feat: add encrypted connection export with credentials (Pro) (#474)

* feat: add encrypted connection export with credentials (Pro)

* fix: remove onDrag that broke list selection and reordering, fix export sheet binding

* fix: address code review — credential injection, Pro gate, decrypt race, passphrase handling

Author: datlechin

CHANGELOG.md

@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+- Encrypted connection export with credentials: Pro users can include passwords in exports, protected by AES-256-GCM encryption with a passphrase
 - Connection sharing: export/import connections as `.tablepro` files (#466)
 - Import preview with duplicate detection, warning badges, and per-item resolution
 - "Copy as Import Link" context menu action for sharing via `tablepro://` URLs

TablePro/Core/Services/Export/ConnectionExportCrypto.swift

@@ -0,0 +1,131 @@
+//
+//  ConnectionExportCrypto.swift
+//  TablePro
+//
+//  AES-256-GCM encryption for connection export files with PBKDF2 key derivation.
+//
+
+import CommonCrypto
+import CryptoKit
+import Foundation
+
+enum ConnectionExportCryptoError: LocalizedError {
+    case invalidPassphrase
+    case corruptData
+    case unsupportedVersion(UInt8)
+
+    var errorDescription: String? {
+        switch self {
+        case .invalidPassphrase:
+            return String(localized: "Incorrect passphrase")
+        case .corruptData:
+            return String(localized: "The encrypted file is corrupt or incomplete")
+        case .unsupportedVersion(let v):
+            return String(localized: "Unsupported encryption version \(v)")
+        }
+    }
+}
+
+enum ConnectionExportCrypto {
+    private static let magic = Data("TPRO".utf8) // 4 bytes
+    private static let currentVersion: UInt8 = 1
+    private static let saltLength = 32
+    private static let nonceLength = 12
+    private static let pbkdf2Iterations: UInt32 = 600_000
+    private static let keyLength = 32 // AES-256
+
+    // Header: magic (4) + version (1) + salt (32) + nonce (12) = 49 bytes
+    private static let headerLength = 4 + 1 + saltLength + nonceLength
+
+    static func isEncrypted(_ data: Data) -> Bool {
+        data.count > headerLength && data.prefix(4) == magic
+    }
+
+    static func encrypt(data: Data, passphrase: String) throws -> Data {
+        var salt = Data(count: saltLength)
+        let saltStatus = salt.withUnsafeMutableBytes { buffer -> OSStatus in
+            guard let baseAddress = buffer.baseAddress else { return errSecParam }
+            return SecRandomCopyBytes(kSecRandomDefault, saltLength, baseAddress)
+        }
+        guard saltStatus == errSecSuccess else {
+            throw ConnectionExportCryptoError.corruptData
+        }
+
+        let key = try deriveKey(passphrase: passphrase, salt: salt)
+        let nonce = AES.GCM.Nonce()
+        let sealed = try AES.GCM.seal(data, using: key, nonce: nonce)
+
+        var result = Data()
+        result.append(magic)
+        result.append(currentVersion)
+        result.append(salt)
+        result.append(contentsOf: nonce)
+        result.append(sealed.ciphertext)
+        result.append(sealed.tag)
+        return result
+    }
+
+    static func decrypt(data: Data, passphrase: String) throws -> Data {
+        guard data.count > headerLength else {
+            throw ConnectionExportCryptoError.corruptData
+        }
+        guard data.prefix(4) == magic else {
+            throw ConnectionExportCryptoError.corruptData
+        }
+
+        let version = data[4]
+        guard version <= currentVersion else {
+            throw ConnectionExportCryptoError.unsupportedVersion(version)
+        }
+
+        let salt = data[5 ..< 37]
+        let nonceData = data[37 ..< 49]
+        let ciphertextAndTag = data[49...]
+
+        guard ciphertextAndTag.count > 16 else {
+            throw ConnectionExportCryptoError.corruptData
+        }
+
+        let ciphertext = ciphertextAndTag.dropLast(16)
+        let tag = ciphertextAndTag.suffix(16)
+
+        let key = try deriveKey(passphrase: passphrase, salt: Data(salt))
+        let nonce = try AES.GCM.Nonce(data: nonceData)
+        let sealedBox = try AES.GCM.SealedBox(nonce: nonce, ciphertext: ciphertext, tag: tag)
+
+        do {
+            return try AES.GCM.open(sealedBox, using: key)
+        } catch {
+            throw ConnectionExportCryptoError.invalidPassphrase
+        }
+    }
+
+    private static func deriveKey(passphrase: String, salt: Data) throws -> SymmetricKey {
+        let passphraseData = Data(passphrase.utf8)
+        var derivedKey = Data(count: keyLength)
+
+        let status = derivedKey.withUnsafeMutableBytes { derivedKeyBytes in
+            passphraseData.withUnsafeBytes { passphraseBytes in
+                salt.withUnsafeBytes { saltBytes in
+                    CCKeyDerivationPBKDF(
+                        CCPBKDFAlgorithm(kCCPBKDF2),
+                        passphraseBytes.baseAddress?.assumingMemoryBound(to: Int8.self),
+                        passphraseData.count,
+                        saltBytes.baseAddress?.assumingMemoryBound(to: UInt8.self),
+                        salt.count,
+                        CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256),
+                        pbkdf2Iterations,
+                        derivedKeyBytes.baseAddress?.assumingMemoryBound(to: UInt8.self),
+                        keyLength
+                    )
+                }
+            }
+        }
+
+        guard status == kCCSuccess else {
+            throw ConnectionExportCryptoError.corruptData
+        }
+
+        return SymmetricKey(data: derivedKey)
+    }
+}

