Skip to content

🚀[Feature]: Vault-level encryption modes for Context module (Full, Partial, None) #103

New issue
New issue
Open
Open
🚀[Feature]: Vault-level encryption modes for Context module (Full, Partial, None)#103
@MariusStorhaug

Description

@MariusStorhaug
MariusStorhaug
opened on Sep 20, 2025

Description

Background

Currently, the Context module uses Sodium (libsodium) to encrypt all data stored in a context, including both secrets and non-sensitive configuration values. This ensures maximum security but creates overhead for non-secret values and can complicate interoperability and debugging.

Motivation

The new requirement is to allow vaults to specify their preferred encryption mode: "Full", "Partial", or "None". This enables fine-grained control per vault:

  • Full: Encrypt all context data in the vault
  • Partial: Encrypt only secrets (SecureString fields); other data in plaintext JSON
  • None: Store all context data in plaintext JSON

This will:

  • Improve performance and usability for non-sensitive data
  • Make debugging and interoperability easier
  • Maintain strong security for secrets when needed
  • Allow individual vaults to fit different security and performance needs

Proposed Design

  • Vaults will have a setting (EncryptionMode) with allowed values: "Full", "Partial", "None"
  • When storing a context object:
    • If "Full": All data encrypted as today
    • If "Partial": Only SecureString fields encrypted using Sodium; other fields plaintext JSON
    • If "None": All fields stored as plaintext JSON
    • The storage format should support backward compatibility for reading previously encrypted full-context files
  • Set-Context and Get-Context functions will be updated to:
    • Respect the vault's EncryptionMode when saving/loading
    • Continue to support vault isolation and per-vault key management
    • Store metadata in the context info describing how the context was persisted
    • When reading, use the persisted metadata to determine how to read the context; if not present, assume "Full" mode
    • Vault-level settings are changeable; the setting controls how contexts are written to disk going forward
  • Update documentation and developer guides to reflect the new behavior
  • Add tests for all encryption scenarios (Full, Partial, None) and mixed contexts
  • SecureString detection must continue to work recursively for deeply nested objects and arrays

Migration

  • Add a migration plan for existing vaults/contexts encrypted as a whole (support seamless reading, warn on write if format changes)
  • Allow vaults to upgrade or downgrade their encryption mode

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions