refactor(dgw): simplify aead error mapping in credential crypto by Copilot · Pull Request #1693 · Devolutions/devolutions-gateway

Copilot · 2026-02-26T11:08:29Z

aead::Error is a unit struct that does not implement std::error::Error, making .context() inapplicable. Simplifies the two AEAD error sites to drop the unused binding since the type carries no diagnostic information.

Changes:

encrypt / decrypt: map_err(|e| anyhow::anyhow!("...: {e}")) → map_err(|_| anyhow::anyhow!("..."))
.context() is already used where applicable (e.g., String::from_utf8 on the decrypted bytes)

// Before
cipher.encrypt(&nonce, plaintext.as_bytes())
    .map_err(|e| anyhow::anyhow!("encryption failed: {e}"))?;

// After
cipher.encrypt(&nonce, plaintext.as_bytes())
    .map_err(|_| anyhow::anyhow!("encryption failed"))?;

Issue: #1689

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Add ChaCha20-Poly1305 encryption for credentials stored in the credential store. Passwords are encrypted at rest with a master key protected via libsodium's mlock/mprotect facilities, preventing exposure in memory dumps or swap. Issue: DGW-326

#1690)

Co-authored-by: CBenoit <3809077+CBenoit@users.noreply.github.com>

Benoît Cortier (CBenoit) and others added 7 commits February 25, 2026 12:41

feat(dgw): encrypt in-memory credentials

55c81d2

Add ChaCha20-Poly1305 encryption for credentials stored in the credential store. Passwords are encrypted at rest with a master key protected via libsodium's mlock/mprotect facilities, preventing exposure in memory dumps or swap. Issue: DGW-326

.

162f609

.

5124a4c

fix(dgw): address reviewer feedback on in-memory credential encryption (

c10ad70

#1690)

feat(dgw): make libsodium (secrets) an optional mlock feature (#1691)

8bd9835

refactor(dgw): use secrecy::SecretString for decrypted passwords (#1692)

bada7f5

Initial plan

664317b

Copilot AI assigned Copilot and Benoît Cortier (CBenoit) Feb 26, 2026

Copilot AI mentioned this pull request Feb 26, 2026

feat(dgw): encrypt in-memory credentials with optional mlock protection #1689

Open

Copilot started work on behalf of Benoît Cortier (CBenoit) February 26, 2026 11:08 View session

refactor(dgw): simplify aead error handling in credential crypto

49d64ca

Co-authored-by: CBenoit <3809077+CBenoit@users.noreply.github.com>

Copilot AI changed the title ~~[WIP] Address feedback on using anyhow::Context for error handling~~ refactor(dgw): simplify aead error mapping in credential crypto Feb 26, 2026

Copilot finished work on behalf of Benoît Cortier (CBenoit) February 26, 2026 11:19

Benoît Cortier (CBenoit) force-pushed the DGW-326 branch from bada7f5 to d8fc305 Compare February 27, 2026 14:37

Benoît Cortier (CBenoit) closed this Feb 27, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

refactor(dgw): simplify aead error mapping in credential crypto#1693

refactor(dgw): simplify aead error mapping in credential crypto#1693
Copilot wants to merge 8 commits intoDGW-326from
copilot/sub-pr-1689

Copilot AI commented Feb 26, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

2 participants

Conversation

Copilot AI commented Feb 26, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

2 participants

Copilot AI commented Feb 26, 2026 •

edited

Loading