Session-Scoped Public/Private Key Encryption for Remote Secrets (MVP; Third-Party Encryptor) #147

@aaronsteers

Description
Summary
Add first-phase support for remote secret intake without exposing plaintext to the LLM or persisting plaintext on the server.
On MCP session start, generate a per-session keypair, expose the public key as a resource, and accept client-side-encrypted ciphertext in tool calls.
For this MVP, users will create ciphertext via a trusted third-party site (or an optional one-liner CLI), then paste the ciphertext into the MCP tool call.
🎯 Goals / Acceptance Criteria

  • On session init, server generates a per-session keypair and stores the private key in memory only, destroyed when the session ends or times out.
  • Expose the public key as a resource (e.g. mcp+session://{id}/secret-pubkey), including kid, alg, and encoding details.
  • Add tool input support for { ciphertext, kid, ... } (e.g. connectors.create_*_ephemeral({ ciphertext, kid, ... })).
  • Implement a decrypt-on-use flow: decrypt, use the secret in-process, zeroize buffers; no plaintext at rest.
  • Provide step-by-step user instructions:
    1. Copy the public key.
    2. Visit a trusted client-side encryption site.
    3. Paste their secret and encrypt it.
    4. Paste the resulting ciphertext into the MCP tool call.
  • Add a size limit (≤ 64 KB) and clear validation errors for malformed ciphertexts.
  • Security considerations: no logging, zeroization of buffers, plane separation for connector execution.
  • Add a small placeholder for algorithm (see below).
  • Feature-flag this functionality behind an env var (off by default).

⚙️ Algorithm (TBD)

  • Option A: JWE (RSA-OAEP-256 + A256GCM) via WebCrypto-friendly format.
  • Option B: libsodium sealed-box (X25519 + XChaCha20/XSalsa20-Poly1305).
  • Implementor will select based on simplicity and copy-paste friendliness.
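As an added illustration of the flow above (not code from this issue or its project), the following Go sketch uses Option A's primitives from the standard library, RSA-OAEP with SHA-256 wrapping a one-time AES-256-GCM key, in a constructed envelope struct rather than JWE compact serialization. It covers the per-session keypair kept in memory, the kid bound into the ciphertext, the 64 KB limit, validation errors for malformed input, and the decrypt-on-use path with zeroization; the names Envelope, Session, Encrypt and UseSecret are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Envelope is the constructed paste-able format (field names assumed, mirroring { ciphertext, kid }): a
// one-time AES-256 key wrapped with RSA-OAEP(SHA-256), plus the AES-256-GCM nonce and tagged ciphertext.
type Envelope struct{ Kid string; WrappedKey, Nonce, Ciphertext []byte }
const maxCiphertext = 64 * 1024 // size limit from the acceptance criteria
// Session keeps the per-session private key in memory only; set priv = nil on session end or timeout.
type Session struct{ Kid string; priv *rsa.PrivateKey }
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
func zero(b []byte)          { for i := range b { b[i] = 0 } }
func newGCM(key []byte) cipher.AEAD { block, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(block); return g }
func NewSession() (*Session, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	return &Session{Kid: hex.EncodeToString(randBytes(8)), priv: priv}, nil
}
func (s *Session) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }
// Encrypt is the client side (what the trusted third-party site does). The kid is bound as OAEP label
// and GCM additional data, so a ciphertext made for one session is rejected when pasted under another.
func Encrypt(pub *rsa.PublicKey, kid string, secret []byte) (*Envelope, error) {
	key, nonce := randBytes(32), randBytes(12)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(kid))
	if err != nil { return nil, err }
	return &Envelope{kid, wrapped, nonce, newGCM(key).Seal(nil, nonce, secret, []byte(kid))}, nil
}

// UseSecret is the decrypt-on-use path: validate, decrypt, hand the plaintext to fn, zeroize, never persist.
func (s *Session) UseSecret(env *Envelope, fn func(plaintext []byte) error) error {
	if s.priv == nil || env.Kid != s.Kid { return errors.New("kid mismatch or session ended") }
	if len(env.Ciphertext) > maxCiphertext { return errors.New("ciphertext exceeds 64 KB limit") }
	if len(env.Nonce) != 12 { return errors.New("malformed ciphertext: bad nonce length") } // Open panics otherwise
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, env.WrappedKey, []byte(env.Kid))
	if err != nil { return errors.New("malformed ciphertext: key unwrap failed") }
	defer zero(key)
	pt, err := newGCM(key).Open(nil, env.Nonce, env.Ciphertext, []byte(env.Kid))
	if err != nil { return errors.New("malformed ciphertext: authentication failed") }
	defer zero(pt)
	return fn(pt)
}
```

Note that fn must not retain the plaintext slice, since it is zeroized on return; a real server would also avoid logging any field of the envelope.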

🧪 Tests

  • Unit tests for key generation, decrypt path, size limits, kid mismatch, and invalid ciphertext handling.

🧰 Docs (for MVP)

  • Where to find the public-key resource.
  • Recommended third-party sites for encryption (client-side only).
  • Optional one-liner CLI (uvx/npx) for power users.

🚫 Non-Goals

  • Hosting our own encryption webapp (that’s Phase 2).
  • Durable secret storage (plaintext or ciphertext persistence).
