
docs(actual-budget): manage E2EE password in OpenBao + document manual enable#2476

Merged: devantler merged 1 commit into main from claude/actual-budget-e2ee-encryption-docs on Jul 4, 2026

@devantler

Contributor

🤖 Generated by the Daily AI Assistant

Why: We want Actual Budget's end-to-end encryption managed the same declarative way as everything else. But Actual's E2EE is client-side and password-derived by design — the server never sees the key — so there is no server switch to enable it, and there shouldn't be. The real risk to manage is a lost password: it makes the budget permanently unrecoverable.

What: Declares the E2EE password as a root of trust — seeds an OpenBao path (apps/actual-budget/encryption, create-only placeholder, mirroring the Enable Banking seed) as the durable DR store, and documents the one-time manual "Enable encryption" step in the app README plus a custody entry in the DR crypto-custody doc. Nothing in-cluster consumes the password (only a client can use it); OpenBao is purely the record so it can't be lost.

No behaviour change to the running app — seed + docs only.

…l enable

Actual Budget's end-to-end encryption is a client-side, password-derived
feature: the client derives the key locally and the sync-server never sees the
password or key (that is what makes it end-to-end). There is no ACTUAL_* env or
server endpoint to enable it, so it cannot be turned on declaratively.

What can be declarative — and matters most — is the password of record. Seed an
OpenBao path apps/actual-budget/encryption (create-only placeholder, mirroring
the enablebanking seed) as the durable DR store for the password; nothing
in-cluster reads it back because only a client can use it. Document the one-time
manual enable step in the app README and add the password as a root of trust in
docs/dr/crypto-custody.md, with the lost-password = unrecoverable warning.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 4, 2026

📝 Walkthrough

This change adds Kubernetes manifests to seed an Actual Budget end-to-end-encryption password placeholder into OpenBao via a create-only PushSecret, and wires these resources into the vault-seed kustomization. Documentation is added/updated in the disaster-recovery crypto-custody guide and a new Actual Budget base README, describing the password's client-side derivation, storage location, custody recommendations, and leak/loss incident handling.

Changes

| File | Change |
| --- | --- |
| `docs/dr/crypto-custody.md` | Adds a "roots of trust" table row and a new section on the Actual Budget E2EE password's storage, custody, leak rotation, and loss unrecoverability |
| `k8s/bases/apps/actual-budget/README.md` | New README documenting bank sync credential seeding and E2EE password behavior |
| `k8s/bases/infrastructure/vault-seed/kustomization.yaml` | Adds two new resource entries |
| `k8s/bases/infrastructure/vault-seed/push-secret-seed-actual-budget-encryption.yaml` | New `PushSecret` seeding the placeholder password into OpenBao with `IfNotExists` policy |
| `k8s/bases/infrastructure/vault-seed/secret-actual-budget-encryption-placeholder.yaml` | New `Opaque` Secret containing a plaintext `PLACEHOLDER` password |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  participant Kustomization
  participant PlaceholderSecret
  participant PushSecret
  participant OpenBao

  Kustomization->>PlaceholderSecret: include secret-actual-budget-encryption-placeholder.yaml
  Kustomization->>PushSecret: include push-secret-seed-actual-budget-encryption.yaml
  PushSecret->>PlaceholderSecret: read password value
  PushSecret->>OpenBao: push to apps/actual-budget/encryption (IfNotExists)
```

Possibly related PRs

  • devantler-tech/platform#2343: Updates OpenBao/Vault ACLs for the same `apps/actual-budget/*` secret paths that this PR's PushSecret writes to.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Title check | ✅ Passed | The title clearly summarizes the main change: managing the Actual Budget E2EE password in OpenBao and documenting manual enablement. |
| Description check | ✅ Passed | The description is directly related to the changeset and accurately explains the OpenBao seed, manual enable step, and custody docs. |

Comment @coderabbitai help to get the list of available commands.
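
A custody check for the seeded path, as an added example that is not part of this PR or the project's code: it classifies a read of `apps/actual-budget/encryption` so a DR drill can tell a still-seeded `PLACEHOLDER` from a recorded password. The KV v2 response shape, the `password` field name and the sample responses are assumptions constructed here.

```python
import json

PLACEHOLDER = "PLACEHOLDER"  # seed value named in the PR walkthrough
FIELD = "password"           # assumption: property name under the path


def custody_status(kv_read_json: str) -> str:
    """Classify a KV v2 read of the DR record; never returns the secret itself."""
    try:
        body = json.loads(kv_read_json)
    except json.JSONDecodeError:
        return "unreadable"
    outer = body.get("data") if isinstance(body, dict) else None
    if not isinstance(outer, dict):
        return "unreadable"
    meta = outer.get("metadata")
    meta = meta if isinstance(meta, dict) else {}
    # A soft-deleted or destroyed version cannot be used for recovery.
    if meta.get("destroyed") or meta.get("deletion_time"):
        return "deleted"
    fields = outer.get("data")
    value = fields.get(FIELD) if isinstance(fields, dict) else None
    if not isinstance(value, str) or not value.strip():
        return "missing"
    # Create-only seeding leaves this value until an operator overwrites it.
    if value.strip() == PLACEHOLDER:
        return "placeholder"
    return "recorded"


def _resp(fields, version=1, deletion_time="", destroyed=False):
    """Build a constructed KV v2 read response for the samples below."""
    meta = {"version": version, "deletion_time": deletion_time, "destroyed": destroyed}
    return json.dumps({"data": {"data": fields, "metadata": meta}})


# Constructed sample responses (not real output from any cluster).
SAMPLES = {
    "seeded": _resp({FIELD: "PLACEHOLDER"}),
    "recorded": _resp({FIELD: "constructed-example-passphrase"}, version=2),
    "soft_deleted": _resp(None, version=2, deletion_time="2026-07-05T00:00:00Z"),
    "wrong_key": _resp({"passwd": "constructed-example-passphrase"}, version=2),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {custody_status(raw)}")
```

Only `recorded` should pass a drill; every other status means the budget would be unrecoverable from this record alone.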

@devantler

Contributor Author

🤖 Generated by the Daily AI Assistant

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 4, 2026


@devantler I'll review the changes now.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@devantler devantler marked this pull request as ready for review July 4, 2026 21:47
@devantler devantler added this pull request to the merge queue Jul 4, 2026
Merged via the queue into main with commit 602a907 Jul 4, 2026
15 checks passed
@devantler devantler deleted the claude/actual-budget-e2ee-encryption-docs branch July 4, 2026 22:24
@github-project-automation github-project-automation Bot moved this from 🫴 Ready to ✅ Done in 🌊 Project Board Jul 4, 2026