Harden key-manager storage encryption key by moving to non-extractable IndexedDB CryptoKey #72

Closed
Copilot wants to merge 3 commits into master from copilot/fix-storage-encryption-key

Copilot AI commented Jun 2, 2026

The key manager encrypted persisted conversation keys but kept the storage encryption key as raw Base64 in localStorage, making full key recovery possible under XSS. This change removes raw key material persistence and stores the key as a non-extractable Web Crypto handle in IndexedDB.

  • Storage key persistence hardening

    • KeyManager now loads/stores qryptchat_storage_enc_key via indexedDBManager instead of localStorage.
    • New storage encryption keys are generated with extractable: false so raw bytes are not exportable.
    • Removed exportKey('raw') + Base64 persistence path.
  • Legacy key migration

    • On initialization, if a legacy Base64 key exists in localStorage or sessionStorage, it is imported as a non-extractable AES-GCM key and written to IndexedDB.
    • Legacy web-storage entries are deleted after migration to eliminate plaintext key exposure.
  • Focused coverage for hardened behavior

    • Added targeted tests for:
      • non-extractable key generation + IndexedDB persistence
      • migration from legacy localStorage
      • migration from legacy sessionStorage

```js
// New key path: non-extractable key handle persisted in IndexedDB
this._storageEncKey = await crypto.subtle.generateKey(
  { name: 'AES-GCM', length: 256 },
  false,
  ['encrypt', 'decrypt']
);
await indexedDBManager.set(this.storageEncryptionKeyName, this._storageEncKey);
```
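
The legacy-key migration and the non-extractable property summarised in the description above, as an added example that is not code from this PR or the project. `migrateLegacyKey`, `demo`, and the `Map` stand-ins for `indexedDBManager`, `localStorage` and `sessionStorage` are assumptions, chosen so the sketch runs in Node as well as a browser.

```javascript
// Added example. `store` stands in for indexedDBManager and each Map in
// `webStorages` for localStorage/sessionStorage (stand-ins are assumptions).
const KEY_NAME = 'qryptchat_storage_enc_key';
const AES = { name: 'AES-GCM' };

async function getSubtle() {
  // Browsers and current Node expose crypto.subtle globally; older Node needs the module.
  return globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle;
}

async function migrateLegacyKey(webStorages, store) {
  const subtle = await getSubtle();
  const legacyB64 = webStorages.map(s => s.get(KEY_NAME)).find(v => v !== undefined);
  if (legacyB64 === undefined) return store.get(KEY_NAME) ?? null; // nothing to migrate
  const raw = Uint8Array.from(atob(legacyB64), c => c.charCodeAt(0));
  if (raw.length !== 32) throw new Error('legacy key is not 256 bits');
  // extractable = false: usable for encrypt/decrypt, but exportKey() rejects.
  const key = await subtle.importKey('raw', raw, AES, false, ['encrypt', 'decrypt']);
  raw.fill(0);
  store.set(KEY_NAME, key);                       // persist the handle first,
  webStorages.forEach(s => s.delete(KEY_NAME));   // then drop every plaintext copy
  return key;
}

async function demo() {
  const subtle = await getSubtle();
  // Constructed legacy state: a key saved as Base64 and one record encrypted under it.
  const rawKey = Uint8Array.from({ length: 32 }, (_, i) => i);
  const legacyKey = await subtle.importKey('raw', rawKey, AES, true, ['encrypt']);
  const iv = new Uint8Array(12); // fixed IV only because this is a single constructed record
  const ct = await subtle.encrypt({ ...AES, iv }, legacyKey,
    new TextEncoder().encode('conversation-key'));
  const local = new Map();
  const session = new Map([[KEY_NAME, btoa(String.fromCharCode(...rawKey))]]);
  const store = new Map();

  const key = await migrateLegacyKey([local, session], store);
  const plaintext = new TextDecoder().decode(await subtle.decrypt({ ...AES, iv }, key, ct));
  const exportBlocked = await subtle.exportKey('raw', key).then(() => false, () => true);
  return {
    extractable: key.extractable, plaintext, exportBlocked,
    legacyLeft: local.has(KEY_NAME) || session.has(KEY_NAME),
    stored: store.get(KEY_NAME) === key,
  };
}
```

A non-extractable handle stops script in the origin from reading the raw key bytes, but that script can still call `decrypt` with the handle while it runs. A migrated key also carries whatever exposure it had while it sat in web storage, since migration re-imports the same bytes rather than rotating them.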


github-actions Bot commented Jun 2, 2026

vu1nz Security Review

0 finding(s) in PR #?

No security issues found.

Copilot AI changed the title from "[WIP] Fix storage encryption key exposure in localStorage" to "Harden key-manager storage encryption key by moving to non-extractable IndexedDB CryptoKey" Jun 2, 2026
Copilot AI requested a review from ralyodio June 2, 2026 15:01
ralyodio closed this Jun 4, 2026

Development

Successfully merging this pull request may close these issues.

[MEDIUM] Storage encryption key stored as raw Base64 in localStorage — XSS exposes all conversation keys
