From b9c4ca04f5b59003f7e1732cfc0bc20f423e1a73 Mon Sep 17 00:00:00 2001
From: Christoph Haas <christoph.h@sprinternet.at>
Date: Fri, 2 May 2025 18:48:35 +0200
Subject: [PATCH] allow to encrypt keys in db, add browser-only key generator,
 add hints that private keys are stored on the server (#420)

---
 cmd/wg-portal/main.go                         |   3 +
 docs/documentation/configuration/examples.md  |   1 +
 docs/documentation/configuration/overview.md  |   8 +
 frontend/src/App.vue                          |   3 +
 .../src/components/InterfaceEditModal.vue     |   4 +-
 frontend/src/components/PeerEditModal.vue     |   7 +-
 frontend/src/components/UserPeerEditModal.vue |   7 +-
 frontend/src/lang/translations/de.json        |  25 +-
 frontend/src/lang/translations/en.json        |  25 +-
 frontend/src/router/index.js                  |  12 +-
 frontend/src/views/KeyGeneraterView.vue       | 241 ++++++++++++++++++
 internal/app/gorm_encryption.go               | 201 +++++++++++++++
 internal/config/database.go                   |   3 +
 internal/domain/crypto.go                     |   2 +-
 internal/domain/peer.go                       |   4 +-
 15 files changed, 529 insertions(+), 17 deletions(-)
 create mode 100644 frontend/src/views/KeyGeneraterView.vue
 create mode 100644 internal/app/gorm_encryption.go

diff --git a/cmd/wg-portal/main.go b/cmd/wg-portal/main.go
index 9a24566..456290c 100644
--- a/cmd/wg-portal/main.go
+++ b/cmd/wg-portal/main.go
@@ -9,6 +9,7 @@ import (
 
 	"github.com/go-playground/validator/v10"
 	evbus "github.com/vardius/message-bus"
+	"gorm.io/gorm/schema"
 
 	"github.com/h44z/wg-portal/internal"
 	"github.com/h44z/wg-portal/internal/adapters"
@@ -41,6 +42,8 @@ func main() {
 
 	cfg.LogStartupValues()
 
+	dbEncryptedSerializer := app.NewGormEncryptedStringSerializer(cfg.Database.EncryptionPassphrase)
+	schema.RegisterSerializer("encstr", dbEncryptedSerializer)
 	rawDb, err := adapters.NewDatabase(cfg.Database)
 	internal.AssertNoError(err)
 
diff --git a/docs/documentation/configuration/examples.md b/docs/documentation/configuration/examples.md
index 5912e34..46e7ed1 100644
--- a/docs/documentation/configuration/examples.md
+++ b/docs/documentation/configuration/examples.md
@@ -31,6 +31,7 @@ database:
   debug: true
   type: sqlite
   dsn: data/sqlite.db
+  encryption_passphrase: change-this-s3cr3t-encryption-passphrase
 ```
 
 ## LDAP Authentication and Synchronization
diff --git a/docs/documentation/configuration/overview.md b/docs/documentation/configuration/overview.md
index a155696..ca75637 100644
--- a/docs/documentation/configuration/overview.md
+++ b/docs/documentation/configuration/overview.md
@@ -214,6 +214,8 @@ Additional or more specialized configuration options for logging and interface c
 Configuration for the underlying database used by WireGuard Portal. 
 Supported databases include SQLite, MySQL, Microsoft SQL Server, and Postgres.
 
+If sensitive values (like private keys) should be stored in an encrypted format, set the `encryption_passphrase` option.
+
 ### `debug`
 - **Default:** `false`
 - **Description:** If `true`, logs all database statements (verbose).
@@ -234,6 +236,12 @@ Supported databases include SQLite, MySQL, Microsoft SQL Server, and Postgres.
   user:pass@tcp(1.2.3.4:3306)/dbname?charset=utf8mb4&parseTime=True&loc=Local
   ```
 
+### `encryption_passphrase`
+- **Default:** *(empty)*
+- **Description:** Passphrase for encrypting sensitive values such as private keys in the database. Encryption is only applied if this passphrase is set.
+  **Important:** Once you enable encryption by setting this passphrase, you cannot disable it or change it afterward. 
+  New or updated records will be encrypted; existing data remains in plaintext until it’s next modified.
+
 ---
 
