MindWorkAI/AI-Studio
MindWorkAI/AI-Studio
1
0
Fork 0
mirror of https://github.com/MindWorkAI/AI-Studio.git synced 2026-02-12 07:01:37 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Added enterprise encryption support for API key handling in config files

Browse Source
This commit is contained in:
Thorsten Sommer 2026-02-05 21:03:12 +01:00
parent 31597c9242
commit a91a5c85a2
Signed by untrusted user who does not match committer: tsommer
GPG Key ID: 371BBA77A02C0108
17 changed files with 690 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
app/MindWork AI Studio/Components/Settings/SettingsPanelEmbeddings.razor.cs
View File

@ -1,5 +1,6 @@
using AIStudio.Dialogs; using AIStudio.Dialogs;
using AIStudio.Settings; using AIStudio.Settings;
using AIStudio.Tools.PluginSystem;
using Microsoft.AspNetCore.Components; using Microsoft.AspNetCore.Components;
@ -120,7 +121,39 @@ public partial class SettingsPanelEmbeddings : SettingsPanelBase
if (provider == EmbeddingProvider.NONE) if (provider == EmbeddingProvider.NONE)
return; return;
var luaCode = provider.ExportAsConfigurationSection(); string? encryptedApiKey = null;
// Check if the provider has an API key stored:
var apiKeyResponse = await this.RustService.GetAPIKey(provider, SecretStoreType.EMBEDDING_PROVIDER, isTrying: true);
if (apiKeyResponse.Success)
{
// Ask the user if they want to export the API key:
var dialogParameters = new DialogParameters<ConfirmDialog>
{
{ x => x.Message, T("This provider has an API key configured. Do you want to include the encrypted API key in the export? Note: The recipient will need the same encryption secret to use the API key.") },
};
var dialogReference = await this.DialogService.ShowAsync<ConfirmDialog>(T("Export API Key?"), dialogParameters, DialogOptions.FULLSCREEN);
var dialogResult = await dialogReference.Result;
if (dialogResult is { Canceled: false })
{
// User wants to export the API key - encrypt it:
var encryption = PluginFactory.EnterpriseEncryption;
if (encryption?.IsAvailable == true)
{
var decryptedApiKey = await apiKeyResponse.Secret.Decrypt(Program.ENCRYPTION);
if (encryption.TryEncrypt(decryptedApiKey, out var encrypted))
encryptedApiKey = encrypted;
}
else
{
// No encryption secret available - inform the user:
this.Snackbar.Add(T("Cannot export encrypted API key: No enterprise encryption secret is configured."), Severity.Warning);
}
}
}
var luaCode = provider.ExportAsConfigurationSection(encryptedApiKey);
if (string.IsNullOrWhiteSpace(luaCode)) if (string.IsNullOrWhiteSpace(luaCode))
return; return;

35
app/MindWork AI Studio/Components/Settings/SettingsPanelProviders.razor.cs
View File

@ -3,6 +3,7 @@ using System.Diagnostics.CodeAnalysis;
using AIStudio.Dialogs; using AIStudio.Dialogs;
using AIStudio.Provider; using AIStudio.Provider;
using AIStudio.Settings; using AIStudio.Settings;
using AIStudio.Tools.PluginSystem;
using Microsoft.AspNetCore.Components; using Microsoft.AspNetCore.Components;
@ -139,7 +140,39 @@ public partial class SettingsPanelProviders : SettingsPanelBase
if (provider == AIStudio.Settings.Provider.NONE) if (provider == AIStudio.Settings.Provider.NONE)
return; return;
var luaCode = provider.ExportAsConfigurationSection(); string? encryptedApiKey = null;
// Check if the provider has an API key stored:
var apiKeyResponse = await this.RustService.GetAPIKey(provider, SecretStoreType.LLM_PROVIDER, isTrying: true);
if (apiKeyResponse.Success)
{
// Ask the user if they want to export the API key:
var dialogParameters = new DialogParameters<ConfirmDialog>
{
{ x => x.Message, T("This provider has an API key configured. Do you want to include the encrypted API key in the export? Note: The recipient will need the same encryption secret to use the API key.") },
};
var dialogReference = await this.DialogService.ShowAsync<ConfirmDialog>(T("Export API Key?"), dialogParameters, DialogOptions.FULLSCREEN);
var dialogResult = await dialogReference.Result;
if (dialogResult is { Canceled: false })
{
// User wants to export the API key - encrypt it:
var encryption = PluginFactory.EnterpriseEncryption;
if (encryption?.IsAvailable == true)
{
var decryptedApiKey = await apiKeyResponse.Secret.Decrypt(Program.ENCRYPTION);
if (encryption.TryEncrypt(decryptedApiKey, out var encrypted))
encryptedApiKey = encrypted;
}
else
{
// No encryption secret available - inform the user:
this.Snackbar.Add(T("Cannot export encrypted API key: No enterprise encryption secret is configured."), Severity.Warning);
}
}
}
var luaCode = provider.ExportAsConfigurationSection(encryptedApiKey);
if (string.IsNullOrWhiteSpace(luaCode)) if (string.IsNullOrWhiteSpace(luaCode))
return; return;

35
app/MindWork AI Studio/Components/Settings/SettingsPanelTranscription.razor.cs
View File

@ -1,5 +1,6 @@
using AIStudio.Dialogs; using AIStudio.Dialogs;
using AIStudio.Settings; using AIStudio.Settings;
using AIStudio.Tools.PluginSystem;
using Microsoft.AspNetCore.Components; using Microsoft.AspNetCore.Components;
@ -120,7 +121,39 @@ public partial class SettingsPanelTranscription : SettingsPanelBase
if (provider == TranscriptionProvider.NONE) if (provider == TranscriptionProvider.NONE)
return; return;
var luaCode = provider.ExportAsConfigurationSection(); string? encryptedApiKey = null;
// Check if the provider has an API key stored:
var apiKeyResponse = await this.RustService.GetAPIKey(provider, SecretStoreType.TRANSCRIPTION_PROVIDER, isTrying: true);
if (apiKeyResponse.Success)
{
// Ask the user if they want to export the API key:
var dialogParameters = new DialogParameters<ConfirmDialog>
{
{ x => x.Message, T("This provider has an API key configured. Do you want to include the encrypted API key in the export? Note: The recipient will need the same encryption secret to use the API key.") },
};
var dialogReference = await this.DialogService.ShowAsync<ConfirmDialog>(T("Export API Key?"), dialogParameters, DialogOptions.FULLSCREEN);
var dialogResult = await dialogReference.Result;
if (dialogResult is { Canceled: false })
{
// User wants to export the API key - encrypt it:
var encryption = PluginFactory.EnterpriseEncryption;
if (encryption?.IsAvailable == true)
{
var decryptedApiKey = await apiKeyResponse.Secret.Decrypt(Program.ENCRYPTION);
if (encryption.TryEncrypt(decryptedApiKey, out var encrypted))
encryptedApiKey = encrypted;
}
else
{
// No encryption secret available - inform the user:
this.Snackbar.Add(T("Cannot export encrypted API key: No enterprise encryption secret is configured."), Severity.Warning);
}
}
}
var luaCode = provider.ExportAsConfigurationSection(encryptedApiKey);
if (string.IsNullOrWhiteSpace(luaCode)) if (string.IsNullOrWhiteSpace(luaCode))
return; return;

3
app/MindWork AI Studio/Layout/MainLayout.razor.cs
View File

@ -215,6 +215,9 @@ public partial class MainLayout : LayoutComponentBase, IMessageBusReceiver, ILan
if (enterpriseEnvironment != default) if (enterpriseEnvironment != default)
await PluginFactory.TryDownloadingConfigPluginAsync(enterpriseEnvironment.ConfigurationId, enterpriseEnvironment.ConfigurationServerUrl); await PluginFactory.TryDownloadingConfigPluginAsync(enterpriseEnvironment.ConfigurationId, enterpriseEnvironment.ConfigurationServerUrl);
// Initialize the enterprise encryption service for decrypting API keys:
await PluginFactory.InitializeEnterpriseEncryption(this.RustService);
// Load (but not start) all plugins without waiting for them: // Load (but not start) all plugins without waiting for them:
#if DEBUG #if DEBUG
var pluginLoadingTimeout = new CancellationTokenSource(); var pluginLoadingTimeout = new CancellationTokenSource();

18
app/MindWork AI Studio/Plugins/configuration/plugin.lua
View File

@ -68,6 +68,16 @@ CONFIG["LLM_PROVIDERS"] = {}
-- -- Optional: Hugging Face inference provider. Only relevant for UsedLLMProvider = HUGGINGFACE. -- -- Optional: Hugging Face inference provider. Only relevant for UsedLLMProvider = HUGGINGFACE.
-- -- Allowed values are: CEREBRAS, NEBIUS_AI_STUDIO, SAMBANOVA, NOVITA, HYPERBOLIC, TOGETHER_AI, FIREWORKS, HF_INFERENCE_API -- -- Allowed values are: CEREBRAS, NEBIUS_AI_STUDIO, SAMBANOVA, NOVITA, HYPERBOLIC, TOGETHER_AI, FIREWORKS, HF_INFERENCE_API
-- -- ["HFInferenceProvider"] = "NOVITA", -- -- ["HFInferenceProvider"] = "NOVITA",
--
-- -- Optional: Encrypted API key for cloud providers or secured on-premise models.
-- -- The API key must be encrypted using the enterprise encryption secret.
-- -- Format: "ENC:v1:<base64-encoded encrypted data>"
-- -- The encryption secret must be configured via:
-- -- Windows Registry: HKEY_CURRENT_USER\Software\github\MindWork AI Studio\Enterprise IT\config_encryption_secret
-- -- Environment variable: MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ENCRYPTION_SECRET
-- -- You can export an encrypted API key from an existing provider using the export button in the settings.
-- -- ["APIKey"] = "ENC:v1:<base64-encoded encrypted data>",
--
-- ["Model"] = { -- ["Model"] = {
-- ["Id"] = "<the model ID>", -- ["Id"] = "<the model ID>",
-- ["DisplayName"] = "<user-friendly name of the model>", -- ["DisplayName"] = "<user-friendly name of the model>",
@ -86,6 +96,10 @@ CONFIG["TRANSCRIPTION_PROVIDERS"] = {}
-- -- Allowed values for Host are: LM_STUDIO, LLAMACPP, OLLAMA, VLLM, and WHISPER_CPP -- -- Allowed values for Host are: LM_STUDIO, LLAMACPP, OLLAMA, VLLM, and WHISPER_CPP
-- ["Host"] = "WHISPER_CPP", -- ["Host"] = "WHISPER_CPP",
-- ["Hostname"] = "<https address of the server>", -- ["Hostname"] = "<https address of the server>",
--
-- -- Optional: Encrypted API key (see LLM_PROVIDERS example for details)
-- -- ["APIKey"] = "ENC:v1:<base64-encoded encrypted data>",
--
-- ["Model"] = { -- ["Model"] = {
-- ["Id"] = "<the model ID>", -- ["Id"] = "<the model ID>",
-- ["DisplayName"] = "<user-friendly name of the model>", -- ["DisplayName"] = "<user-friendly name of the model>",
@ -104,6 +118,10 @@ CONFIG["EMBEDDING_PROVIDERS"] = {}
-- -- Allowed values for Host are: LM_STUDIO, LLAMACPP, OLLAMA, and VLLM -- -- Allowed values for Host are: LM_STUDIO, LLAMACPP, OLLAMA, and VLLM
-- ["Host"] = "OLLAMA", -- ["Host"] = "OLLAMA",
-- ["Hostname"] = "<https address of the server>", -- ["Hostname"] = "<https address of the server>",
--
-- -- Optional: Encrypted API key (see LLM_PROVIDERS example for details)
-- -- ["APIKey"] = "ENC:v1:<base64-encoded encrypted data>",
--
-- ["Model"] = { -- ["Model"] = {
-- ["Id"] = "<the model ID, e.g., nomic-embed-text>", -- ["Id"] = "<the model ID, e.g., nomic-embed-text>",
-- ["DisplayName"] = "<user-friendly name of the model>", -- ["DisplayName"] = "<user-friendly name of the model>",

44
app/MindWork AI Studio/Settings/EmbeddingProvider.cs
View File

@ -110,6 +110,34 @@ public sealed record EmbeddingProvider(
Host = host, Host = host,
}; };
// Handle encrypted API key if present:
if (table.TryGetValue("APIKey", out var apiKeyValue) && apiKeyValue.TryRead<string>(out var apiKeyText) && !string.IsNullOrWhiteSpace(apiKeyText))
{
if (!EnterpriseEncryption.IsEncrypted(apiKeyText))
LOGGER.LogWarning($"The configured embedding provider {idx} contains a plaintext API key. Only encrypted API keys (starting with 'ENC:v1:') are supported.");
else
{
var encryption = PluginFactory.EnterpriseEncryption;
if (encryption?.IsAvailable == true)
{
if (encryption.TryDecrypt(apiKeyText, out var decryptedApiKey))
{
// Queue the API key for storage in the OS keyring:
PendingEnterpriseApiKeys.Add(new(
id.ToString(),
name,
decryptedApiKey,
SecretStoreType.EMBEDDING_PROVIDER));
LOGGER.LogDebug($"Successfully decrypted API key for embedding provider {idx}. It will be stored in the OS keyring.");
}
else
LOGGER.LogWarning($"Failed to decrypt API key for embedding provider {idx}. The encryption secret may be incorrect.");
}
else
LOGGER.LogWarning($"The configured embedding provider {idx} contains an encrypted API key, but no encryption secret is configured.");
}
}
return true; return true;
} }
@ -132,8 +160,21 @@ public sealed record EmbeddingProvider(
return true; return true;
} }
public string ExportAsConfigurationSection() /// <summary>
/// Exports the embedding provider configuration as a Lua configuration section.
/// </summary>
/// <param name="encryptedApiKey">Optional encrypted API key to include in the export.</param>
/// <returns>A Lua configuration section string.</returns>
public string ExportAsConfigurationSection(string? encryptedApiKey = null)
{ {
var apiKeyLine = string.Empty;
if (!string.IsNullOrWhiteSpace(encryptedApiKey))
{
apiKeyLine = $"""
["APIKey"] = "{LuaTools.EscapeLuaString(encryptedApiKey)}",
""";
}
return $$""" return $$"""
CONFIG["EMBEDDING_PROVIDERS"][#CONFIG["EMBEDDING_PROVIDERS"]+1] = { CONFIG["EMBEDDING_PROVIDERS"][#CONFIG["EMBEDDING_PROVIDERS"]+1] = {
["Id"] = "{{LuaTools.EscapeLuaString(NormalizeId(this.Id))}}", ["Id"] = "{{LuaTools.EscapeLuaString(NormalizeId(this.Id))}}",
@ -142,6 +183,7 @@ public sealed record EmbeddingProvider(
["Host"] = "{{this.Host}}", ["Host"] = "{{this.Host}}",
["Hostname"] = "{{LuaTools.EscapeLuaString(this.Hostname)}}", ["Hostname"] = "{{LuaTools.EscapeLuaString(this.Hostname)}}",
{{apiKeyLine}}
["Model"] = { ["Model"] = {
["Id"] = "{{LuaTools.EscapeLuaString(this.Model.Id)}}", ["Id"] = "{{LuaTools.EscapeLuaString(this.Model.Id)}}",
["DisplayName"] = "{{LuaTools.EscapeLuaString(this.Model.DisplayName ?? string.Empty)}}", ["DisplayName"] = "{{LuaTools.EscapeLuaString(this.Model.DisplayName ?? string.Empty)}}",

44
app/MindWork AI Studio/Settings/Provider.cs
View File

@ -167,6 +167,34 @@ public sealed record Provider(
AdditionalJsonApiParameters = additionalJsonApiParameters, AdditionalJsonApiParameters = additionalJsonApiParameters,
}; };
// Handle encrypted API key if present:
if (table.TryGetValue("APIKey", out var apiKeyValue) && apiKeyValue.TryRead<string>(out var apiKeyText) && !string.IsNullOrWhiteSpace(apiKeyText))
{
if (!EnterpriseEncryption.IsEncrypted(apiKeyText))
LOGGER.LogWarning($"The configured provider {idx} contains a plaintext API key. Only encrypted API keys (starting with 'ENC:v1:') are supported.");
else
{
var encryption = PluginFactory.EnterpriseEncryption;
if (encryption?.IsAvailable == true)
{
if (encryption.TryDecrypt(apiKeyText, out var decryptedApiKey))
{
// Queue the API key for storage in the OS keyring:
PendingEnterpriseApiKeys.Add(new(
id.ToString(),
instanceName,
decryptedApiKey,
SecretStoreType.LLM_PROVIDER));
LOGGER.LogDebug($"Successfully decrypted API key for provider {idx}. It will be stored in the OS keyring.");
}
else
LOGGER.LogWarning($"Failed to decrypt API key for provider {idx}. The encryption secret may be incorrect.");
}
else
LOGGER.LogWarning($"The configured provider {idx} contains an encrypted API key, but no encryption secret is configured.");
}
}
return true; return true;
} }
@ -189,7 +217,12 @@ public sealed record Provider(
return true; return true;
} }
public string ExportAsConfigurationSection() /// <summary>
/// Exports the provider configuration as a Lua configuration section.
/// </summary>
/// <param name="encryptedApiKey">Optional encrypted API key to include in the export.</param>
/// <returns>A Lua configuration section string.</returns>
public string ExportAsConfigurationSection(string? encryptedApiKey = null)
{ {
var hfInferenceProviderLine = string.Empty; var hfInferenceProviderLine = string.Empty;
if (this.HFInferenceProvider is not HFInferenceProvider.NONE) if (this.HFInferenceProvider is not HFInferenceProvider.NONE)
@ -199,6 +232,14 @@ public sealed record Provider(
"""; """;
} }
var apiKeyLine = string.Empty;
if (!string.IsNullOrWhiteSpace(encryptedApiKey))
{
apiKeyLine = $"""
["APIKey"] = "{LuaTools.EscapeLuaString(encryptedApiKey)}",
""";
}
return $$""" return $$"""
CONFIG["LLM_PROVIDERS"][#CONFIG["LLM_PROVIDERS"]+1] = { CONFIG["LLM_PROVIDERS"][#CONFIG["LLM_PROVIDERS"]+1] = {
["Id"] = "{{LuaTools.EscapeLuaString(NormalizeId(this.Id))}}", ["Id"] = "{{LuaTools.EscapeLuaString(NormalizeId(this.Id))}}",
@ -208,6 +249,7 @@ public sealed record Provider(
["Host"] = "{{this.Host}}", ["Host"] = "{{this.Host}}",
["Hostname"] = "{{LuaTools.EscapeLuaString(this.Hostname)}}", ["Hostname"] = "{{LuaTools.EscapeLuaString(this.Hostname)}}",
{{hfInferenceProviderLine}} {{hfInferenceProviderLine}}
{{apiKeyLine}}
["AdditionalJsonApiParameters"] = "{{LuaTools.EscapeLuaString(this.AdditionalJsonApiParameters)}}", ["AdditionalJsonApiParameters"] = "{{LuaTools.EscapeLuaString(this.AdditionalJsonApiParameters)}}",
["Model"] = { ["Model"] = {
["Id"] = "{{LuaTools.EscapeLuaString(this.Model.Id)}}", ["Id"] = "{{LuaTools.EscapeLuaString(this.Model.Id)}}",

44
app/MindWork AI Studio/Settings/TranscriptionProvider.cs
View File

@ -110,6 +110,34 @@ public sealed record TranscriptionProvider(
Host = host, Host = host,
}; };
// Handle encrypted API key if present:
if (table.TryGetValue("APIKey", out var apiKeyValue) && apiKeyValue.TryRead<string>(out var apiKeyText) && !string.IsNullOrWhiteSpace(apiKeyText))
{
if (!EnterpriseEncryption.IsEncrypted(apiKeyText))
LOGGER.LogWarning($"The configured transcription provider {idx} contains a plaintext API key. Only encrypted API keys (starting with 'ENC:v1:') are supported.");
else
{
var encryption = PluginFactory.EnterpriseEncryption;
if (encryption?.IsAvailable == true)
{
if (encryption.TryDecrypt(apiKeyText, out var decryptedApiKey))
{
// Queue the API key for storage in the OS keyring:
PendingEnterpriseApiKeys.Add(new(
id.ToString(),
name,
decryptedApiKey,
SecretStoreType.TRANSCRIPTION_PROVIDER));
LOGGER.LogDebug($"Successfully decrypted API key for transcription provider {idx}. It will be stored in the OS keyring.");
}
else
LOGGER.LogWarning($"Failed to decrypt API key for transcription provider {idx}. The encryption secret may be incorrect.");
}
else
LOGGER.LogWarning($"The configured transcription provider {idx} contains an encrypted API key, but no encryption secret is configured.");
}
}
return true; return true;
} }
@ -132,8 +160,21 @@ public sealed record TranscriptionProvider(
return true; return true;
} }
public string ExportAsConfigurationSection() /// <summary>
/// Exports the transcription provider configuration as a Lua configuration section.
/// </summary>
/// <param name="encryptedApiKey">Optional encrypted API key to include in the export.</param>
/// <returns>A Lua configuration section string.</returns>
public string ExportAsConfigurationSection(string? encryptedApiKey = null)
{ {
var apiKeyLine = string.Empty;
if (!string.IsNullOrWhiteSpace(encryptedApiKey))
{
apiKeyLine = $"""
["APIKey"] = "{LuaTools.EscapeLuaString(encryptedApiKey)}",
""";
}
return $$""" return $$"""
CONFIG["TRANSCRIPTION_PROVIDERS"][#CONFIG["TRANSCRIPTION_PROVIDERS"]+1] = { CONFIG["TRANSCRIPTION_PROVIDERS"][#CONFIG["TRANSCRIPTION_PROVIDERS"]+1] = {
["Id"] = "{{LuaTools.EscapeLuaString(NormalizeId(this.Id))}}", ["Id"] = "{{LuaTools.EscapeLuaString(NormalizeId(this.Id))}}",
@ -142,6 +183,7 @@ public sealed record TranscriptionProvider(
["Host"] = "{{this.Host}}", ["Host"] = "{{this.Host}}",
["Hostname"] = "{{LuaTools.EscapeLuaString(this.Hostname)}}", ["Hostname"] = "{{LuaTools.EscapeLuaString(this.Hostname)}}",
{{apiKeyLine}}
["Model"] = { ["Model"] = {
["Id"] = "{{LuaTools.EscapeLuaString(this.Model.Id)}}", ["Id"] = "{{LuaTools.EscapeLuaString(this.Model.Id)}}",
["DisplayName"] = "{{LuaTools.EscapeLuaString(this.Model.DisplayName ?? string.Empty)}}", ["DisplayName"] = "{{LuaTools.EscapeLuaString(this.Model.DisplayName ?? string.Empty)}}",

