wraith

vstockwell/wraith

Fork 0

Commit Graph

Author	SHA1	Message	Date
Vantz Stockwell	b11efce6ed	feat(security): Argon2id key derivation for vault encryption BREAKING CHANGE (forward-only): New credentials/keys encrypted with v2 (Argon2id-derived AES-256-GCM). Existing v1 records decrypt transparently. - Argon2id params: 64 MiB memory, 3 iterations, 4 parallelism (OWASP) - Per-record 16-byte salt stored in ciphertext format - v2 format: v2:<salt>:<iv>:<authTag>:<ciphertext> - Backwards compatible: v1 records still decrypt with raw key - Admin endpoint POST /api/credentials/migrate-v2 upgrades all v1→v2 - Added docs/FUTURE-FEATURES.md with remaining spec gaps Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-14 13:40:41 -04:00

Author

SHA1

Message

Date

Vantz Stockwell

b11efce6ed

feat(security): Argon2id key derivation for vault encryption

BREAKING CHANGE (forward-only): New credentials/keys encrypted with v2
(Argon2id-derived AES-256-GCM). Existing v1 records decrypt transparently.

- Argon2id params: 64 MiB memory, 3 iterations, 4 parallelism (OWASP)
- Per-record 16-byte salt stored in ciphertext format
- v2 format: v2:<salt>:<iv>:<authTag>:<ciphertext>
- Backwards compatible: v1 records still decrypt with raw key
- Admin endpoint POST /api/credentials/migrate-v2 upgrades all v1→v2
- Added docs/FUTURE-FEATURES.md with remaining spec gaps

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-14 13:40:41 -04:00

1 Commits