 ## Statistics
diff --git a/frontend/src/App.vue b/frontend/src/App.vue
index 6e1aa81..53a4b7c 100644
--- a/frontend/src/App.vue
+++ b/frontend/src/App.vue
@@ -85,6 +85,9 @@ const currentYear = ref(new Date().getFullYear())
           <li v-if="auth.IsAuthenticated && auth.IsAdmin" class="nav-item">
             <RouterLink :to="{ name: 'users' }" class="nav-link">{{ $t('menu.users') }}</RouterLink>
           </li>
+          <li class="nav-item">
+            <RouterLink :to="{ name: 'key-generator' }" class="nav-link">{{ $t('menu.keygen') }}</RouterLink>
+          </li>
         </ul>
 
         <div class="navbar-nav d-flex justify-content-end">
diff --git a/frontend/src/components/InterfaceEditModal.vue b/frontend/src/components/InterfaceEditModal.vue
index 69b2f82..d23b490 100644
--- a/frontend/src/components/InterfaceEditModal.vue
+++ b/frontend/src/components/InterfaceEditModal.vue
@@ -331,11 +331,11 @@ async function del() {
             <legend class="mt-4">{{ $t('modals.interface-edit.header-crypto') }}</legend>
             <div class="form-group">
               <label class="form-label mt-4">{{ $t('modals.interface-edit.private-key.label') }}</label>
-              <input v-model="formData.PrivateKey" class="form-control" :placeholder="$t('modals.interface-edit.private-key.placeholder')" required type="email">
+              <input v-model="formData.PrivateKey" class="form-control" :placeholder="$t('modals.interface-edit.private-key.placeholder')" required type="text">
             </div>
             <div class="form-group">
               <label class="form-label mt-4">{{ $t('modals.interface-edit.public-key.label') }}</label>
-              <input v-model="formData.PublicKey" class="form-control" :placeholder="$t('modals.interface-edit.public-key.placeholder')" required type="email">
+              <input v-model="formData.PublicKey" class="form-control" :placeholder="$t('modals.interface-edit.public-key.placeholder')" required type="text">
             </div>
           </fieldset>
           <fieldset>
diff --git a/frontend/src/components/PeerEditModal.vue b/frontend/src/components/PeerEditModal.vue
index ff9ae68..554de5a 100644
--- a/frontend/src/components/PeerEditModal.vue
+++ b/frontend/src/components/PeerEditModal.vue
@@ -323,17 +323,18 @@ async function del() {
         <legend class="mt-4">{{ $t('modals.peer-edit.header-crypto') }}</legend>
         <div class="form-group" v-if="selectedInterface.Mode === 'server'">
           <label class="form-label mt-4">{{ $t('modals.peer-edit.private-key.label') }}</label>
-          <input type="email" class="form-control" :placeholder="$t('modals.peer-edit.private-key.placeholder')" required
+          <input type="text" class="form-control" :placeholder="$t('modals.peer-edit.private-key.placeholder')" required
             v-model="formData.PrivateKey">
+          <small id="privateKeyHelp" class="form-text text-muted">{{ $t('modals.peer-edit.private-key.help') }}</small>
         </div>
         <div class="form-group">
           <label class="form-label mt-4">{{ $t('modals.peer-edit.public-key.label') }}</label>
-          <input type="email" class="form-control" :placeholder="$t('modals.peer-edit.public-key.placeholder')" required
+          <input type="text" class="form-control" :placeholder="$t('modals.peer-edit.public-key.placeholder')" required
             v-model="formData.PublicKey">
         </div>
         <div class="form-group">
           <label class="form-label mt-4">{{ $t('modals.peer-edit.preshared-key.label') }}</label>
-          <input type="email" class="form-control" :placeholder="$t('modals.peer-edit.preshared-key.placeholder')"
+          <input type="text" class="form-control" :placeholder="$t('modals.peer-edit.preshared-key.placeholder')"
             v-model="formData.PresharedKey">
         </div>
         <div class="form-group" v-if="formData.Mode === 'client'">
diff --git a/frontend/src/components/UserPeerEditModal.vue b/frontend/src/components/UserPeerEditModal.vue
index 21cd098..7594d7b 100644
--- a/frontend/src/components/UserPeerEditModal.vue
+++ b/frontend/src/components/UserPeerEditModal.vue
@@ -211,17 +211,18 @@ async function del() {
         <legend class="mt-4">{{ $t('modals.peer-edit.header-crypto') }}</legend>
         <div class="form-group">
           <label class="form-label mt-4">{{ $t('modals.peer-edit.private-key.label') }}</label>
-          <input type="email" class="form-control" :placeholder="$t('modals.peer-edit.private-key.placeholder')" required
+          <input type="text" class="form-control" :placeholder="$t('modals.peer-edit.private-key.placeholder')" required
             v-model="formData.PrivateKey">
+          <small id="privateKeyHelp" class="form-text text-muted">{{ $t('modals.peer-edit.private-key.help') }}</small>
         </div>
         <div class="form-group">
           <label class="form-label mt-4">{{ $t('modals.peer-edit.public-key.label') }}</label>
