Skip to content

fix(security): remove storekey=insecure encryption bypass #1496

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
bbopen wants to merge 1 commit into from
Closed

fix(security): remove storekey=insecure encryption bypass #1496

bbopen wants to merge 1 commit into from

Conversation

@bbopen
Copy link
Contributor

@bbopen bbopen commented Dec 30, 2025
edited
Loading

Summary

  • Removes the storekey=insecure option that bypassed encryption
  • All data is now encrypted by default
  • Tests updated to verify rejection or use proper encryption

Changes

  • ensureKeyFromUrl() returns error for storekey=insecure
  • keyedCryptoFactory() throws for storekey=insecure
  • Removed unused noCrypto and nullCodec classes
  • Updated tests to use behavior-based assertions instead of exact CID checks

Test plan

  • Tests verify insecure mode is rejected with helpful error
  • Existing tests updated to use encryption
  • pnpm format passes
  • pnpm lint passes
  • pnpm test passes (128 files, 1775 tests)
  • pnpm build passes

Breaking Change

The storekey=insecure URL parameter is no longer supported. Remove it from any URLs to use automatic key generation.

Fixes ROBUST-03

Summary by CodeRabbit

  • Bug Fixes
    • Enforced encryption requirement by rejecting unencrypted storage configuration. The system now rejects attempts to use unencrypted data storage and requires all data to be encrypted, returning a clear error message when unencrypted storage is requested.

✏️ Tip: You can customize this high-level summary in your review settings.

@bbopen
fix(security): remove storekey=insecure encryption bypass
d149362 
BREAKING CHANGE: The storekey=insecure option is no longer supported.
All data is now encrypted by default. Remove storekey=insecure from
any URLs to use automatic key generation.

- Reject insecure mode in ensureKeyFromUrl() and keyedCryptoFactory()
- Update tests to verify rejection or use encryption
- Fixes ROBUST-03
@coderabbitai
Copy link
Contributor

coderabbitai bot commented Dec 30, 2025
edited
Loading

Walkthrough

This PR enforces data encryption by rejecting storekey=insecure mode across the codebase. A new ensureKeyFromUrl() method in KeyBag validates keys and explicitly rejects insecure configurations. The keyedCryptoFactory is refactored to require encryption and throw errors for missing or insecure store keys. All tests are updated to expect rejections when using insecure keys or to use valid store keys instead.

Changes

Cohort / File(s) Summary
Core encryption enforcement
core/keybag/key-bag.ts, core/runtime/keyed-crypto.ts		 Added ensureKeyFromUrl() method to validate keys and reject storekey=insecure with descriptive error. Refactored keyedCryptoFactory to enforce encryption requirement, remove fallback to unencrypted mode, and reject missing or insecure store keys.
Test updates for insecure key rejection
core/tests/blockstore/keyed-crypto-indexeddb-file.test.ts		 Rewrote test expectations from accepting insecure store keys to asserting rejection with error message containing "storekey=insecure is no longer supported".
KeyedCryptoStore test refactoring
core/tests/blockstore/keyed-crypto.test.ts		 Renamed "no crypto" test to "rejects insecure storekey" and updated subsequent tests to use valid store keys ("test-create-key", "test-key-ref", "test-direct-key") instead of "insecure".
Store parameter cleanup
core/tests/blockstore/standalone.test.ts		 Removed PARAM.STORE_KEY=insecure from URI constructions in peer-log and LedgerOpts data store URIs.
Memory storage and validation updates
core/tests/fireproof/attachable.test.ts, core/tests/fireproof/stable-cid.test.ts		 Replaced insecure memory base with encrypted storage. Relaxed carLog and memory gateway assertions to validate structure rather than exact contents. Removed insecure storekey test factory from parameterized tests.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • mabels

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and specifically describes the main security change: removing the insecure storekey encryption bypass, which aligns perfectly with the changeset's primary objective of enforcing encryption across all data.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
✨ Finishing touches
  • 📝 Generate docstrings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@mabels
Copy link
Contributor

mabels commented Jan 5, 2026

hi, we want to keep this for now --- for debugging. It has to be enabled explicitly.
In the next architecture, the encryption is moved from the current core into the gateway implementation, and then the responsibility is pushed to the gateway implementation.

@mabels mabels closed this Jan 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bbopen @mabels