211
app/MindWork AI Studio/Tools/EnterpriseEncryption.cs Normal file
View File

@ -0,0 +1,211 @@
using System.Security.Cryptography;
using System.Text;
namespace AIStudio.Tools;
/// <summary>
/// Provides encryption and decryption functionality for enterprise configuration plugins.
/// This is used to encrypt/decrypt API keys in Lua configuration files.
/// </summary>
/// <remarks>
/// Important: This is obfuscation, not security. Users with administrative access
/// to their machines can potentially extract the decrypted API keys. This feature
/// is designed to prevent casual exposure of API keys in configuration files. It
/// also protects against accidental leaks while sharing configuration snippets,
/// as the encrypted values cannot be decrypted without the secret key.
/// </remarks>
public sealed class EnterpriseEncryption
{
/// <summary>
/// The number of iterations to derive the key and IV from the password.
/// We use a higher iteration count here because the secret is static
/// (not regenerated each startup like the IPC encryption).
/// </summary>
private const int ITERATIONS = 10_000;
/// <summary>
/// The length of the salt in bytes.
/// </summary>
private const int SALT_LENGTH = 16;
/// <summary>
/// The prefix for encrypted values.
/// </summary>
private const string PREFIX = "ENC:v1:";
private readonly ILogger<EnterpriseEncryption> logger;
private readonly byte[]? secretKey;
/// <summary>
/// Gets a value indicating whether the encryption service is available.
/// </summary>
public bool IsAvailable { get; }
/// <summary>
/// Creates a new instance of the enterprise encryption service.
/// </summary>
/// <param name="logger">The logger instance.</param>
/// <param name="base64Secret">The base64-encoded 32-byte encryption secret.</param>
public EnterpriseEncryption(ILogger<EnterpriseEncryption> logger, string? base64Secret)
{
this.logger = logger;
if (string.IsNullOrWhiteSpace(base64Secret))
{
this.logger.LogWarning("No enterprise encryption secret configured. Encrypted API keys in configuration plugins will not be available.");
this.IsAvailable = false;
return;
}
try
{
this.secretKey = Convert.FromBase64String(base64Secret);
if (this.secretKey.Length != 32)
{
this.logger.LogWarning($"The enterprise encryption secret must be exactly 32 bytes (256 bits). Got {this.secretKey.Length} bytes.");
this.secretKey = null;
this.IsAvailable = false;
return;
}
this.IsAvailable = true;
this.logger.LogInformation("Enterprise encryption service initialized successfully.");
}
catch (FormatException ex)
{
this.logger.LogWarning(ex, "Failed to decode the enterprise encryption secret from base64.");
this.IsAvailable = false;
}
}
/// <summary>
/// Checks if the given value is encrypted (has the encryption prefix).
/// </summary>
/// <param name="value">The value to check.</param>
/// <returns>True if the value starts with the encryption prefix; otherwise, false.</returns>
public static bool IsEncrypted(string? value) => value?.StartsWith(PREFIX, StringComparison.Ordinal) ?? false;
/// <summary>
/// Tries to decrypt an encrypted value.
/// </summary>
/// <param name="encryptedValue">The encrypted value (with ENC:v1: prefix).</param>
/// <param name="decryptedValue">When successful, contains the decrypted plaintext.</param>
/// <returns>True if decryption was successful; otherwise, false.</returns>
public bool TryDecrypt(string encryptedValue, out string decryptedValue)
{
decryptedValue = string.Empty;
if (!this.IsAvailable)
{
this.logger.LogWarning("Cannot decrypt: Enterprise encryption service is not available.");
return false;
}
if (!IsEncrypted(encryptedValue))
{
this.logger.LogWarning("Cannot decrypt: Value does not have the expected encryption prefix.");
return false;
}
try
{
// Extract the base64-encoded data after the prefix:
var base64Data = encryptedValue[PREFIX.Length..];
var encryptedBytes = Convert.FromBase64String(base64Data);
if (encryptedBytes.Length < SALT_LENGTH + 1)
{
this.logger.LogWarning("Cannot decrypt: Encrypted data is too short.");
return false;
}
// Extract salt and encrypted content:
var salt = encryptedBytes[..SALT_LENGTH];
var cipherText = encryptedBytes[SALT_LENGTH..];
// Derive key and IV using PBKDF2:
using var keyDerivation = new Rfc2898DeriveBytes(this.secretKey!, salt, ITERATIONS, HashAlgorithmName.SHA512);
var key = keyDerivation.GetBytes(32); // AES-256
var iv = keyDerivation.GetBytes(16); // AES block size
// Decrypt using AES-256-CBC:
using var aes = Aes.Create();
aes.Key = key;
aes.IV = iv;
aes.Mode = CipherMode.CBC;
aes.Padding = PaddingMode.PKCS7;
using var decryptor = aes.CreateDecryptor();
var decryptedBytes = decryptor.TransformFinalBlock(cipherText, 0, cipherText.Length);
decryptedValue = Encoding.UTF8.GetString(decryptedBytes);
return true;
}
catch (FormatException ex)
{
this.logger.LogWarning(ex, "Failed to decode encrypted value from base64.");
return false;
}
catch (CryptographicException ex)
{
this.logger.LogWarning(ex, "Failed to decrypt value. The encryption secret may be incorrect.");
return false;
}
}
/// <summary>
/// Encrypts a plaintext value.
/// </summary>
/// <param name="plaintext">The plaintext to encrypt.</param>
/// <param name="encryptedValue">When successful, contains the encrypted value with prefix.</param>
/// <returns>True if encryption was successful; otherwise, false.</returns>
public bool TryEncrypt(string plaintext, out string encryptedValue)
{
encryptedValue = string.Empty;
if (!this.IsAvailable)
{
this.logger.LogWarning("Cannot encrypt: Enterprise encryption service is not available.");
return false;
}
try
{
// Generate a random salt:
var salt = RandomNumberGenerator.GetBytes(SALT_LENGTH);
// Derive key and IV using PBKDF2:
using var keyDerivation = new Rfc2898DeriveBytes(this.secretKey!, salt, ITERATIONS, HashAlgorithmName.SHA512);
var key = keyDerivation.GetBytes(32); // AES-256
var iv = keyDerivation.GetBytes(16); // AES block size
// Encrypt using AES-256-CBC:
using var aes = Aes.Create();
aes.Key = key;
aes.IV = iv;
aes.Mode = CipherMode.CBC;
aes.Padding = PaddingMode.PKCS7;
using var encryptor = aes.CreateEncryptor();
var plaintextBytes = Encoding.UTF8.GetBytes(plaintext);
var cipherText = encryptor.TransformFinalBlock(plaintextBytes, 0, plaintextBytes.Length);
// Combine salt and ciphertext
var combined = new byte[SALT_LENGTH + cipherText.Length];
Array.Copy(salt, 0, combined, 0, SALT_LENGTH);
Array.Copy(cipherText, 0, combined, SALT_LENGTH, cipherText.Length);
// Encode to base64 and add the prefix:
encryptedValue = PREFIX + Convert.ToBase64String(combined);
return true;
}
catch (CryptographicException ex)
{
this.logger.LogWarning(ex, "Failed to encrypt value.");
return false;
}
}
/// <summary>
/// Generates a new random 32-byte secret key and returns it as a base64 string.
/// </summary>
/// <returns>A base64-encoded 32-byte secret key.</returns>
public static string GenerateSecret() => Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
}

