Skip to content

Migrate API key storage from plaintext NbPreferences to encrypted storage #90

Description

@sfloess

Part of #32: Security Hardening - API Key Storage and Input Sanitization

Scope

Replace plaintext API key storage in NbPreferences with encrypted storage using the NetBeans Keyring API or an equivalent secure mechanism.

What to do

  • Audit current API key storage across all 9 AI modules (find all NbPreferences.forModule(...) calls storing API keys)
  • Replace with org.netbeans.api.keyring.Keyring for secure storage
  • Implement a migration path: on first launch after upgrade, read existing plaintext keys, store them in keyring, and remove plaintext entries
  • Ensure the settings UI reads/writes keys via the keyring API
  • If Keyring API is not available on all platforms, provide a fallback with at-rest encryption (AES with a platform-derived key)

Acceptance criteria

  • API keys are never stored in plaintext in NbPreferences
  • Existing users' keys are migrated transparently on upgrade
  • Settings panels still allow viewing/editing API keys (masked input)
  • Keys are retrievable by the AI clients at runtime

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions