Encrypt HybridFileBackedSqlStorage with Android Keystore#3646
Draft
avazirna wants to merge 8 commits into encrypt-form-submissions-with-keystore from
Conversation
Replace per-record derived AES key with CommCareKeyManager.generateLegacyKeyOrEmpty() so new large records use the Android Keystore key when available. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add usesKeystoreEncryption() helper and update getOutputFileStream() to use Keystore encryption when AES key is empty. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Test write, read, and filesystem-to-database migration with the mock Keystore provider registered to exercise the Keystore path. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Product Description
No user-facing changes. This is an internal security enhancement that extends Android Keystore encryption to the HybridFileBackedSqlStorage layer, which stores fixtures and other file-backed data.

Technical Summary

Extends the Keystore encryption work from encrypt-form-submissions-with-keystore to cover HybridFileBackedSqlStorage. New records are encrypted using the Android Keystore key (via CommCareKeyManager), while existing records encrypted with legacy per-record AES keys continue to be readable.

Key changes:

- HybridFileBackedSqlStorage: branch read/write/output-stream paths for Keystore vs legacy encryption based on whether the stored AES key is empty
- CommCareKeyManager: add @VisibleForTesting test override for session key to enable unit testing without a real Keystore
- EncryptionIO: remove unused SecretKeySpec import
- FormUploadUtil: remove dead getDecryptCipher methods (cipher creation now centralized in EncryptionIO)
- HybridFileBackedSqlStorageKeystoreTest with round-trip write/read, new record write, and filesystem-to-DB migration tests

Feature Flag

Gated by AndroidKeyStore.isKeystoreAvailable() — only activates on devices with hardware-backed Keystore support.

Safety Assurance
Safety story
The empty-key check (aesKeyBytes == null || aesKeyBytes.length == 0) cleanly distinguishes Keystore-encrypted records from legacy ones without schema changes.

Automated test coverage
HybridFileBackedSqlStorageKeystoreTest: 3 tests covering Keystore-encrypted write+read, new record creation, and filesystem↔DB migration round-trips

QA Plan

TRACE_FILE_ENCRYPTION_TIME traces for Keystore vs legacy performance

Labels and Review
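The dispatch the description relies on (empty stored key bytes means "Keystore-encrypted", anything else means "legacy per-record key") is easy to get wrong on the read side, where a Keystore record must fail loudly rather than fall through to the legacy path. The following Java program is an added illustration of that branching and of the filesystem-to-DB migration the tests exercise; it is not CommCare's code and does not use its classes. Everything in it is assumed for the example: the KeystoreProvider interface stands in for a Keystore-backed key (mocked with an in-memory key the way a unit test would register one), Record is a toy two-field row, seal/open use AES-GCM because the page does not say which mode the app uses, and the legacy per-record key is kept raw beside the record purely to make the discriminator visible (the real app derives and protects that key).

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Toy model of the per-record Keystore-vs-legacy dispatch; hypothetical, not the CommCare implementation. */
public class HybridRecordCrypto {

    /** Hypothetical stand-in for a Keystore-backed key source (in the app the key never leaves the Keystore). */
    interface KeystoreProvider { SecretKey sessionKey(); }

    static final int GCM_IV_BYTES = 12;
    static final int GCM_TAG_BITS = 128;
    static final SecureRandom RNG = new SecureRandom();

    /** What is persisted per record: the ciphertext blob and the per-record key bytes (empty on the Keystore path). */
    static final class Record {
        final byte[] aesKeyBytes;  // null or zero-length marks a Keystore-encrypted record
        final byte[] blob;         // IV || ciphertext || GCM tag
        Record(byte[] aesKeyBytes, byte[] blob) { this.aesKeyBytes = aesKeyBytes; this.blob = blob; }
    }

    /** The discriminator: no stored key means the record was encrypted under the Keystore key. */
    static boolean usesKeystoreEncryption(byte[] aesKeyBytes) {
        return aesKeyBytes == null || aesKeyBytes.length == 0;
    }

    static byte[] seal(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);  // fresh random IV per record; GCM is broken by IV reuse under one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] open(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, blob, 0, GCM_IV_BYTES));
        return c.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);  // AEADBadTagException if tampered
    }

    /** Write path: use the Keystore key when a provider is registered, otherwise mint a per-record key (legacy). */
    static Record write(KeystoreProvider keystore, byte[] plaintext) throws Exception {
        if (keystore != null) {
            return new Record(new byte[0], seal(keystore.sessionKey(), plaintext));
        }
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey perRecord = kg.generateKey();
        // Toy simplification: the legacy key is stored raw beside the record so the empty/non-empty
        // distinction is visible; the real app derives and protects this key rather than storing it.
        return new Record(perRecord.getEncoded(), seal(perRecord, plaintext));
    }

    /** Read path: branch on the stored key bytes so legacy records stay readable after the switch. */
    static byte[] read(KeystoreProvider keystore, Record r) throws Exception {
        if (usesKeystoreEncryption(r.aesKeyBytes)) {
            if (keystore == null) {
                // Never fall through to the legacy path here: there is no legacy key to try.
                throw new IllegalStateException("Keystore-encrypted record but no Keystore key available");
            }
            return open(keystore.sessionKey(), r.blob);
        }
        return open(new SecretKeySpec(r.aesKeyBytes, "AES"), r.blob);
    }

    /** Migration: re-encrypt a legacy record under the Keystore key and clear its stored key bytes. */
    static Record migrate(KeystoreProvider keystore, Record legacy) throws Exception {
        if (usesKeystoreEncryption(legacy.aesKeyBytes)) {
            return legacy;  // already on the Keystore path; nothing to do
        }
        return new Record(new byte[0], seal(keystore.sessionKey(), read(null, legacy)));
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey mockKey = kg.generateKey();  // mock Keystore key, as a unit test would register
        KeystoreProvider mock = () -> mockKey;
        byte[] fixture = "constructed fixture payload".getBytes(StandardCharsets.UTF_8);  // constructed sample

        Record legacy = write(null, fixture);  // written before Keystore support: key bytes stored
        Record fresh = write(mock, fixture);   // written with the provider registered: key bytes empty
        System.out.println("legacy uses keystore: " + usesKeystoreEncryption(legacy.aesKeyBytes));
        System.out.println("fresh uses keystore: " + usesKeystoreEncryption(fresh.aesKeyBytes));
        System.out.println("legacy round-trip ok: " + Arrays.equals(fixture, read(mock, legacy)));
        System.out.println("fresh round-trip ok: " + Arrays.equals(fixture, read(mock, fresh)));

        Record migrated = migrate(mock, legacy);  // same schema, key bytes now empty
        System.out.println("migrated round-trip ok: " + Arrays.equals(fixture, read(mock, migrated)));

        try {
            read(null, fresh);  // Keystore record on a device whose key is gone must not silently fail
        } catch (IllegalStateException e) {
            System.out.println("no-keystore read rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac HybridRecordCrypto.java && java HybridRecordCrypto`. The one design point worth carrying over to the real storage layer is the explicit failure in `read`: once an empty key is the marker for "Keystore-encrypted", a record with an empty key and no usable Keystore key has no legacy fallback, so the read path should raise rather than attempt legacy decryption with an empty key.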