49
app/MindWork AI Studio/Tools/PluginSystem/PendingEnterpriseApiKey.cs Normal file
View File

@ -0,0 +1,49 @@
namespace AIStudio.Tools.PluginSystem;
/// <summary>
/// Represents a pending API key that needs to be stored in the OS keyring.
/// This is used during plugin loading to collect API keys from configuration plugins
/// before storing them asynchronously.
/// </summary>
/// <param name="SecretId">The secret ID (provider ID).</param>
/// <param name="SecretName">The secret name (provider instance name).</param>
/// <param name="ApiKey">The decrypted API key.</param>
/// <param name="StoreType">The type of secret store to use.</param>
public sealed record PendingEnterpriseApiKey(
string SecretId,
string SecretName,
string ApiKey,
SecretStoreType StoreType);
/// <summary>
/// Static container for pending API keys during plugin loading.
/// </summary>
public static class PendingEnterpriseApiKeys
{
private static readonly List<PendingEnterpriseApiKey> PENDING_KEYS = [];
private static readonly Lock LOCK = new();
/// <summary>
/// Adds a pending API key to the list.
/// </summary>
/// <param name="key">The pending API key to add.</param>
public static void Add(PendingEnterpriseApiKey key)
{
lock (LOCK)
PENDING_KEYS.Add(key);
}
/// <summary>
/// Gets and clears all pending API keys.
/// </summary>
/// <returns>A list of all pending API keys.</returns>
public static IReadOnlyList<PendingEnterpriseApiKey> GetAndClear()
{
lock (LOCK)
{
var keys = PENDING_KEYS.ToList();
PENDING_KEYS.Clear();
return keys;
}
}
}

41
app/MindWork AI Studio/Tools/PluginSystem/PluginConfiguration.cs
View File

@ -1,4 +1,5 @@
using AIStudio.Settings; using AIStudio.Settings;
using AIStudio.Tools.Services;
using Lua; using Lua;
@ -8,6 +9,7 @@ public sealed class PluginConfiguration(bool isInternal, LuaState state, PluginT
{ {
private static string TB(string fallbackEN) => I18N.I.T(fallbackEN, typeof(PluginConfiguration).Namespace, nameof(PluginConfiguration)); private static string TB(string fallbackEN) => I18N.I.T(fallbackEN, typeof(PluginConfiguration).Namespace, nameof(PluginConfiguration));
private static readonly SettingsManager SETTINGS_MANAGER = Program.SERVICE_PROVIDER.GetRequiredService<SettingsManager>(); private static readonly SettingsManager SETTINGS_MANAGER = Program.SERVICE_PROVIDER.GetRequiredService<SettingsManager>();
private static readonly ILogger LOG = Program.LOGGER_FACTORY.CreateLogger(nameof(PluginConfiguration));
private List<PluginConfigurationObject> configObjects = []; private List<PluginConfigurationObject> configObjects = [];
@ -23,11 +25,50 @@ public sealed class PluginConfiguration(bool isInternal, LuaState state, PluginT
if (!dryRun) if (!dryRun)
{ {
// Store any decrypted API keys from enterprise configuration in the OS keyring:
await StoreEnterpriseApiKeysAsync();
await SETTINGS_MANAGER.StoreSettings(); await SETTINGS_MANAGER.StoreSettings();
await MessageBus.INSTANCE.SendMessage<bool>(null, Event.CONFIGURATION_CHANGED); await MessageBus.INSTANCE.SendMessage<bool>(null, Event.CONFIGURATION_CHANGED);
} }
} }
/// <summary>
/// Stores any pending enterprise API keys in the OS keyring.
/// </summary>
private static async Task StoreEnterpriseApiKeysAsync()
{
var pendingKeys = PendingEnterpriseApiKeys.GetAndClear();
if (pendingKeys.Count == 0)
return;
LOG.LogInformation($"Storing {pendingKeys.Count} enterprise API key(s) in the OS keyring.");
var rustService = Program.SERVICE_PROVIDER.GetRequiredService<RustService>();
foreach (var pendingKey in pendingKeys)
{
try
{
// Create a temporary secret ID object for storing the key:
var secretId = new TemporarySecretId(pendingKey.SecretId, pendingKey.SecretName);
var result = await rustService.SetAPIKey(secretId, pendingKey.ApiKey, pendingKey.StoreType);
if (result.Success)
LOG.LogDebug($"Successfully stored enterprise API key for '{pendingKey.SecretName}' in the OS keyring.");
else
LOG.LogWarning($"Failed to store enterprise API key for '{pendingKey.SecretName}': {result.Issue}");
}
catch (Exception ex)
{
LOG.LogError(ex, $"Exception while storing enterprise API key for '{pendingKey.SecretName}'.");
}
}
}
/// <summary>
/// Temporary implementation of ISecretId for storing enterprise API keys.
/// </summary>
private sealed record TemporarySecretId(string SecretId, string SecretName) : ISecretId;
/// <summary> /// <summary>
/// Tries to initialize the UI text content of the plugin. /// Tries to initialize the UI text content of the plugin.
/// </summary> /// </summary>

