feat(dgw): encrypt in-memory credentials

Add ChaCha20-Poly1305 encryption for credentials stored in the
credential store. Passwords are encrypted at rest with a master key
protected via libsodium's mlock/mprotect facilities, preventing exposure
in memory dumps or swap.

Issue: DGW-326

Author: CBenoit

Cargo.lock

@@ -74,6 +74,10 @@ bitflags = "2.9"
 # Security, crypto…
 picky = { version = "7.0.0-rc.15", default-features = false, features = ["jose", "x509", "pkcs12", "time_conversion"] }
 zeroize = { version = "1.8", features = ["derive"] }
+chacha20poly1305 = "0.10"
+secrets = "1.2"
+secrecy = { version = "0.10", features = ["serde"] }
+rand = "0.8"
 multibase = "0.9"
 argon2 = { version = "0.5", features = ["std"] }
 x509-cert = { version = "0.2", default-features = false, features = ["std"] }

devolutions-gateway/Cargo.toml

@@ -11,7 +11,7 @@ use uuid::Uuid;
 
 use crate::DgwState;
 use crate::config::Conf;
-use crate::credential::{AppCredentialMapping, CredentialStoreHandle};
+use crate::credential::CredentialStoreHandle;
 use crate::extract::PreflightScope;
 use crate::http::HttpError;
 use crate::session::SessionMessageSender;
@@ -45,7 +45,7 @@ struct ProvisionTokenParams {
 struct ProvisionCredentialsParams {
     token: String,
     #[serde(flatten)]
-    mapping: AppCredentialMapping,
+    mapping: crate::credential::CleartextAppCredentialMapping,
     time_to_live: Option<u32>,
 }
 
@@ -337,10 +337,19 @@ async fn handle_operation(
                 });
             }
 
+            // Encrypt passwords before storing.
+            let encrypted_mapping = mapping.map(|m| m.encrypt()).transpose().map_err(|e| {
+                error!(error = format!("{e:#}"), "Failed to encrypt credentials");
+                PreflightError::new(
+                    PreflightAlertStatus::InternalServerError,
+                    "credential encryption failed",
+                )
+            })?;
+
             let previous_entry = credential_store
-                .insert(token, mapping, time_to_live)
+                .insert(token, encrypted_mapping, time_to_live)
                 .inspect_err(|error| warn!(%operation.id, error = format!("{error:#}"), "Failed to insert credentials"))
-                .map_err(|e| PreflightError::new(PreflightAlertStatus::InvalidParams, format!("{e:#}")))?;
+                .map_err(|e| PreflightError::new(PreflightAlertStatus::InternalServerError, format!("{e:#}")))?;
 
             if previous_entry.is_some() {
                 outputs.push(PreflightOutput {

devolutions-gateway/src/api/preflight.rs

@@ -9,6 +9,7 @@ use camino::{Utf8Path, Utf8PathBuf};
 use cfg_if::cfg_if;
 use picky::key::{PrivateKey, PublicKey};
 use picky::pem::Pem;
+use secrecy::SecretString;
 use tap::prelude::*;
 use tokio::sync::Notify;
 use tokio_rustls::rustls::pki_types;
@@ -17,7 +18,6 @@ use url::Url;
 use uuid::Uuid;
 
 use crate::SYSTEM_LOGGER;
-use crate::credential::Password;
 use crate::listener::ListenerUrls;
 use crate::target_addr::TargetAddr;
 use crate::token::Subkey;
@@ -216,7 +216,7 @@ pub enum WebAppAuth {
 pub struct WebAppUser {
     pub name: String,
     /// Hash of the password, in the PHC string format
-    pub password_hash: Password,
+    pub password_hash: SecretString,
 }
 
 /// AI Router configuration (experimental)
@@ -1243,7 +1243,7 @@ fn generate_self_signed_certificate(
 
 fn read_pfx_file(
     path: &Utf8Path,
-    password: Option<&Password>,
+    password: Option<&SecretString>,
 ) -> anyhow::Result<(
     Vec<pki_types::CertificateDer<'static>>,
     pki_types::PrivateKeyDer<'static>,
@@ -1627,7 +1627,7 @@ pub mod dto {
         pub tls_private_key_file: Option<Utf8PathBuf>,
         /// Password to use for decrypting the TLS private key
         #[serde(skip_serializing_if = "Option::is_none")]
-        pub tls_private_key_password: Option<Password>,
+        pub tls_private_key_password: Option<SecretString>,
         /// Subject name of the certificate to use for TLS
         #[serde(skip_serializing_if = "Option::is_none")]
         pub tls_certificate_subject_name: Option<String>,