Envelope encryption
Rather than a single static secret, ProBot uses two keys stacked:- A KEK (Key Encryption Key) - a 32-byte symmetric key - lives only in the
PROBOT_KEY_ENCRYPTION_KEYenvironment variable. Never in the database, never in git, never in a DB backup. - A fresh DEK (Data Encryption Key) is generated per bot. The DEK encrypts your LLM key with AES-256-GCM.
- The DEK is itself encrypted (“wrapped”) with the KEK and stored next to the ciphertext.
- At chat time the server loads the ciphertext + wrapped DEK, unwraps the DEK with the KEK, decrypts your key, calls the provider, and discards everything from memory.