-          <input type="email" class="form-control" :placeholder="$t('modals.peer-edit.public-key.placeholder')" required
+          <input type="text" class="form-control" :placeholder="$t('modals.peer-edit.public-key.placeholder')" required
             v-model="formData.PublicKey">
         </div>
         <div class="form-group">
           <label class="form-label mt-4">{{ $t('modals.peer-edit.preshared-key.label') }}</label>
-          <input type="email" class="form-control" :placeholder="$t('modals.peer-edit.preshared-key.placeholder')"
+          <input type="text" class="form-control" :placeholder="$t('modals.peer-edit.preshared-key.placeholder')"
             v-model="formData.PresharedKey">
         </div>
       </fieldset>
diff --git a/frontend/src/lang/translations/de.json b/frontend/src/lang/translations/de.json
index 53be17e..6815274 100644
--- a/frontend/src/lang/translations/de.json
+++ b/frontend/src/lang/translations/de.json
@@ -39,7 +39,8 @@
     "profile": "Mein Profil",
     "settings": "Einstellungen",
     "login": "Anmelden",
-    "logout": "Abmelden"
+    "logout": "Abmelden",
+    "keygen": "Schlüsselgenerator"
   },
   "home": {
     "headline": "WireGuard® VPN Portal",
@@ -188,6 +189,25 @@
       "api-link": "API Dokumentation"
     }
   },
+  "keygen": {
+    "headline": "WireGuard Key Generator",
+    "abstract": "Hier können Sie WireGuard Schlüsselpaare generieren. Die Schlüssel werden lokal auf Ihrem Computer generiert und niemals an den Server gesendet.",
+    "headline-keypair": "Neues Schlüsselpaar",
+    "headline-preshared-key": "Neuer Pre-shared Key",
+    "button-generate": "Erzeugen",
+    "private-key": {
+      "label": "Private Key",
+      "placeholder": "Der private Schlüssel"
+    },
+    "public-key": {
+      "label": "Public Key",
+      "placeholder": "Der öffentliche Schlüssel"
+    },
+    "preshared-key": {
+      "label": "Preshared Key",
+      "placeholder": "Der Pre-shared Schlüssel"
+    }
+  },
   "modals": {
     "user-view": {
       "headline": "User Account:",
@@ -420,7 +440,8 @@
       },
       "private-key": {
         "label": "Private Key",
-        "placeholder": "The private key"
+        "placeholder": "The private key",
+        "help": "Der private Schlüssel wird sicher auf dem Server gespeichert. Wenn der Benutzer bereits eine Kopie besitzt, kann dieses Feld entfallen. Der Server funktioniert auch ausschließlich mit dem öffentlichen Schlüssel des Peers."
       },
       "public-key": {
         "label": "Public Key",
diff --git a/frontend/src/lang/translations/en.json b/frontend/src/lang/translations/en.json
index 93e230d..49ef9a8 100644
--- a/frontend/src/lang/translations/en.json
+++ b/frontend/src/lang/translations/en.json
@@ -40,7 +40,8 @@
     "settings": "Settings",
     "audit": "Audit Log",
     "login": "Login",
-    "logout": "Logout"
+    "logout": "Logout",
+    "keygen": "Key Generator"
   },
   "home": {
     "headline": "WireGuard® VPN Portal",
@@ -206,6 +207,25 @@
       "message": "Message"
     }
   },
+  "keygen": {
+    "headline": "WireGuard Key Generator",
+    "abstract": "Generate a new WireGuard keys. The keys are generated in your local browser and are never sent to the server.",
+    "headline-keypair": "New Key Pair",
+    "headline-preshared-key": "New Preshared Key",
+    "button-generate": "Generate",
+    "private-key": {
+        "label": "Private Key",
+        "placeholder": "The private key"
+    },
+    "public-key": {
+        "label": "Public Key",
+        "placeholder": "The public key"
+    },
+    "preshared-key": {
+        "label": "Preshared Key",
+        "placeholder": "The pre-shared key"
+    }
+  },
   "modals": {
     "user-view": {
       "headline": "User Account:",
@@ -439,7 +459,8 @@
       },
       "private-key": {
         "label": "Private Key",
-        "placeholder": "The private key"
+        "placeholder": "The private key",
+        "help": "The private key is stored securely on the server. If the user already holds a copy, you may omit this field. The server still functions exclusively with the peer’s public key."
       },
       "public-key": {
         "label": "Public Key",
diff --git a/frontend/src/router/index.js b/frontend/src/router/index.js
index 1bbc722..ab1eb05 100644
--- a/frontend/src/router/index.js
+++ b/frontend/src/router/index.js
@@ -64,6 +64,14 @@ const router = createRouter({
       // this generates a separate chunk (About.[hash].js) for this route
       // which is lazy-loaded when the route is visited.
       component: () => import('../views/AuditView.vue')
+    },
+    {
+      path: '/key-generator',
+      name: 'key-generator',
+      // route level code-splitting
+      // this generates a separate chunk (About.[hash].js) for this route
+      // which is lazy-loaded when the route is visited.
+      component: () => import('../views/KeyGeneraterView.vue')
     }
   ],
   linkActiveClass: "active",
@@ -114,11 +122,11 @@ router.beforeEach(async (to) => {
   }
 
