# Tasks: Add File Encryption

## Backend Tasks

### 1. Create EncryptionKey model
- [x] Create `backend/app/models/encryption_key.py`
- [x] Update `backend/app/models/__init__.py`
- [x] Add `encryption_key_id` FK to Attachment model
- [x] Create Alembic migration
- **Verification**: Migration runs successfully

### 2. Implement encryption service
- [x] Create `backend/app/services/encryption_service.py`
- [x] Add `MASTER_KEY` to config.py (from env var)
- [x] Implement `generate_key()` - Generate a new AES-256 key
- [x] Implement `encrypt_key()` - Encrypt the key with the Master Key
- [x] Implement `decrypt_key()` - Decrypt the key with the Master Key
- [x] Implement `encrypt_file()` - Streaming file encryption (AES-256-GCM)
- [x] Implement `decrypt_file()` - Streaming file decryption
- [x] Add unit tests for encryption service
- **Verification**: Encryption/decryption tests pass

### 3. Create encryption key management API
- [x] Create `backend/app/api/admin/encryption_keys.py`
- [x] Implement `GET /api/admin/encryption-keys` - List keys (without the actual key values)
- [x] Implement `POST /api/admin/encryption-keys` - Create a new key
- [x] Implement `POST /api/admin/encryption-keys/rotate` - Key rotation
- [x] Add system admin only permission check
- [x] Register router in main.py
- **Verification**: API can be called normally

### 4. Integrate encryption with attachment upload
- [x] Modify `backend/app/api/attachments/router.py` upload endpoint
- [x] Check project security_level before upload
- [x] If confidential: encrypt file using encryption service
- [x] Set is_encrypted = True and encryption_key_id
- [x] Store encrypted file to NAS
- **Verification**: Files uploaded to confidential projects are stored encrypted

### 5. Integrate decryption with attachment download
- [x] Modify `backend/app/api/attachments/router.py` download endpoint
- [x] Check is_encrypted flag
- [x] If encrypted: decrypt using encryption service before returning
- [x] Maintain streaming for large files
- **Verification**: Downloaded encrypted files decrypt correctly

### 6. Add encryption audit logging
- [x] Log encryption operations (encrypt, decrypt, key_create, key_rotate)
- [x] Include key_id, file_id, user_id, timestamp
- **Verification**: Audit log correctly records encryption operations

### 7. Add backend tests
- [x] Test encryption service (encrypt/decrypt)
- [x] Test key management API
- [x] Test attachment upload with encryption
- [x] Test attachment download with decryption
- [x] Test key rotation
- **Verification**: All tests pass

## Configuration Tasks

### 8. Environment configuration
- [x] Add `MASTER_KEY` to .env.example
- [x] Document key generation procedure
- [x] Document key backup recommendations
- **Verification**: Documentation is complete

## Task Dependencies

```
[1] EncryptionKey Model
    ↓
[2] Encryption Service
    ↓
[3] Key Management API ─────┐
    ↓                       │
[4] Upload Integration      │
    ↓                       │
[5] Download Integration    │
    ↓                       │
[6] Audit Logging           │
    ↓                       │
[7] Tests ←─────────────────┘
    ↓
[8] Configuration
```

- Tasks 1-7 are sequentially dependent
- Task 8 can proceed in parallel
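Tasks 2, 4 and 5 call for a data key wrapped by `MASTER_KEY` and for streaming AES-256-GCM on upload and download. The following is an added example, not the project's `encryption_service.py`: it reuses the function names from the task list, while the chunk size, the stored layout (8-byte random prefix followed by sealed chunks), the nonce and AAD construction, and the `_chunks` and `_seal_args` helpers are assumptions. It needs the `cryptography` package and file objects whose `read(n)` returns short only at end of file.

```python
import os
import struct
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

CHUNK = 64 * 1024   # plaintext bytes per chunk (assumed value)
TAG = 16            # GCM tag length appended to every chunk

def generate_key() -> bytes:
    return AESGCM.generate_key(bit_length=256)

def encrypt_key(master_key: bytes, data_key: bytes) -> bytes:
    """Wrap a data key under the master key; output is nonce || ciphertext."""
    nonce = os.urandom(12)
    return nonce + AESGCM(master_key).encrypt(nonce, data_key, b"key-wrap")

def decrypt_key(master_key: bytes, wrapped: bytes) -> bytes:
    return AESGCM(master_key).decrypt(wrapped[:12], wrapped[12:], b"key-wrap")

def _chunks(stream, size):
    """Yield (block, is_last) pairs, reading one block ahead to spot the end."""
    block = stream.read(size)
    while True:
        nxt = stream.read(size)
        yield block, not nxt
        if not nxt:
            return
        block = nxt

def _seal_args(prefix: bytes, index: int, is_last: bool):
    # Nonce = 8 random bytes per file + 4-byte chunk counter, unique per chunk.
    # The "last chunk" flag goes in the AAD so truncation fails the tag check.
    return prefix + struct.pack(">I", index), b"\x01" if is_last else b"\x00"

def encrypt_file(data_key: bytes, src, dst) -> None:
    prefix = os.urandom(8)
    dst.write(prefix)
    aead = AESGCM(data_key)
    for i, (block, is_last) in enumerate(_chunks(src, CHUNK)):
        nonce, aad = _seal_args(prefix, i, is_last)
        dst.write(aead.encrypt(nonce, block, aad))

def decrypt_file(data_key: bytes, src):
    """Generator: yields each plaintext chunk only after its tag verifies."""
    prefix = src.read(8)
    aead = AESGCM(data_key)
    for i, (block, is_last) in enumerate(_chunks(src, CHUNK + TAG)):
        nonce, aad = _seal_args(prefix, i, is_last)
        yield aead.decrypt(nonce, block, aad)
```

Because chunks are released as they verify, a tag failure can arrive after earlier chunks were already sent, so the download endpoint should abort the response rather than let a partial file pass as complete.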