Optional encryption-at-rest for sensitive fields (currently camera credentials), keyed by
HELDAR_SECRET_KEY.
- No key configured (the LAN-appliance default, and the open-source default): values are stored and served as plaintext — behaviour is unchanged.
- Key configured (production): new writes are AES-256-GCM sealed (enc:v1: + base64 of nonce ‖ ciphertext+tag); reads transparently decrypt both sealed and legacy-plaintext values.
The key is process-global immutable config: init_key is called once at startup (before any
camera URL is built), and the camera_url builder reads it via decrypt_stored. A sealed value
encountered with no/wrong key is a hard error — the kernel never feeds ciphertext to ffmpeg.
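The read-path rules above (legacy-plaintext passthrough, hard error on a sealed value when no key is loaded), as an added std-only Rust example that is not this crate's own code. The names plan_read, ReadPlan, ReadError and b64_decode are hypothetical, and the standard base64 alphabet, 12-byte nonce and 16-byte tag are assumptions the page does not state. The AES-256-GCM open itself is left out, so the wrong-key case, which would surface as a tag-verification failure, is not shown.

```rust
// Added example, not the crate's code. Assumed: standard base64 alphabet,
// 12-byte GCM nonce, 16-byte tag. The AES-256-GCM open itself is not shown.
const PREFIX: &str = "enc:v1:";
const NONCE_LEN: usize = 12; // assumption
const TAG_LEN: usize = 16; // assumption
const B64: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

#[derive(Debug, PartialEq)]
enum ReadPlan {
    Plaintext(String),                      // legacy value: serve as-is
    Open { nonce: Vec<u8>, body: Vec<u8> }, // pass to the AEAD; body = ciphertext+tag
}

#[derive(Debug, PartialEq)]
enum ReadError { SealedButNoKey, Malformed }

// Std-only base64 decoder (lenient about '=' padding).
fn b64_decode(s: &str) -> Option<Vec<u8>> {
    let (mut acc, mut bits, mut out) = (0u32, 0u32, Vec::new());
    for c in s.trim_end_matches('=').bytes() {
        let v = B64.iter().position(|&a| a == c)? as u32;
        acc = (acc << 6) | v;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    Some(out)
}

// Decide what the read path may do with a stored value. Fails closed.
fn plan_read(stored: &str, key_loaded: bool) -> Result<ReadPlan, ReadError> {
    let b64 = match stored.strip_prefix(PREFIX) {
        Some(rest) => rest,
        None => return Ok(ReadPlan::Plaintext(stored.to_string())),
    };
    if !key_loaded { return Err(ReadError::SealedButNoKey); } // never pass ciphertext on
    let raw = b64_decode(b64).ok_or(ReadError::Malformed)?;
    if raw.len() < NONCE_LEN + TAG_LEN { return Err(ReadError::Malformed); }
    let (nonce, body) = raw.split_at(NONCE_LEN);
    Ok(ReadPlan::Open { nonce: nonce.to_vec(), body: body.to_vec() })
}

fn main() {
    let sealed = format!("{}{}==", PREFIX, "A".repeat(38)); // constructed: 28 zero bytes
    println!("{:?}", plan_read(&sealed, false));
}
```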
Functions
- decrypt: Decrypt a stored value with an explicit key. A value without the enc:v1: prefix is returned as-is (legacy plaintext). A sealed value with None/wrong key is an error (never serve ciphertext).
- decrypt_stored: Decrypt a stored value using the process key (legacy-plaintext passthrough; sealed-without-key errors).
- enabled: Whether encryption-at-rest is active for this process.
- encrypt: Seal plaintext with an explicit key. None returns the plaintext unchanged.
- encrypt_for_storage: Seal plaintext for storage using the process key (plaintext passthrough when no key is set).
- init_key: Decode + validate HELDAR_SECRET_KEY (base64 of 32 bytes) and install it process-wide. Call once at startup. None/empty disables encryption (plaintext at rest). Errors on a malformed key so a misconfigured master key fails loud at boot rather than silently disabling encryption.
- is_encrypted: Is this stored value already sealed?
- reencrypt_camera_passwords: One-time migration: when a key is configured, seal any legacy-plaintext camera passwords. Idempotent (skips already-sealed rows). Returns how many rows were re-encrypted. No-op when no key is set.