Bind token encryption key to machine identity

Co-authored-by: Tyrrrz <1935960+Tyrrrz@users.noreply.github.com>
2026-03-22 02:04:35 -05:00 · 2026-02-27 08:42:25 +00:00 · 2026-02-27 08:42:25 +00:00 · 1721ac4e0c
commit 1721ac4e0c
parent f9871115fb
1 changed files with 50 additions and 3 deletions
--- a/DiscordChatExporter.Gui/Services/TokenEncryptionConverter.cs
+++ b/DiscordChatExporter.Gui/Services/TokenEncryptionConverter.cs
@ -1,4 +1,5 @@
 using System;
+using System.IO;
 using System.Security.Cryptography;
 using System.Text;
 using System.Text.Json;
@ -11,7 +12,53 @@ internal class TokenEncryptionConverter : JsonConverter<string?>
    private const string Prefix = "enc:";
    private const int MaxPaddingLength = 16;

-    private static readonly byte[] Key = "DCE-Token-Key-v1"u8.ToArray();
+    // Key is derived from a machine-specific identifier so that a stolen Settings.dat
+    // cannot be decrypted on a different machine.
+    private static readonly Lazy<byte[]> Key = new(DeriveKey);
+
+    private static byte[] DeriveKey()
+    {
+        var machineId = GetMachineId();
+        return Rfc2898DeriveBytes.Pbkdf2(
+            Encoding.UTF8.GetBytes(machineId),
+            "DCE-Token-Salt"u8.ToArray(),
+            iterations: 10_000,
+            HashAlgorithmName.SHA256,
+            outputLength: 16
+        );
+    }
+
+    private static string GetMachineId()
+    {
+        // Windows: stable GUID written during OS installation
+        if (OperatingSystem.IsWindows())
+        {
+            try
+            {
+                using var regKey = Microsoft.Win32.Registry.LocalMachine.OpenSubKey(
+                    @"SOFTWARE\Microsoft\Cryptography"
+                );
+                if (regKey?.GetValue("MachineGuid") is string guid && guid.Length > 0)
+                    return guid;
+            }
+            catch { }
+        }
+
+        // Linux: /etc/machine-id (set once by systemd at first boot)
+        foreach (var path in new[] { "/etc/machine-id", "/var/lib/dbus/machine-id" })
+        {
+            try
+            {
+                var id = File.ReadAllText(path).Trim();
+                if (id.Length > 0)
+                    return id;
+            }
+            catch { }
+        }
+
+        // Last-resort fallback (e.g. macOS without /etc/machine-id)
+        return Environment.MachineName;
+    }

    public override string? Read(
        ref Utf8JsonReader reader,
@ -29,7 +76,7 @@ internal class TokenEncryptionConverter : JsonConverter<string?>
        {
            var data = Convert.FromBase64String(value[Prefix.Length..]);
            using var aes = Aes.Create();
-            aes.Key = Key;
+            aes.Key = Key.Value;

            // Layout: IV (16 bytes) | padLen (1 byte) | ciphertext
            var decrypted = aes.DecryptCbc(data[17..], data[..16]);
@ -50,7 +97,7 @@ internal class TokenEncryptionConverter : JsonConverter<string?>
        }

        using var aes = Aes.Create();
-        aes.Key = Key;
+        aes.Key = Key.Value;
        aes.GenerateIV(); // Random IV ensures non-deterministic output

        // Random padding bytes vary the output length