TablePro/Core/Services/Export/ConnectionExportService.swift

@@ -16,6 +16,8 @@ enum ConnectionExportError: LocalizedError {
     case invalidFormat
     case unsupportedVersion(Int)
     case decodingFailed(String)
+    case requiresPassphrase
+    case decryptionFailed(String)
 
     var errorDescription: String? {
         switch self {
@@ -31,6 +33,10 @@ enum ConnectionExportError: LocalizedError {
             return String(localized: "This file requires a newer version of TablePro (format version \(version))")
         case .decodingFailed(let detail):
             return String(localized: "Failed to parse connection file: \(detail)")
+        case .requiresPassphrase:
+            return String(localized: "This file is encrypted and requires a passphrase")
+        case .decryptionFailed(let detail):
+            return String(localized: "Decryption failed: \(detail)")
         }
     }
 }
@@ -217,7 +223,8 @@ enum ConnectionExportService {
             appVersion: appVersion,
             connections: exportableConnections,
             groups: exportableGroups,
-            tags: exportableTags
+            tags: exportableTags,
+            credentials: nil
         )
     }
 
@@ -246,6 +253,82 @@ enum ConnectionExportService {
         }
     }
 
+    // MARK: - Encrypted Export
+
+    static func buildEnvelopeWithCredentials(for connections: [DatabaseConnection]) -> ConnectionExportEnvelope {
+        let baseEnvelope = buildEnvelope(for: connections)
+
+        var credentialsMap: [String: ExportableCredentials] = [:]
+        for (index, connection) in connections.enumerated() {
+            let password = ConnectionStorage.shared.loadPassword(for: connection.id)
+            let sshPassword = ConnectionStorage.shared.loadSSHPassword(for: connection.id)
+            let keyPassphrase = ConnectionStorage.shared.loadKeyPassphrase(for: connection.id)
+            let totpSecret = ConnectionStorage.shared.loadTOTPSecret(for: connection.id)
+
+            // Collect plugin-specific secure fields
+            var pluginSecureFields: [String: String]?
+            if let snapshot = PluginMetadataRegistry.shared.snapshot(forTypeId: connection.type.pluginTypeId) {
+                let secureFieldIds = snapshot.connection.additionalConnectionFields
+                    .filter(\.isSecure)
+                    .map(\.id)
+                if !secureFieldIds.isEmpty {
+                    var fields: [String: String] = [:]
+                    for fieldId in secureFieldIds {
+                        if let value = ConnectionStorage.shared.loadPluginSecureField(
+                            fieldId: fieldId,
+                            for: connection.id
+                        ) {
+                            fields[fieldId] = value
+                        }
+                    }
+                    if !fields.isEmpty {
+                        pluginSecureFields = fields
+                    }
+                }
+            }
+
+            let hasAnyCredential = password != nil || sshPassword != nil
+                || keyPassphrase != nil || totpSecret != nil || pluginSecureFields != nil
+
+            if hasAnyCredential {
+                credentialsMap[String(index)] = ExportableCredentials(
+                    password: password,
+                    sshPassword: sshPassword,
+                    keyPassphrase: keyPassphrase,
+                    totpSecret: totpSecret,
+                    pluginSecureFields: pluginSecureFields
+                )
+            }
+        }
+
+        return ConnectionExportEnvelope(
+            formatVersion: baseEnvelope.formatVersion,
+            exportedAt: baseEnvelope.exportedAt,
+            appVersion: baseEnvelope.appVersion,
+            connections: baseEnvelope.connections,
+            groups: baseEnvelope.groups,
+            tags: baseEnvelope.tags,
+            credentials: credentialsMap.isEmpty ? nil : credentialsMap
+        )
+    }
+
+    static func exportConnectionsEncrypted(
+        _ connections: [DatabaseConnection],
+        to url: URL,
+        passphrase: String
+    ) throws {
+        let envelope = buildEnvelopeWithCredentials(for: connections)
+        let jsonData = try encode(envelope)
+        let encryptedData = try ConnectionExportCrypto.encrypt(data: jsonData, passphrase: passphrase)
+
+        do {
+            try encryptedData.write(to: url, options: .atomic)
+            logger.info("Exported \(connections.count) encrypted connections to \(url.path)")
+        } catch {
+            throw ConnectionExportError.fileWriteFailed(url.path)
+        }
+    }
+
     // MARK: - Import
 