   // redirect to login page if not logged in and trying to access a restricted page
-  const publicPages = ['/', '/login']
+  const publicPages = ['/', '/login', '/key-generator']
   const authRequired = !publicPages.includes(to.path)
 
   if (authRequired && !auth.IsAuthenticated) {
-    auth.SetReturnUrl(to.fullPath) // store original destination before starting the auth process
+    auth.SetReturnUrl(to.fullPath) // store the original destination before starting the auth process
     return '/login'
   }
 })
diff --git a/frontend/src/views/KeyGeneraterView.vue b/frontend/src/views/KeyGeneraterView.vue
new file mode 100644
index 0000000..511348f
--- /dev/null
+++ b/frontend/src/views/KeyGeneraterView.vue
@@ -0,0 +1,241 @@
+<script setup>
+
+import {ref} from "vue";
+
+const privateKey = ref("")
+const publicKey = ref("")
+const presharedKey = ref("")
+
+// region wireguard.js
+// taken from: https://github.com/WireGuard/wireguard-tools/blob/master/contrib/keygen-html/wireguard.js
+
+function gf(init) {
+  let r = new Float64Array(16);
+  if (init) {
+    for (let i = 0; i < init.length; ++i)
+      r[i] = init[i];
+  }
+  return r;
+}
+
+function pack(o, n) {
+  let b, m = gf(), t = gf();
+  for (let i = 0; i < 16; ++i)
+    t[i] = n[i];
+  carry(t);
+  carry(t);
+  carry(t);
+  for (let j = 0; j < 2; ++j) {
+    m[0] = t[0] - 0xffed;
+    for (let i = 1; i < 15; ++i) {
+      m[i] = t[i] - 0xffff - ((m[i - 1] >> 16) & 1);
+      m[i - 1] &= 0xffff;
+    }
+    m[15] = t[15] - 0x7fff - ((m[14] >> 16) & 1);
+    b = (m[15] >> 16) & 1;
+    m[14] &= 0xffff;
+    cswap(t, m, 1 - b);
+  }
+  for (let i = 0; i < 16; ++i) {
+    o[2 * i] = t[i] & 0xff;
+    o[2 * i + 1] = t[i] >> 8;
+  }
+}
+
+function carry(o) {
+  for (let i = 0; i < 16; ++i) {
+    o[(i + 1) % 16] += (i < 15 ? 1 : 38) * Math.floor(o[i] / 65536);
+    o[i] &= 0xffff;
+  }
+}
+
+function cswap(p, q, b) {
+  let t, c = ~(b - 1);
+  for (let i = 0; i < 16; ++i) {
+    t = c & (p[i] ^ q[i]);
+    p[i] ^= t;
+    q[i] ^= t;
+  }
+}
+
+function add(o, a, b) {
+  for (let i = 0; i < 16; ++i)
+    o[i] = (a[i] + b[i]) | 0;
+}
+
+function subtract(o, a, b) {
+  for (let i = 0; i < 16; ++i)
+    o[i] = (a[i] - b[i]) | 0;
+}
+
+function multmod(o, a, b) {
+  let t = new Float64Array(31);
+  for (let i = 0; i < 16; ++i) {
+    for (let j = 0; j < 16; ++j)
+      t[i + j] += a[i] * b[j];
+  }
+  for (let i = 0; i < 15; ++i)
+    t[i] += 38 * t[i + 16];
+  for (let i = 0; i < 16; ++i)
+    o[i] = t[i];
+  carry(o);
+  carry(o);
+}
+
+function invert(o, i) {
+  let c = gf();
+  for (let a = 0; a < 16; ++a)
+    c[a] = i[a];
+  for (let a = 253; a >= 0; --a) {
+    multmod(c, c, c);
+    if (a !== 2 && a !== 4)
+      multmod(c, c, i);
+  }
+  for (let a = 0; a < 16; ++a)
+    o[a] = c[a];
+}
+
+function clamp(z) {
+  z[31] = (z[31] & 127) | 64;
+  z[0] &= 248;
+}
+
+function generatePublicKey(privateKey) {
+  let r, z = new Uint8Array(32);
+  let a = gf([1]),
+      b = gf([9]),
+      c = gf(),
+      d = gf([1]),
+      e = gf(),
+      f = gf(),
+      _121665 = gf([0xdb41, 1]),
+      _9 = gf([9]);
+  for (let i = 0; i < 32; ++i)
+    z[i] = privateKey[i];
+  clamp(z);
+  for (let i = 254; i >= 0; --i) {
+    r = (z[i >>> 3] >>> (i & 7)) & 1;
+    cswap(a, b, r);
+    cswap(c, d, r);
+    add(e, a, c);
+    subtract(a, a, c);
+    add(c, b, d);
+    subtract(b, b, d);
