.

Author: CBenoit

devolutions-gateway/src/api/preflight.rs

@@ -337,17 +337,8 @@ async fn handle_operation(
                 });
             }
 
-            // Encrypt passwords before storing.
-            let encrypted_mapping = mapping.map(|m| m.encrypt()).transpose().map_err(|e| {
-                error!(error = format!("{e:#}"), "Failed to encrypt credentials");
-                PreflightError::new(
-                    PreflightAlertStatus::InternalServerError,
-                    "credential encryption failed",
-                )
-            })?;
-
             let previous_entry = credential_store
-                .insert(token, encrypted_mapping, time_to_live)
+                .insert(token, mapping, time_to_live)
                 .inspect_err(|error| warn!(%operation.id, error = format!("{error:#}"), "Failed to insert credentials"))
                 .map_err(|e| PreflightError::new(PreflightAlertStatus::InternalServerError, format!("{e:#}")))?;
 

devolutions-gateway/src/credential/mod.rs

@@ -45,9 +45,10 @@ pub struct AppCredentialMapping {
     pub target: AppCredential,
 }
 
-/// Cleartext credential wrapper used only for deserialization.
+/// Cleartext credential received from the API, used for deserialization only.
 ///
-/// This type is converted to `AppCredential` (with encrypted password) immediately after deserialization.
+/// Passwords are encrypted and stored as [`AppCredential`] inside the credential store.
+/// This type is never stored directly — hand it to [`CredentialStoreHandle::insert`].
 #[derive(Debug, Deserialize)]
 #[serde(tag = "kind")]
 pub enum CleartextAppCredential {
@@ -59,8 +60,7 @@ pub enum CleartextAppCredential {
 }
 
 impl CleartextAppCredential {
-    /// Encrypt the password and convert to storage-ready `AppCredential`.
-    pub fn encrypt(self) -> anyhow::Result<AppCredential> {
+    fn encrypt(self) -> anyhow::Result<AppCredential> {
         match self {
             CleartextAppCredential::UsernamePassword { username, password } => {
                 let encrypted = MASTER_KEY.lock().encrypt(password.expose_secret())?;
@@ -73,9 +73,9 @@ impl CleartextAppCredential {
     }
 }
 
-/// Cleartext credential mapping wrapper used only for deserialization.
+/// Cleartext credential mapping received from the API, used for deserialization only.
 ///
-/// This type is converted to `AppCredentialMapping` (with encrypted passwords) immediately after deserialization.
+/// Passwords are encrypted on write. Hand this directly to [`CredentialStoreHandle::insert`].
 #[derive(Debug, Deserialize)]
 pub struct CleartextAppCredentialMapping {
     #[serde(rename = "proxy_credential")]
@@ -85,8 +85,7 @@ pub struct CleartextAppCredentialMapping {
 }
 
 impl CleartextAppCredentialMapping {
-    /// Encrypt passwords and convert to storage-ready `AppCredentialMapping`.
-    pub fn encrypt(self) -> anyhow::Result<AppCredentialMapping> {
+    fn encrypt(self) -> anyhow::Result<AppCredentialMapping> {
         Ok(AppCredentialMapping {
             proxy: self.proxy.encrypt()?,
             target: self.target.encrypt()?,
@@ -111,9 +110,10 @@ impl CredentialStoreHandle {
     pub fn insert(
         &self,
         token: String,
-        mapping: Option<AppCredentialMapping>,
+        mapping: Option<CleartextAppCredentialMapping>,
         time_to_live: time::Duration,
     ) -> anyhow::Result<Option<ArcCredentialEntry>> {
+        let mapping = mapping.map(CleartextAppCredentialMapping::encrypt).transpose()?;
         self.0.lock().insert(token, mapping, time_to_live)
     }
 

devolutions-gateway/src/rdp_proxy.rs

@@ -412,7 +412,8 @@ where
         username,
         password: decrypted_password.expose_secret().to_owned(),
     };
-    // decrypted_password drops here, zeroizing memory.
+    // decrypted_password drops here, zeroizing its buffer; note: a copy of the plaintext
+    // remains in `credentials` above, which is a regular String (downstream API limitation).
 
     let (mut sequence, mut ts_request) = ironrdp_connector::credssp::CredsspSequence::init(
         credentials,
@@ -572,7 +573,8 @@ where
             username,
             password: decrypted_password.expose_secret().to_owned().into(),
         };
-        // decrypted_password drops here, zeroizing memory.
+        // decrypted_password drops here, zeroizing its buffer; note: a copy of the plaintext
+        // remains in `identity` above (downstream API limitation).
 
         let mut sequence = ironrdp_acceptor::credssp::CredsspSequence::init(
             &identity,