23
app/MindWork AI Studio/Tools/PluginSystem/PluginFactory.cs
View File

@ -18,6 +18,29 @@ public static partial class PluginFactory
public static ILanguagePlugin BaseLanguage => BASE_LANGUAGE_PLUGIN; public static ILanguagePlugin BaseLanguage => BASE_LANGUAGE_PLUGIN;
/// <summary>
/// Gets the enterprise encryption instance for decrypting API keys in configuration plugins.
/// </summary>
public static EnterpriseEncryption? EnterpriseEncryption { get; private set; }
/// <summary>
/// Initializes the enterprise encryption service by reading the encryption secret
/// from the Windows Registry or environment variables.
/// </summary>
/// <param name="rustService">The Rust service to use for reading the encryption secret.</param>
public static async Task InitializeEnterpriseEncryption(Services.RustService rustService)
{
LOG.LogInformation("Initializing enterprise encryption service...");
var encryptionSecret = await rustService.EnterpriseEnvConfigEncryptionSecret();
var enterpriseEncryptionLogger = Program.LOGGER_FACTORY.CreateLogger<EnterpriseEncryption>();
EnterpriseEncryption = new EnterpriseEncryption(enterpriseEncryptionLogger, encryptionSecret);
if (EnterpriseEncryption.IsAvailable)
LOG.LogInformation("Enterprise encryption service is available.");
else
LOG.LogWarning("Enterprise encryption service is not available (no secret configured).");
}
/// <summary> /// <summary>
/// Set up the plugin factory. We will read the data directory from the settings manager. /// Set up the plugin factory. We will read the data directory from the settings manager.
/// Afterward, we will create the plugins directory and the internal plugin directory. /// Afterward, we will create the plugins directory and the internal plugin directory.

20
app/MindWork AI Studio/Tools/Services/RustService.Enterprise.cs
View File

@ -65,4 +65,24 @@ public sealed partial class RustService
var serverUrl = await result.Content.ReadAsStringAsync(); var serverUrl = await result.Content.ReadAsStringAsync();
return string.IsNullOrWhiteSpace(serverUrl) ? string.Empty : serverUrl; return string.IsNullOrWhiteSpace(serverUrl) ? string.Empty : serverUrl;
} }
/// <summary>
/// Tries to read the enterprise environment for the configuration encryption secret.
/// </summary>
/// <returns>
/// Returns an empty string when the environment is not set or the request fails.
/// Otherwise, the base64-encoded encryption secret.
/// </returns>
public async Task<string> EnterpriseEnvConfigEncryptionSecret()
{
var result = await this.http.GetAsync("/system/enterprise/config/encryption_secret");
if (!result.IsSuccessStatusCode)
{
this.logger!.LogError($"Failed to query the enterprise configuration encryption secret: '{result.StatusCode}'");
return string.Empty;
}
var encryptionSecret = await result.Content.ReadAsStringAsync();
return string.IsNullOrWhiteSpace(encryptionSecret) ? string.Empty : encryptionSecret;
}
} }

2
app/MindWork AI Studio/wwwroot/changelog/v26.2.2.md
View File

@ -1,5 +1,5 @@
# v26.2.2, build 234 (2026-02-xx xx:xx UTC) # v26.2.2, build 234 (2026-02-xx xx:xx UTC)
- Added a vector database (Qdrant) as a building block for our local RAG (retrieval-augmented generation) solution. Thank you very much, Paul (`PaulKoudelka`), for this major contribution. Note that our local RAG implementation remained in preview and has not yet been released; other building blocks are not yet ready. - Added a vector database (Qdrant) as a building block for our local RAG (retrieval-augmented generation) solution. Thank you very much, Paul (`PaulKoudelka`), for this major contribution. Note that our local RAG implementation remained in preview and has not yet been released; other building blocks are not yet ready.
- Added an app setting to enable administration options for IT staff to configure and maintain organization-wide settings. - Added an app setting to enable administration options for IT staff to configure and maintain organization-wide settings.
- Added an option to export all provider types (LLMs, embeddings, transcriptions) for use in a configuration plugin. This feature appears only when administration options are enabled. - Added an option to export all provider types (LLMs, embeddings, transcriptions) so you can use them in a configuration plugin. You'll be asked if you want to export the related API key too. API keys will be encrypted in the export. This feature only shows up when administration options are enabled.
- Improved the document analysis assistant (in beta) by hiding the export functionality by default. Enable the administration options in the app settings to show and use the export functionality. This streamlines the usage for regular users. - Improved the document analysis assistant (in beta) by hiding the export functionality by default. Enable the administration options in the app settings to show and use the export functionality. This streamlines the usage for regular users.