+    multmod(d, e, e);
+    multmod(f, a, a);
+    multmod(a, c, a);
+    multmod(c, b, e);
+    add(e, a, c);
+    subtract(a, a, c);
+    multmod(b, a, a);
+    subtract(c, d, f);
+    multmod(a, c, _121665);
+    add(a, a, d);
+    multmod(c, c, a);
+    multmod(a, d, f);
+    multmod(d, b, _9);
+    multmod(b, e, e);
+    cswap(a, b, r);
+    cswap(c, d, r);
+  }
+  invert(c, c);
+  multmod(a, a, c);
+  pack(z, a);
+  return z;
+}
+
+function generatePresharedKey() {
+  let privateKey = new Uint8Array(32);
+  window.crypto.getRandomValues(privateKey);
+  return privateKey;
+}
+
+function generatePrivateKey() {
+  let privateKey = generatePresharedKey();
+  clamp(privateKey);
+  return privateKey;
+}
+
+function encodeBase64(dest, src) {
+  let input = Uint8Array.from([(src[0] >> 2) & 63, ((src[0] << 4) | (src[1] >> 4)) & 63, ((src[1] << 2) | (src[2] >> 6)) & 63, src[2] & 63]);
+  for (let i = 0; i < 4; ++i)
+    dest[i] = input[i] + 65 +
+        (((25 - input[i]) >> 8) & 6) -
+        (((51 - input[i]) >> 8) & 75) -
+        (((61 - input[i]) >> 8) & 15) +
+        (((62 - input[i]) >> 8) & 3);
+}
+
+function keyToBase64(key) {
+  let i, base64 = new Uint8Array(44);
+  for (i = 0; i < 32 / 3; ++i)
+    encodeBase64(base64.subarray(i * 4), key.subarray(i * 3));
+  encodeBase64(base64.subarray(i * 4), Uint8Array.from([key[i * 3 + 0], key[i * 3 + 1], 0]));
+  base64[43] = 61;
+  return String.fromCharCode.apply(null, base64);
+}
+
+// endregion wireguard.js
+
+function generateNewKeyPair() {
+  const priv = generatePrivateKey();
+  const pub = generatePublicKey(priv);
+  
+  privateKey.value = keyToBase64(priv);
+  publicKey.value = keyToBase64(pub);
+}
+
+function generateNewPresharedKey() {
+  const psk = generatePresharedKey();
+  presharedKey.value = keyToBase64(psk);
+}
+
+</script>
+
+<template>
+  <div class="page-header">
+    <h1>{{ $t('keygen.headline') }}</h1>
+  </div>
+
+  <p class="lead">{{ $t('keygen.abstract') }}</p>
+
+  <div class="mt-4 row">
+    <div class="col-12 col-lg-5">
+      <h1>{{ $t('keygen.headline-keypair') }}</h1>
+      <fieldset>
+        <div class="form-group">
+          <label class="form-label mt-4">{{ $t('keygen.private-key.label') }}</label>
+          <input class="form-control" v-model="privateKey" :placeholder="$t('keygen.private-key.placeholder')" readonly>
+        </div>
+        <div class="form-group">
+          <label class="form-label mt-4">{{ $t('keygen.public-key.label') }}</label>
+          <input class="form-control" v-model="publicKey" :placeholder="$t('keygen.private-key.placeholder')" readonly>
+        </div>
+      </fieldset>
+      <fieldset>
+        <hr class="mt-4">
+        <button class="btn btn-primary mb-4" type="button" @click.prevent="generateNewKeyPair">{{ $t('keygen.button-generate') }}</button>
+      </fieldset>
+    </div>
+    <div class="col-12 col-lg-2 mt-sm-4">
+    </div>
+    <div class="col-12 col-lg-5">
+      <h1>{{ $t('keygen.headline-preshared-key') }}</h1>
+      <fieldset>
+        <div class="form-group">
+          <label class="form-label mt-4">{{ $t('keygen.preshared-key.label') }}</label>
+          <input class="form-control" v-model="presharedKey" :placeholder="$t('keygen.preshared-key.placeholder')" readonly>
+        </div>
+      </fieldset>
+      <fieldset>
+        <hr class="mt-4">
