Encrypt stored channel keys with machine identity

Channel keys saved to config files are now encrypted using the machine's identity (/etc/machine-id), so: - Not stored in plaintext - Tied to specific machine (can't copy file to another device) - Legacy plaintext keys still work (auto-detected) Changes: - Added _encrypt_for_storage() and _decrypt_from_storage() - set_channel_key() now encrypts before writing - get_channel_key() decrypts when reading (handles legacy plaintext) - Pi setup saves encrypted key to ~/.stegasoo/channel.key - CLI `stegasoo info` now shows channel status correctly 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-07 23:54:23 -05:00
parent f971b75d7e
commit be8744179d
2 changed files with 89 additions and 6 deletions
--- a/rpi/setup.sh
+++ b/rpi/setup.sh
@@ -557,9 +557,15 @@ echo ""
 read -p "Generate a private channel key? [y/N] " -n 1 -r
 echo
 if [[ $REPLY =~ ^[Yy]$ ]]; then
-    # Generate channel key using the CLI
-    CHANNEL_KEY=$($INSTALL_DIR/venv/bin/python -c "from stegasoo.channel import generate_channel_key; print(generate_channel_key())")
+    # Generate channel key and save encrypted to config
+    CHANNEL_KEY=$($INSTALL_DIR/venv/bin/python -c "
+from stegasoo.channel import generate_channel_key, set_channel_key
+key = generate_channel_key()
+set_channel_key(key, 'user')  # Saves encrypted to ~/.stegasoo/channel.key
+print(key)
+")
    echo -e "  ${GREEN}✓${NC} Channel key generated: ${YELLOW}$CHANNEL_KEY${NC}"
+    echo -e "  ${GREEN}✓${NC} Key saved (encrypted) to ~/.stegasoo/channel.key"
    echo ""
    echo -e "  ${RED}IMPORTANT: Save this key!${NC} You'll need to share it with anyone"
    echo "  who should be able to decode your images."