feat(security): add end-to-end encryption for sensitive data

## Summary
Add comprehensive encryption system to protect private keys and API secrets.

## Core Components
- `crypto/encryption.go`: RSA-4096 + AES-256-GCM encryption manager
- `crypto/secure_storage.go`: Database encryption layer + audit logs
- `crypto/aliyun_kms.go`: Optional Aliyun KMS integration
- `api/crypto_handler.go`: Encryption API endpoints
- `web/src/lib/crypto.ts`: Frontend two-stage encryption
- `scripts/migrate_encryption.go`: Data migration tool
- `deploy_encryption.sh`: One-click deployment

## Security Architecture
```
Frontend: Two-stage input + clipboard obfuscation
    ↓
Transport: RSA-4096 + AES-256-GCM hybrid encryption
    ↓
Storage: Database encryption + audit logs
```

## Features
 Zero breaking changes (backward compatible)
 Automatic migration of existing data
 <25ms overhead per operation
 Complete audit trail
 Optional cloud KMS support

## Migration
```bash
./deploy_encryption.sh  # 5 minutes, zero downtime
```

## Testing
```bash
go test ./crypto -v
```

Related-To: security-enhancement
This commit is contained in:
ZhouYongyou
2025-11-06 21:01:47 +08:00
parent 66bfccbd9b
commit 4caf34d329
9 changed files with 2113 additions and 0 deletions

