Security: Implement token encryption for file-based storage #34
Description
Description
As identified in PR #32 review, the current file-based token storage implementation uses proper file permissions but lacks encryption at rest. This could be enhanced for better security.
Current State
- Tokens are stored in plain JSON files (.esologs_token.json)
- File permissions provide basic protection
- No encryption at rest
Proposed Solution
- Add optional encryption using the
cryptographylibrary - Integrate with OS keychains using the
keyringlibrary - Provide configuration option to enable/disable encryption
- Maintain backward compatibility with existing token files
Implementation Ideas
# Optional encryption wrapper
class EncryptedTokenStorage:
def __init__(self, key_source='environment'):
self.cipher = self._initialize_cipher(key_source)
def save_token(self, token, filepath):
encrypted_data = self.cipher.encrypt(json.dumps(token))
# Save encrypted data
def load_token(self, filepath):
# Load and decryptBenefits
- Enhanced security for stored credentials
- Compliance with security best practices
- Optional feature maintains simplicity for development
Considerations
- Should be opt-in to avoid breaking existing workflows
- Clear documentation on key management
- Performance impact should be minimal
References
- PR Release v0.2.0b1 - First Beta Release #32 review feedback
- Security best practices for credential storage