     static func decodeFile(at url: URL) throws -> ConnectionExportEnvelope {
@@ -255,9 +338,53 @@ enum ConnectionExportService {
         } catch {
             throw ConnectionExportError.fileReadFailed(url.path)
         }
+
+        if ConnectionExportCrypto.isEncrypted(data) {
+            throw ConnectionExportError.requiresPassphrase
+        }
+
         return try decodeData(data)
     }
 
+    nonisolated static func decodeEncryptedData(_ data: Data, passphrase: String) throws -> ConnectionExportEnvelope {
+        let decryptedData: Data
+        do {
+            decryptedData = try ConnectionExportCrypto.decrypt(data: data, passphrase: passphrase)
+        } catch {
+            throw ConnectionExportError.decryptionFailed(error.localizedDescription)
+        }
+        return try decodeData(decryptedData)
+    }
+
+    static func restoreCredentials(from envelope: ConnectionExportEnvelope, connectionIdMap: [Int: UUID]) {
+        guard let credentials = envelope.credentials else { return }
+
+        for (indexString, creds) in credentials {
+            guard let index = Int(indexString),
+                  let connectionId = connectionIdMap[index] else { continue }
+
+            if let password = creds.password {
+                ConnectionStorage.shared.savePassword(password, for: connectionId)
+            }
+            if let sshPassword = creds.sshPassword {
+                ConnectionStorage.shared.saveSSHPassword(sshPassword, for: connectionId)
+            }
+            if let keyPassphrase = creds.keyPassphrase {
+                ConnectionStorage.shared.saveKeyPassphrase(keyPassphrase, for: connectionId)
+            }
+            if let totpSecret = creds.totpSecret {
+                ConnectionStorage.shared.saveTOTPSecret(totpSecret, for: connectionId)
+            }
+            if let secureFields = creds.pluginSecureFields {
+                for (fieldId, value) in secureFields {
+                    ConnectionStorage.shared.savePluginSecureField(value, fieldId: fieldId, for: connectionId)
+                }
+            }
+        }
+
+        logger.info("Restored credentials for \(credentials.count) connections")
+    }
+
     /// Decode an envelope from raw JSON data. Can be called from any thread.
     nonisolated static func decodeData(_ data: Data) throws -> ConnectionExportEnvelope {
         let decoder = JSONDecoder()
@@ -343,11 +470,16 @@ enum ConnectionExportService {
         return ConnectionImportPreview(envelope: envelope, items: items)
     }
 
+    struct ImportResult {
+        let importedCount: Int
+        let connectionIdMap: [Int: UUID] // envelope index -> new connection UUID
+    }
+
     @discardableResult
     static func performImport(
         _ preview: ConnectionImportPreview,
         resolutions: [UUID: ImportResolution]
-    ) -> Int {
+    ) -> ImportResult {
         // Create missing groups
         let existingGroups = GroupStorage.shared.loadGroups()
         if let envelopeGroups = preview.envelope.groups {
@@ -387,9 +519,17 @@ enum ConnectionExportService {
         }
 
         var importedCount = 0
+        var connectionIdMap: [Int: UUID] = [:]
+
+        // Build a lookup from item.id to envelope index
+        let itemIndexMap: [UUID: Int] = Dictionary(
+            uniqueKeysWithValues: preview.items.enumerated().map { ($1.id, $0) }
+        )
 
         for item in preview.items {
             let resolution = resolutions[item.id] ?? .skip
+            guard let envelopeIndex = itemIndexMap[item.id] else { continue }
+
             switch resolution {
             case .skip:
                 continue
@@ -406,6 +546,7 @@ enum ConnectionExportService {
                     name: name
                 )
                 ConnectionStorage.shared.addConnection(connection, password: nil)
+                connectionIdMap[envelopeIndex] = connectionId
                 importedCount += 1
 
             case .replace(let existingId):
@@ -415,6 +556,7 @@ enum ConnectionExportService {
                     name: item.connection.name
                 )
                 ConnectionStorage.shared.updateConnection(connection, password: nil)
+                connectionIdMap[envelopeIndex] = existingId
                 importedCount += 1
             }
         }
@@ -424,7 +566,7 @@ enum ConnectionExportService {
             logger.info("Imported \(importedCount) connections")
         }
 
-        return importedCount
+        return ImportResult(importedCount: importedCount, connectionIdMap: connectionIdMap)
     }
 
     // MARK: - Deeplink Builder