+        <button class="btn btn-primary mb-4" type="button" @click.prevent="generateNewPresharedKey">{{ $t('keygen.button-generate') }}</button>
+      </fieldset>
+    </div>
+  </div>
+
+</template>
+
+<style scoped>
+
+</style>
\ No newline at end of file
diff --git a/internal/app/gorm_encryption.go b/internal/app/gorm_encryption.go
new file mode 100644
index 0000000..cf0271a
--- /dev/null
+++ b/internal/app/gorm_encryption.go
@@ -0,0 +1,201 @@
+package app
+
+import (
+	"bytes"
+	"context"
+	"crypto/aes"
+	"crypto/cipher"
+	"encoding/base64"
+	"fmt"
+	"reflect"
+	"strings"
+
+	"gorm.io/gorm/schema"
+
+	"github.com/h44z/wg-portal/internal/domain"
+)
+
+// GormEncryptedStringSerializer is a GORM serializer that encrypts and decrypts string values using AES256.
+// It is used to store sensitive information in the database securely.
+// If the serializer encounters a value that is not a string, it will return an error.
+type GormEncryptedStringSerializer struct {
+	useEncryption bool
+	keyPhrase     string
+	prefix        string
+}
+
+// NewGormEncryptedStringSerializer creates a new GormEncryptedStringSerializer.
+// It needs to be registered with GORM to be used:
+// schema.RegisterSerializer("encstr", gormEncryptedStringSerializerInstance)
+// You can then use it in your model like this:
+//
+//	EncryptedField string `gorm:"serializer:encstr"`
+func NewGormEncryptedStringSerializer(keyPhrase string) GormEncryptedStringSerializer {
+	return GormEncryptedStringSerializer{
+		useEncryption: keyPhrase != "",
+		keyPhrase:     keyPhrase,
+		prefix:        "WG_ENC_",
+	}
+}
+
+// Scan implements the GORM serializer interface. It decrypts the value after reading it from the database.
+func (s GormEncryptedStringSerializer) Scan(
+	ctx context.Context,
+	field *schema.Field,
+	dst reflect.Value,
+	dbValue any,
+) (err error) {
+	var dbStringValue string
+	if dbValue != nil {
+		switch v := dbValue.(type) {
+		case []byte:
+			dbStringValue = string(v)
+		case string:
+			dbStringValue = v
+		default:
+			return fmt.Errorf("unsupported type %T for encrypted field %s", dbValue, field.Name)
+		}
+	}
+
+	if !s.useEncryption {
+		field.ReflectValueOf(ctx, dst).SetString(dbStringValue) // keep the original value
+		return nil
+	}
+
+	if !strings.HasPrefix(dbStringValue, s.prefix) {
+		field.ReflectValueOf(ctx, dst).SetString(dbStringValue) // keep the original value
+		return nil
+	}
+
+	encryptedString := strings.TrimPrefix(dbStringValue, s.prefix)
+	decryptedString, err := DecryptAES256(encryptedString, s.keyPhrase)
+	if err != nil {
+		return fmt.Errorf("failed to decrypt value for field %s: %w", field.Name, err)
+	}
+
+	field.ReflectValueOf(ctx, dst).SetString(decryptedString)
+	return
+}
+
+// Value implements the GORM serializer interface. It encrypts the value before storing it in the database.
+func (s GormEncryptedStringSerializer) Value(
+	_ context.Context,
+	_ *schema.Field,
+	_ reflect.Value,
+	fieldValue any,
+) (any, error) {
+	if fieldValue == nil {
+		return nil, nil
+	}
+
+	if !s.useEncryption {
+		return fieldValue, nil // keep the original value
+	}
+
+	switch v := fieldValue.(type) {
+	case string:
+		if v == "" {
+			return "", nil // empty string, no need to encrypt
+		}
+		encryptedString, err := EncryptAES256(v, s.keyPhrase)
+		if err != nil {
+			return nil, err
+		}
+		return s.prefix + encryptedString, nil
+	case domain.PreSharedKey:
