thanks @spotco! Do you mind if I push a couple of minor amendments and then prompt you to take a look? Broadly though, looking good.

spotco commented May 31, 2026

Author

yep, go ahead 👍

Henri Cook added 3 commits May 31, 2026 13:58
- Raise vault KDF to 600k PBKDF2-SHA256 iterations (OWASP guidance)
- Reject out-of-range iteration counts on load (unlock DoS guard)
- Distinguish wrong-password from corrupted-vault errors via typed
  error kinds instead of string matching
- Cache the derived key per session and restrict write-verification
  to migrate / password-change, so routine saves skip PBKDF2
- Share PBKDF2/AES-GCM primitives between the vault and 2FAS services
- Fix off-by-one length guard that blocked decrypting empty payloads
- Cancel pending debounced save during migrate / password change
- Reopen the vault prompt on a failed unlock instead of clearing the
  unrelated 2FAS backup credential
- Expand test coverage for unlock, error-kind, AAD-tamper and
  empty-plaintext paths
…lt-encryption

# Conflicts:
#	lib/presentation/pages/dashboard_page.dart
- Remember when the user picks "Not Now" on the encryption migration
  prompt so it is not shown again on every launch
- Store the choice in SharedPreferences and honour it on load
- The manual "Encrypt Local Data" action remains available afterwards
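
The unlock-path guards listed in the commit messages above (iteration-count range check before key derivation, a length guard that still admits an empty payload, typed error kinds), as an added sketch that is not code from this pull request. It is written for Node.js rather than the project's Dart; the byte layout, the `VLT1` magic, the iteration bounds and the error-kind names are assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');

// Constructed layout (an assumption, not LibreOTP's data.bin format):
// magic(4) | iterations u32 BE(4) | salt(16) | nonce(12) | ciphertext | tag(16)
const MAGIC = Buffer.from('VLT1');
const DEFAULT_ITER = 600000;                 // count named in the commit message
const MIN_ITER = 100000, MAX_ITER = 5000000; // assumed bounds; the page gives none
const HEADER_LEN = 36, TAG_LEN = 16;

class VaultError extends Error {
  constructor(kind, message) { super(message); this.kind = kind; }
}

function deriveKey(password, salt, iterations) {
  return crypto.pbkdf2Sync(password, salt, iterations, 32, 'sha256');
}

function sealVault(password, plaintext, iterations = DEFAULT_ITER) {
  const prefix = Buffer.alloc(8);
  MAGIC.copy(prefix);
  prefix.writeUInt32BE(iterations, 4);
  const salt = crypto.randomBytes(16), nonce = crypto.randomBytes(12);
  const aad = Buffer.concat([prefix, salt]); // KDF parameters are authenticated
  const c = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt, iterations), nonce);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([aad, nonce, ct, c.getAuthTag()]);
}

function openVault(password, blob) {
  // "<" rather than "<=": an empty plaintext leaves exactly header + tag.
  if (blob.length < HEADER_LEN + TAG_LEN || !blob.subarray(0, 4).equals(MAGIC))
    throw new VaultError('corrupted', 'bad length or magic');
  const iterations = blob.readUInt32BE(4);
  // Checked before any key derivation so a crafted file cannot stall unlock.
  if (iterations < MIN_ITER || iterations > MAX_ITER)
    throw new VaultError('corrupted', 'iteration count out of range');
  const key = deriveKey(password, blob.subarray(8, 24), iterations);
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(24, HEADER_LEN));
  d.setAAD(blob.subarray(0, 24));
  d.setAuthTag(blob.subarray(blob.length - TAG_LEN));
  try {
    return Buffer.concat([d.update(blob.subarray(HEADER_LEN, blob.length - TAG_LEN)), d.final()]);
  } catch {
    // A GCM tag failure covers both a wrong key and modified bytes.
    throw new VaultError('wrongPassword', 'authentication failed');
  }
}
```

Structural faults surface as `corrupted` without running PBKDF2 at all, while a tag failure is reported as `wrongPassword` so a caller can reopen the password prompt.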