Files
GoblinPay/deploy
2ro b2e11ff1fe security: encrypt the wallet password at rest + deprecate inline secrets
Close the remaining "secrets touch a plaintext file" gap. The unattended
restart mode now SEALS the operator-chosen wallet password to the host with
`systemd-creds encrypt` (ciphertext at rest, read via LoadCredentialEncrypted,
decrypted into a tmpfs credentials dir at each start), so no plaintext wallet
key is written to disk. When systemd-creds is unavailable it falls back to the
legacy root-owned 0400 plaintext file with a loud warning, and re-running
`setup --reconfigure` once it is available upgrades to encryption.

- wizard: seal via systemd-creds (injectable for tests), write the
  encrypted.conf drop-in, keep the manual.conf tmpfs path unchanged;
  reconfiguring a till that keeps no readable password on disk (encrypted or
  manual) now prompts for the existing password to reopen the wallet.
- startup: loud deprecation warning when a money secret (GP_MNEMONIC,
  GP_WALLET_PASSWORD, GP_NSEC) is supplied INLINE rather than via a *_FILE or
  systemd credential; the value is never logged, only the variable name.
- docs: README, .env.example, install.sh, and the systemd unit updated to the
  encrypted-at-rest default and the honest fallback/trade-off.

Tests: gp-core config + gp-core/gp-server setup cover the inline-secret warning,
the encrypted drop-in, the sealed-vs-plaintext shapes, and encrypted
reconfigure. Full workspace suite green; fmt introduces no new drift; clippy
-D warnings clean on the workspace crates.
2026-07-06 20:17:52 -04:00
..
2026-07-03 03:22:43 -04:00