+		if v == "" {
+			return "", nil // empty string, no need to encrypt
+		}
+		encryptedString, err := EncryptAES256(string(v), s.keyPhrase)
+		if err != nil {
+			return nil, err
+		}
+		return s.prefix + encryptedString, nil
+	default:
+		return nil, fmt.Errorf("encryption only supports string values, got %T", fieldValue)
+	}
+}
+
+// EncryptAES256 encrypts the given plaintext with the given key using AES256 in CBC mode with PKCS7 padding
+func EncryptAES256(plaintext, key string) (string, error) {
+	if len(plaintext) == 0 {
+		return "", fmt.Errorf("plaintext must not be empty")
+	}
+	if len(key) == 0 {
+		return "", fmt.Errorf("key must not be empty")
+	}
+	key = trimEncKey(key)
+	iv := key[:aes.BlockSize]
+
+	block, err := aes.NewCipher([]byte(key))
+	if err != nil {
+		return "", err
+	}
+
+	plain := []byte(plaintext)
+	plain = pkcs7Padding(plain, aes.BlockSize)
+
+	ciphertext := make([]byte, len(plain))
+
+	mode := cipher.NewCBCEncrypter(block, []byte(iv))
+	mode.CryptBlocks(ciphertext, plain)
+
+	b64String := base64.StdEncoding.EncodeToString(ciphertext)
+
+	return b64String, nil
+}
+
+// DecryptAES256 decrypts the given ciphertext with the given key using AES256 in CBC mode with PKCS7 padding
+func DecryptAES256(encrypted, key string) (string, error) {
+	if len(encrypted) == 0 {
+		return "", fmt.Errorf("ciphertext must not be empty")
+	}
+	if len(key) == 0 {
+		return "", fmt.Errorf("key must not be empty")
+	}
+	key = trimEncKey(key)
+	iv := key[:aes.BlockSize]
+
+	ciphertext, err := base64.StdEncoding.DecodeString(encrypted)
+	if err != nil {
+		return "", err
+	}
+	if len(ciphertext)%aes.BlockSize != 0 {
+		return "", fmt.Errorf("invalid ciphertext length, must be a multiple of %d", aes.BlockSize)
+	}
+
+	block, err := aes.NewCipher([]byte(key))
+	if err != nil {
+		return "", err
+	}
+
+	mode := cipher.NewCBCDecrypter(block, []byte(iv))
+	mode.CryptBlocks(ciphertext, ciphertext)
+
+	ciphertext = pkcs7UnPadding(ciphertext)
+
+	return string(ciphertext), nil
+}
+
+func pkcs7Padding(ciphertext []byte, blockSize int) []byte {
+	padding := blockSize - len(ciphertext)%blockSize
+	padtext := bytes.Repeat([]byte{byte(padding)}, padding)
+	return append(ciphertext, padtext...)
+}
+
+func pkcs7UnPadding(src []byte) []byte {
+	length := len(src)
+	unpadding := int(src[length-1])
+	return src[:(length - unpadding)]
+}
+
+func trimEncKey(key string) string {
+	if len(key) > 32 {
+		return key[:32]
+	}
+
+	if len(key) < 32 {
+		key = key + strings.Repeat("0", 32-len(key))
+	}
+	return key
+}
diff --git a/internal/config/database.go b/internal/config/database.go
index a336683..06554a7 100644
--- a/internal/config/database.go
+++ b/internal/config/database.go
@@ -25,4 +25,7 @@ type DatabaseConfig struct {
 	// For SQLite, it is the path to the database file.
 	// For other databases, it is the connection string, see: https://gorm.io/docs/connecting_to_the_database.html
 	DSN string `yaml:"dsn"`
+	// EncryptionPassphrase is the passphrase used to encrypt sensitive data (WireGuard keys) in the database.
+	// If no passphrase is provided, no encryption will be used.
+	EncryptionPassphrase string `yaml:"encryption_passphrase"`
 }
diff --git a/internal/domain/crypto.go b/internal/domain/crypto.go
index 3f7f303..6e65921 100644
--- a/internal/domain/crypto.go
+++ b/internal/domain/crypto.go
@@ -7,7 +7,7 @@ import (
 )
 