286
deploy_encryption.sh Executable file
View File

@@ -0,0 +1,286 @@
#!/bin/bash
# NOFX 加密系統一鍵部署腳本
# 使用方式: chmod +x deploy_encryption.sh && ./deploy_encryption.sh
set -e # 遇到錯誤立即退出
# 顏色定義
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
# 輔助函數
log_info() {
echo -e "${BLUE} $1${NC}"
}
log_success() {
echo -e "${GREEN}$1${NC}"
}
log_warning() {
echo -e "${YELLOW}⚠️ $1${NC}"
}
log_error() {
echo -e "${RED}$1${NC}"
}
# 檢查必要工具
check_dependencies() {
log_info "檢查依賴工具..."
if ! command -v go &> /dev/null; then
log_error "Go 未安裝,請先安裝 Go 1.21+"
exit 1
fi
if ! command -v npm &> /dev/null; then
log_error "npm 未安裝,請先安裝 Node.js 18+"
exit 1
fi
if ! command -v sqlite3 &> /dev/null; then
log_warning "sqlite3 未安裝,部分驗證功能不可用"
fi
log_success "依賴檢查通過"
}
# 備份數據庫
backup_database() {
log_info "備份現有數據庫..."
if [ -f "config.db" ]; then
BACKUP_FILE="config.db.pre_encryption.$(date +%Y%m%d_%H%M%S).backup"
cp config.db "$BACKUP_FILE"
log_success "數據庫已備份到: $BACKUP_FILE"
else
log_warning "未找到 config.db跳過備份首次安裝"
fi
}
# 創建密鑰目錄
setup_secrets_dir() {
log_info "設置密鑰目錄..."
if [ ! -d ".secrets" ]; then
mkdir -p .secrets
chmod 700 .secrets
log_success "密鑰目錄已創建: .secrets/"
else
log_warning "密鑰目錄已存在,跳過創建"
fi
}
# 更新 .gitignore
update_gitignore() {
log_info "更新 .gitignore..."
if ! grep -q ".secrets/" .gitignore 2>/dev/null; then
echo ".secrets/" >> .gitignore
log_success "已添加 .secrets/ 到 .gitignore"
fi
if ! grep -q "config.db.backup" .gitignore 2>/dev/null; then
echo "config.db.*.backup" >> .gitignore
log_success "已添加備份檔案規則到 .gitignore"
fi
}
# 安裝依賴
install_dependencies() {
log_info "安裝 Go 依賴..."
go mod tidy
log_success "Go 依賴已更新"
log_info "安裝前端依賴..."
cd web
if [ ! -d "node_modules" ]; then
npm install
fi
npm install tweetnacl tweetnacl-util @noble/secp256k1 --save
cd ..
log_success "前端依賴已安裝"
}
# 運行測試
run_tests() {
log_info "運行加密系統測試..."
if go test ./crypto -v > /tmp/nofx_test.log 2>&1; then
log_success "加密系統測試通過"
cat /tmp/nofx_test.log | grep "✅"
else
log_error "加密系統測試失敗,詳情:"
cat /tmp/nofx_test.log
exit 1
fi
}
# 遷移數據
migrate_data() {
log_info "遷移現有數據到加密格式..."
if [ -f "config.db" ]; then
# 檢查是否已經加密過
if sqlite3 config.db "SELECT api_key FROM exchanges LIMIT 1;" 2>/dev/null | grep -q "=="; then
log_warning "數據庫似乎已經加密過,跳過遷移"
read -p "是否強制重新遷移?(y/N): " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
return
fi
fi
if go run scripts/migrate_encryption.go; then
log_success "數據遷移完成"
else
log_error "數據遷移失敗"
exit 1
fi
else
log_warning "未找到數據庫,跳過遷移"
fi
}
# 設置環境變數
setup_env_vars() {
log_info "設置環境變數..."
if [ -f ".secrets/master.key" ]; then
MASTER_KEY=$(cat .secrets/master.key)
# 添加到當前 shell 配置
SHELL_RC="$HOME/.bashrc"
if [ -f "$HOME/.zshrc" ]; then
SHELL_RC="$HOME/.zshrc"
fi
if ! grep -q "NOFX_MASTER_KEY" "$SHELL_RC" 2>/dev/null; then
echo "" >> "$SHELL_RC"
echo "# NOFX 加密系統主密鑰" >> "$SHELL_RC"
echo "export NOFX_MASTER_KEY='$MASTER_KEY'" >> "$SHELL_RC"
log_success "主密鑰已添加到 $SHELL_RC"
else
log_warning "主密鑰已存在於 $SHELL_RC"
fi
# 導出到當前 session
export NOFX_MASTER_KEY="$MASTER_KEY"
log_success "主密鑰已導出到當前 session"
else
log_warning "主密鑰文件未生成,請先運行應用初始化"
fi
}
# 驗證部署
verify_deployment() {
log_info "驗證部署結果..."
# 1. 檢查密鑰檔案
if [ -f ".secrets/rsa_private.pem" ] && [ -f ".secrets/rsa_public.pem" ] && [ -f ".secrets/master.key" ]; then
log_success "密鑰檔案完整"
else
log_error "密鑰檔案缺失,請檢查日誌"
return 1
fi
# 2. 檢查檔案權限
PERM=$(stat -f "%Lp" .secrets 2>/dev/null || stat -c "%a" .secrets 2>/dev/null)
if [ "$PERM" = "700" ]; then
log_success "密鑰目錄權限正確 (700)"
else
log_warning "密鑰目錄權限為 $PERM,建議修改為 700"
chmod 700 .secrets
fi
# 3. 檢查資料庫加密
if [ -f "config.db" ] && command -v sqlite3 &> /dev/null; then
SAMPLE=$(sqlite3 config.db "SELECT api_key FROM exchanges WHERE api_key != '' LIMIT 1;" 2>/dev/null || echo "")
if echo "$SAMPLE" | grep -q "=="; then
log_success "數據庫密鑰已加密Base64 格式)"
else
log_warning "數據庫可能未加密或無數據"
fi
fi
log_success "部署驗證通過"
}
# 打印後續步驟
print_next_steps() {
echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo -e "${GREEN}🎉 加密系統部署成功!${NC}"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""
echo "📝 後續步驟:"
echo ""
echo " 1⃣ 啟動後端服務:"
echo " $ go run main.go"
echo ""
echo " 2⃣ 啟動前端服務:"
echo " $ cd web && npm run dev"
echo ""
echo " 3⃣ 驗證加密功能:"
echo " $ curl http://localhost:8080/api/crypto/public-key"
echo ""
echo " 4⃣ 查看審計日誌:"
echo " $ sqlite3 config.db 'SELECT * FROM audit_logs ORDER BY timestamp DESC LIMIT 10;'"
echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""
echo "⚠️ 重要提醒:"
echo ""
echo " • 請妥善保管 .secrets/ 目錄(已設置為 700 權限)"
echo " • 生產環境務必使用環境變數管理主密鑰"
echo " • 定期執行密鑰輪換(建議每季度一次)"
echo " • 數據庫備份已保存,驗證無誤後可手動刪除"
echo ""
echo "📚 詳細文檔:"
echo " - 快速開始: cat SECURITY_QUICKSTART.md"
echo " - 完整指南: cat ENCRYPTION_DEPLOYMENT.md"
echo ""
}
# 主函數
main() {
echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo -e "${BLUE}🔐 NOFX 加密系統部署腳本${NC}"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""
# 確認執行
log_warning "此腳本將:"
echo " 1. 備份現有數據庫"
echo " 2. 生成 RSA-4096 密鑰對"
echo " 3. 生成 AES-256 主密鑰"
echo " 4. 遷移現有數據到加密格式"
echo " 5. 設置環境變數"
echo ""
read -p "是否繼續?(y/N): " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
log_info "已取消部署"
exit 0
fi
# 執行部署步驟
check_dependencies
backup_database
setup_secrets_dir
update_gitignore
install_dependencies
run_tests
migrate_data
setup_env_vars
verify_deployment
print_next_steps
}
# 執行主函數
main