Workspace Encryption: Confusing workflow

Workspace Encryption in my eyes is one of the most important features of Yaak and I am so glad how well it’s integrated! 👏 🚀

But I had a very hard time actually “trusting” it and getting started with Yaak, because of this confusing workflow:

TL;DR There are too many spots where the encryption key is created!

1. New encryption key is generated when creating workspace with Workspace Encryption: [x] Enable Encryption

2. Another encryption key is generated when enabling encryption on a variable in an environment for the first time.

3. When trying to enable "Directory Sync" on the same directory as initially selected (on workspace creation), it says "Directory is not empty. Do you want to open it instead?". Why am I forced to remove the original yaak.wk_<wkid>.yaml in order to enable Directory Sync??

4. Then I delete the previous yaak.wk_<wkid>.yaml inside that directory and I can open it for Directory Sync

5. Now I have a new yaak.wk_<wkid>.yml in that directory, and it seems to use the 2nd encryption key

@Greg Schier Please let me know if you cannot reproduce or if I didn’t describe the problem in enough detail.

And there are these other glitches/bugs, when opening the workspace on a different Mac / using Directory Sync:

• [Bug] Top-right button "Enter Encryption Key" (on 2nd Mac): When pasting encryption key and pressing Submit button, nothing happens, no validation error, and the key is lost again. Input field only shows Fill out this field. Only works with Enter key, as whenever we loose focus of input field, the value is gone.

• In yaak.wk_<wkid>.yaml the encryptionKeyChallenge is changed when opening the workspace on a different device (and entering the encryption key). That workspace yaml file is stored in Directory Sync. So how should I handle this, adding it to .gitignore - but it's there in the first place, so should preferably be included in the repo / git commit. Should the encryptionKeyChallenge maybe moved to some .env env var which then is in .gitignore? It totally makes sense to have a different challenge on a different device (or maybe replace the challenge by a computed device ID?), but it seems to be stored at the wrong spot. And then, when I revert the changes (the changed encryptionKeyChallenge) and reopen the workspace (even rebooted my Mac in between), decryption still works. So, what's even the point of that challenge?

• When we have response.body.path{...} as variable value (using some value caching with an expiry of x seconds), it's not clear if that variable value should be encrypted or not. Does it really matter (even if the cached value is sensitive information) or not? As anyway, only the function (and not the effective value) is stored in Directory Sync yaak.ev_*.yaml environment settings. Maybe just document this to make clear that cached/computed values from such functions will never end up in Directory Sync yaml configs.