api/src/services/openclawIntegrationService.js currently stores OpenClaw device secrets (private_key and device_token) in openclaw_integration_state as plaintext. This preserves pairing continuity, but it leaves sensitive credentials unprotected at rest.
We should add application-level encryption for these values before writing them to the database.
Proposed approach
- Add a new API env var for a 32-byte encryption key, for example OPENCLAW_INTEGRATION_SECRET_KEY
- Encrypt private_key and device_token with authenticated encryption before persisting
- Store encrypted payloads in the existing DB columns using a versioned format
- Support backward-compatible reads for legacy plaintext rows during rollout
- Rewrite legacy plaintext values in encrypted form on the next successful update or pairing flow
- Fail closed if encrypted values exist but the encryption key is missing or invalid
Acceptance criteria
- New writes never persist raw device secret material
- Existing paired installs continue working during upgrade
- Encrypted rows can be read back into the current pairing and auth flow
- Missing or invalid key produces a clear operational error
- Docs include the new env var and rollout note
Tests
- Encryption and decryption round-trip
- Legacy plaintext compatibility
- Pairing and finalize paths write encrypted values
- Missing-key behavior for encrypted rows