Add optional local data encryption with data.bin vault #5
Open
spotco wants to merge 4 commits into
Author
Owner
Thanks @spotco ! Do you mind if I push a couple of minor amendments and then prompt you to take a look? Broadly though, looking good
Author
yep, go ahead 👍
added 3 commits
May 31, 2026 13:58
- Raise vault KDF to 600k PBKDF2-SHA256 iterations (OWASP guidance)
- Reject out-of-range iteration counts on load (unlock DoS guard)
- Distinguish wrong-password from corrupted-vault errors via typed error kinds instead of string matching
- Cache the derived key per session and restrict write-verification to migrate / password-change, so routine saves skip PBKDF2
- Share PBKDF2/AES-GCM primitives between the vault and 2FAS services
- Fix off-by-one length guard that blocked decrypting empty payloads
- Cancel pending debounced save during migrate / password change
- Reopen the vault prompt on a failed unlock instead of clearing the unrelated 2FAS backup credential
- Expand test coverage for unlock, error-kind, AAD-tamper and empty-plaintext paths
…lt-encryption # Conflicts: # lib/presentation/pages/dashboard_page.dart
- Remember when the user picks "Not Now" on the encryption migration prompt so it is not shown again on every launch
- Store the choice in SharedPreferences and honour it on load
- The manual "Encrypt Local Data" action remains available afterwards
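The load-time iteration guard and typed error kinds listed in the KDF commit above, sketched in Python as an added example; it is not code from this pull request. The JSON header layout, the bounds of 100,000 to 5,000,000 iterations, and the HMAC key-check value standing in for the AES-GCM tag check are all assumptions.

```python
import hashlib, hmac, json, os
from enum import Enum

DEFAULT_ITER = 600_000                    # figure named in the commit message
MIN_ITER, MAX_ITER = 100_000, 5_000_000   # assumed bounds; the PR's real limits are not shown

class VaultErrorKind(Enum):
    WRONG_PASSWORD = "wrong_password"
    CORRUPTED = "corrupted"

class VaultError(Exception):
    def __init__(self, kind, detail):
        super().__init__(detail)
        self.kind = kind                  # callers branch on this, never on the message text

def _derive(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)

def _check_value(key):
    # Assumed stand-in for the AES-GCM tag check a real vault would perform.
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()

def create_header(password, iterations=DEFAULT_ITER):
    salt = os.urandom(16)
    key = _derive(password, salt, iterations)
    return json.dumps({"iter": iterations, "salt": salt.hex(), "check": _check_value(key).hex()})

def unlock(header_json, password):
    try:
        h = json.loads(header_json)
        iterations = h["iter"]
        salt, check = bytes.fromhex(h["salt"]), bytes.fromhex(h["check"])
    except (ValueError, KeyError, TypeError) as exc:
        raise VaultError(VaultErrorKind.CORRUPTED, f"malformed header: {exc}") from exc
    # Validate the file-supplied cost BEFORE running the KDF: a header claiming
    # billions of iterations would hang unlock, and a tiny count weakens the key.
    if type(iterations) is not int or not MIN_ITER <= iterations <= MAX_ITER:
        raise VaultError(VaultErrorKind.CORRUPTED, f"iteration count out of range: {iterations!r}")
    key = _derive(password, salt, iterations)
    if not hmac.compare_digest(_check_value(key), check):
        raise VaultError(VaultErrorKind.WRONG_PASSWORD, "key check failed")
    return key

if __name__ == "__main__":
    header = create_header("correct horse")   # constructed sample vault header
    for pw in ("correct horse", "guess"):
        try:
            print(pw, "->", len(unlock(header, pw)), "byte key")
        except VaultError as err:
            print(pw, "->", err.kind.name)
```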
Adds optional encryption for local LibreOTP data by migrating plaintext data.json storage into an encrypted data.bin vault.

This includes:
data.bin over data.json when both exist