Replace XOR stream cipher with AES-256-GCM #7

Draft
Copilot wants to merge 2 commits into main from copilot/use-secure-encryption-scheme

Copilot AI commented Mar 22, 2026

The XOR stream cipher used for PII encryption (usernames, emails, roles, activity/session descriptions) is trivially broken via known-plaintext attacks and provides no authentication.

Changes

  • encrypt() — replaced XOR keystream with AES-256-GCM; generates a fresh 96-bit os.urandom nonce per call. Output format: base64(nonce || ciphertext || 16-byte GCM tag).
  • decrypt() — authenticated decryption; any tampered nonce, ciphertext, or tag returns "[decryption error]" rather than corrupt plaintext.
  • Import — added from cryptography.hazmat.primitives.ciphers.aead import AESGCM.
  • Docstring — updated security model description; removed the XOR caveat.

Key derivation (_derive_key via SHA-256) and all call sites are unchanged — both functions keep their synchronous (str, str) → str signature.

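# Imports used by the two versions below
import base64
import os

from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Before – deterministic keystream, no auth
def encrypt(plaintext, secret):
    key  = _derive_key(secret)          # existing SHA-256 helper, unchanged by this PR
    data = plaintext.encode("utf-8")    # bytes XORed with the repeated key
    ks   = (key * (len(data) // len(key) + 1))[:len(data)]
    return base64.b64encode(bytes(a ^ b for a, b in zip(data, ks))).decode("ascii")

# After – random nonce, authenticated ciphertext
def encrypt(plaintext, secret):
    key    = _derive_key(secret)
    nonce  = os.urandom(12)             # fresh 96-bit nonce per call
    aesgcm = AESGCM(key)
    ct     = aesgcm.encrypt(nonce, plaintext.encode("utf-8"), None)  # ciphertext || 16-byte tag
    return base64.b64encode(nonce + ct).decode("ascii")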

Note: existing rows encrypted with XOR will fail authentication after this change. A one-time re-seed or migration is required for any deployed database.

Original prompt

This section details on the original issue you should resolve

<issue_title>Use a secure encryption scheme</issue_title>
<issue_description>Currently, the repository uses an XOR-based scheme with a fixed key derived from a secret. This approach is not secure and can be vulnerable to attacks (e.g., known-plaintext attacks).

I noticed that the code already mentions replacing this with a more robust encryption scheme (e.g., AES-GCM) at a later stage. However, I thought it might be useful to track this as an issue.

I’d be happy to work on this if you think it’s worth addressing at this stage.</issue_description>

Comments on the Issue (you are @copilot in this section)
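
The decrypt() behaviour and the migration note in the description above, as an added example that is not the repository's or the PR's own code. It assumes the `cryptography` package the PR imports; the `_derive_key` body (the PR only says "via SHA-256"), `legacy_xor_encrypt`, `flip_bit` and the constants are hypothetical stand-ins, and all sample values are constructed.

```python
import base64
import binascii
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12   # 96-bit nonce, as in the PR description
TAG_LEN = 16     # GCM tag that AESGCM.encrypt() appends to the ciphertext
ERROR = "[decryption error]"


def _derive_key(secret: str) -> bytes:
    # Assumption: stand-in for the repo helper; SHA-256 yields a 32-byte AES-256 key.
    return hashlib.sha256(secret.encode("utf-8")).digest()


def encrypt(plaintext: str, secret: str) -> str:
    nonce = os.urandom(NONCE_LEN)
    ct = AESGCM(_derive_key(secret)).encrypt(nonce, plaintext.encode("utf-8"), None)
    return base64.b64encode(nonce + ct).decode("ascii")


def decrypt(token: str, secret: str) -> str:
    try:
        blob = base64.b64decode(token, validate=True)
        if len(blob) < NONCE_LEN + TAG_LEN:
            return ERROR  # too short to hold a nonce and a tag (e.g. a short legacy row)
        nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
        return AESGCM(_derive_key(secret)).decrypt(nonce, ct, None).decode("utf-8")
    except (InvalidTag, binascii.Error, ValueError):
        return ERROR  # tampered data, wrong key, bad base64 or a legacy XOR row


def legacy_xor_encrypt(plaintext: str, secret: str) -> str:
    # The pre-PR scheme, kept only to build a constructed legacy row for the checks.
    data, key = plaintext.encode("utf-8"), _derive_key(secret)
    ks = (key * (len(data) // len(key) + 1))[:len(data)]
    return base64.b64encode(bytes(a ^ b for a, b in zip(data, ks))).decode("ascii")


def flip_bit(token: str, index: int) -> str:
    # Check helper: flip one bit of the decoded blob to simulate storage tampering.
    blob = bytearray(base64.b64decode(token))
    blob[index] ^= 0x01
    return base64.b64encode(bytes(blob)).decode("ascii")
```

Because legacy rows come back as "[decryption error]" rather than raising, a migration has to decrypt them with the old XOR routine first and then re-encrypt; the new decrypt() alone cannot tell a legacy row from a tampered one.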



cloudflare-workers-and-pages bot commented Mar 22, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status: ❌ Deployment failed
Name: learn
Latest Commit: f5a4628
Updated (UTC): Mar 22 2026, 05:16 PM

Copilot AI changed the title from "[WIP] Update encryption scheme to use AES-GCM" to "Replace XOR stream cipher with AES-256-GCM" Mar 22, 2026
Copilot AI requested a review from A1L13N March 22, 2026 17:16