70
documentation/Enterprise IT.md
View File

@ -27,6 +27,8 @@ The following keys and values (registry) and variables are checked and read:
- Key `HKEY_CURRENT_USER\Software\github\MindWork AI Studio\Enterprise IT`, value `config_server_url` or variable `MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_SERVER_URL`: An HTTP or HTTPS address using an IP address or DNS name. This is the web server from which AI Studio attempts to load the specified configuration as a ZIP file. - Key `HKEY_CURRENT_USER\Software\github\MindWork AI Studio\Enterprise IT`, value `config_server_url` or variable `MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_SERVER_URL`: An HTTP or HTTPS address using an IP address or DNS name. This is the web server from which AI Studio attempts to load the specified configuration as a ZIP file.
- Key `HKEY_CURRENT_USER\Software\github\MindWork AI Studio\Enterprise IT`, value `config_encryption_secret` or variable `MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ENCRYPTION_SECRET`: A base64-encoded 32-byte encryption key for decrypting API keys in configuration plugins. This is optional and only needed if you want to include encrypted API keys in your configuration.
Let's assume as example that `https://intranet.my-company.com:30100/ai-studio/configuration` is the server address and `9072b77d-ca81-40da-be6a-861da525ef7b` is the configuration ID. AI Studio will derive the following address from this information: `https://intranet.my-company.com:30100/ai-studio/configuration/9072b77d-ca81-40da-be6a-861da525ef7b.zip`. Important: The configuration ID will always be written in lowercase, even if it is configured in uppercase. If `9072B77D-CA81-40DA-BE6A-861DA525EF7B` is configured, the same address will be derived. Your web server must be configured accordingly. Let's assume as example that `https://intranet.my-company.com:30100/ai-studio/configuration` is the server address and `9072b77d-ca81-40da-be6a-861da525ef7b` is the configuration ID. AI Studio will derive the following address from this information: `https://intranet.my-company.com:30100/ai-studio/configuration/9072b77d-ca81-40da-be6a-861da525ef7b.zip`. Important: The configuration ID will always be written in lowercase, even if it is configured in uppercase. If `9072B77D-CA81-40DA-BE6A-861DA525EF7B` is configured, the same address will be derived. Your web server must be configured accordingly.
Finally, AI Studio will send a GET request and download the ZIP file. The ZIP file only contains the files necessary for the configuration. It's normal to include a file for an icon along with the actual configuration plugin. Finally, AI Studio will send a GET request and download the ZIP file. The ZIP file only contains the files necessary for the configuration. It's normal to include a file for an icon along with the actual configuration plugin.
@ -82,14 +84,68 @@ The latest example of an AI Studio configuration via configuration plugin can al
Please note that the icon must be an SVG vector graphic. Raster graphics like PNGs, GIFs, and others arent supported. You can use the sample icon, which looks like a gear. Please note that the icon must be an SVG vector graphic. Raster graphics like PNGs, GIFs, and others arent supported. You can use the sample icon, which looks like a gear.
Currently, you can configure the following things: Currently, you can configure the following things:
- Any number of self-hosted LLM providers (a combination of server and model), but currently only without API keys - Any number of LLM providers (self-hosted or cloud providers with encrypted API keys)
- Any number of transcription providers for voice-to-text functionality
- Any number of embedding providers for RAG
- The update behavior of AI Studio - The update behavior of AI Studio
- Various UI and feature settings (see the example configuration for details)
All other settings can be made by the user themselves. If you need additional settings, feel free to create an issue in our planning repository: https://github.com/MindWorkAI/Planning/issues All other settings can be made by the user themselves. If you need additional settings, feel free to create an issue in our planning repository: https://github.com/MindWorkAI/Planning/issues
In the coming months, we will allow more settings, such as: ## Encrypted API Keys
- Using API keys for providers
- Configuration of embedding providers for RAG You can include encrypted API keys in your configuration plugins for cloud providers (like OpenAI, Anthropic) or secured on-premise models. This feature provides obfuscation to prevent casual exposure of API keys in configuration files.
- Configuration of data sources for RAG
- Configuration of chat templates **Important Security Note:** This is obfuscation, not absolute security. Users with administrative access to their machines can potentially extract the decrypted API keys with sufficient effort. This feature is designed to:
- Configuration of assistant plugins (for example, your own assistants for your company or specific departments) - Prevent API keys from being visible in plaintext in configuration files
- Protect against accidental exposure when sharing or reviewing configurations
- Add a barrier against casual snooping
### Setting Up Encrypted API Keys
1. **Generate an encryption secret:**
You need a 32-byte (256-bit) secret key encoded in base64. You can generate one using:
```powershell
# PowerShell (Windows)
$bytes = [System.Security.Cryptography.RandomNumberGenerator]::GetBytes(32)
[Convert]::ToBase64String($bytes)
```
```bash
# Linux/macOS
openssl rand -base64 32
```
2. **Deploy the encryption secret:**
Distribute the secret via Group Policy (Windows Registry) or environment variables:
- Registry: `HKEY_CURRENT_USER\Software\github\MindWork AI Studio\Enterprise IT\config_encryption_secret`
- Environment: `MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ENCRYPTION_SECRET`
3. **Export encrypted API keys from AI Studio:**
The easiest way to get encrypted API keys is to use the export function:
- Configure a provider with an API key in AI Studio's settings
- Click the export button for that provider
- If an API key is configured, you'll be asked if you want to include it
- The exported Lua code will contain the encrypted API key in the format `ENC:v1:<base64-encoded data>`
4. **Add encrypted keys to your configuration:**
Copy the exported configuration (including the encrypted API key) into your configuration plugin.
### Example Configuration with Encrypted API Key
```lua
CONFIG["LLM_PROVIDERS"][#CONFIG["LLM_PROVIDERS"]+1] = {
["Id"] = "9072b77d-ca81-40da-be6a-861da525ef7b",
["InstanceName"] = "Corporate OpenAI GPT-4",
["UsedLLMProvider"] = "OPEN_AI",
["Host"] = "NONE",
["Hostname"] = "",
["APIKey"] = "ENC:v1:MTIzNDU2Nzg5MDEyMzQ1NkFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFla...",
["AdditionalJsonApiParameters"] = "",
["Model"] = {
["Id"] = "gpt-4",
["DisplayName"] = "GPT-4",
}
}
```
The API key will be automatically decrypted when the configuration is loaded and stored securely in the operating system's credential store (Windows Credential Manager / macOS Keychain).

24
runtime/src/environment.rs
View File

@ -119,6 +119,30 @@ pub fn read_enterprise_env_config_server_url(_token: APIToken) -> String {
) )
} }
#[get("/system/enterprise/config/encryption_secret")]
pub fn read_enterprise_env_config_encryption_secret(_token: APIToken) -> String {
//
// When we are on a Windows machine, we try to read the enterprise config from
// the Windows registry. In case we can't find the registry key, or we are on a
// macOS or Linux machine, we try to read the enterprise config from the
// environment variables.
//
// The registry key is:
// HKEY_CURRENT_USER\Software\github\MindWork AI Studio\Enterprise IT
//
// In this registry key, we expect the following values:
// - config_encryption_secret
//
// The environment variable is:
// MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ENCRYPTION_SECRET
//
debug!("Trying to read the enterprise environment for the config encryption secret.");
get_enterprise_configuration(
"config_encryption_secret",
"MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ENCRYPTION_SECRET",
)
}
fn get_enterprise_configuration(_reg_value: &str, env_name: &str) -> String { fn get_enterprise_configuration(_reg_value: &str, env_name: &str) -> String {
cfg_if::cfg_if! { cfg_if::cfg_if! {
if #[cfg(target_os = "windows")] { if #[cfg(target_os = "windows")] {

1
runtime/src/runtime_api.rs
View File

@ -85,6 +85,7 @@ pub fn start_runtime_api() {
crate::environment::read_enterprise_env_config_id, crate::environment::read_enterprise_env_config_id,
crate::environment::delete_enterprise_env_config_id, crate::environment::delete_enterprise_env_config_id,
crate::environment::read_enterprise_env_config_server_url, crate::environment::read_enterprise_env_config_server_url,
crate::environment::read_enterprise_env_config_encryption_secret,
crate::file_data::extract_data, crate::file_data::extract_data,
crate::log::get_log_paths, crate::log::get_log_paths,
crate::log::log_event, crate::log::log_event,