Anglerphish, a fork of GoPhish, introduces optional application-layer AES-256-GCM encryption for sensitive database fields including SMTP/IMAP passwords, SMS API keys, and captured phishing simulation data. The implementation uses a versioned encrypted format (ENC:v1:) stored alongside nonces, activated via a single environment variable. Key design decisions include opt-in activation, transparent encryption/decryption via database hooks, graceful failure handling, and full backward compatibility with mixed plaintext/encrypted data. The post covers the design rationale, CLI commands for key generation and migration, and a deployment checklist for persisting keys securely via systemd.
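As an added example (not code from the post or from Anglerphish), here is a Go sketch of the transparent seal/open hook described above: it produces ENC:v1: values, passes legacy plaintext rows through unchanged, and fails closed on tampered or wrong-key data. The names FieldCipher, NewFieldCipher, Seal and Open and the base64(nonce||ciphertext) layout after the prefix are assumptions; the post only says nonces are stored alongside the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

// Version tag from the post; base64(nonce||ciphertext) after it is this example's assumption.
const encPrefix = "ENC:v1:"
// FieldCipher is a hypothetical helper applying AES-256-GCM to one DB field.
type FieldCipher struct{ gcm cipher.AEAD }
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	gcm, err := cipher.NewGCM(block)
	return &FieldCipher{gcm: gcm}, err
}

// Seal: fresh nonce per value (reuse breaks GCM), prefix bound as AAD, dst=nonce gives nonce||ct.
func (f *FieldCipher) Seal(plaintext string) (string, error) {
	nonce := make([]byte, f.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	blob := f.gcm.Seal(nonce, nonce, []byte(plaintext), []byte(encPrefix))
	return encPrefix + base64.StdEncoding.EncodeToString(blob), nil
}

// Open: legacy plaintext passes through unchanged; malformed, tampered or wrong-key values fail closed.
func (f *FieldCipher) Open(stored string) (string, error) {
	if !strings.HasPrefix(stored, encPrefix) {
		return stored, nil
	}
	ns := f.gcm.NonceSize()
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, encPrefix))
	if err != nil || len(raw) < ns {
		return "", errors.New("malformed ENC:v1 value")
	}
	pt, err := f.gcm.Open(nil, raw[:ns], raw[ns:], []byte(encPrefix))
	if err != nil {
		return "", errors.New("decrypt failed: wrong key or tampered data")
	}
	return string(pt), nil
}
```

A database hook would call Seal before write and Open after read, so a migration can proceed row by row while unencrypted values keep working.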