 type KeyPair struct {
-	PrivateKey string
+	PrivateKey string `gorm:"serializer:encstr"`
 	PublicKey  string
 }
 
diff --git a/internal/domain/peer.go b/internal/domain/peer.go
index 699301c..4e40a83 100644
--- a/internal/domain/peer.go
+++ b/internal/domain/peer.go
@@ -7,9 +7,9 @@ import (
 	"time"
 
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"github.com/h44z/wg-portal/internal/config"
 
 	"github.com/h44z/wg-portal/internal"
+	"github.com/h44z/wg-portal/internal/config"
 )
 
 type PeerIdentifier string
@@ -36,7 +36,7 @@ type Peer struct {
 	EndpointPublicKey   ConfigOption[string] `gorm:"embedded;embeddedPrefix:endpoint_pubkey_"` // the endpoint public key
 	AllowedIPsStr       ConfigOption[string] `gorm:"embedded;embeddedPrefix:allowed_ips_str_"` // all allowed ip subnets, comma seperated
 	ExtraAllowedIPsStr  string               // all allowed ip subnets on the server side, comma seperated
-	PresharedKey        PreSharedKey         // the pre-shared Key of the peer
+	PresharedKey        PreSharedKey         `gorm:"serializer:encstr"`                              // the pre-shared Key of the peer
 	PersistentKeepalive ConfigOption[int]    `gorm:"embedded;embeddedPrefix:persistent_keep_alive_"` // the persistent keep-alive interval
 
 	// WG Portal specific