Skip to content

feat: encrypt WLAN secrets at rest, add decrypt keyword#95

Merged
ravinald merged 1 commit into
mainfrom
feat/encrypt-wlan-secrets-at-rest
Jun 16, 2026
Merged

feat: encrypt WLAN secrets at rest, add decrypt keyword#95
ravinald merged 1 commit into
mainfrom
feat/encrypt-wlan-secrets-at-rest

Conversation

@ravinald

Copy link
Copy Markdown
Owner

Summary

Refresh now captures WLAN PSK/RADIUS secrets and encrypts them (enc:, AES-256-GCM) before writing the cache, so secrets never sit on disk in the clear; the password comes from WIFIMGR_PASSWORD or a one-time prompt. Meraki needs a per-SSID GET to obtain the PSK (the list endpoint omits it); Mist stops discarding it. Import gains a decrypt keyword — secrets masks as *secret*, decrypt reveals plaintext, a wrong password falls back to the mask. Verified: refreshed MX-MEX-904EN (Meraki) — cache PSKs stored enc:, secrets masks, decrypt returns plaintext; full suite + lint clean.

Refresh now captures PSK/RADIUS secrets and encrypts them (enc:) before
writing the cache, resolving the password from WIFIMGR_PASSWORD or a prompt.
Meraki needs a per-SSID GET to obtain the PSK; Mist stops discarding it. The
import commands gain a decrypt keyword: secrets masks as *secret*, decrypt
reveals plaintext.
@ravinald ravinald merged commit 68d6cc9 into main Jun 16, 2026
5 checks passed
@ravinald ravinald deleted the feat/encrypt-wlan-secrets-at-rest branch June 16, 2026 21:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant