On the Rust version of @Filecoin, we're adding a new feature to encrypt the keystore (where we keep crypto wallet keys) before we head into our first security audit.

When the node is started, if the `encrypt_keystore` option is enabled, it prompts the user to enter a passphrase.
Encrypting the keystore isn't strictly necessary to deliver a working node. In fact, neither of the Go implementations offers this functionality.

However, this feature was requested by our potential real-world users, as they roll out production Filecoin nodes in the datacenter.
It's difficult to handle their keys securely unless they're encrypted at rest.

The fact of the matter is this: Encryption is good for security, and therefore, the world.

Once the security audit is finished, we should be about ready to release 1.0. Exciting times!
For the technical readers: the keystore is normally stored as JSON in cleartext, but when encrypted, we omit the JSON extension, and it's encoded as CBOR. Then, we use a sodiumoxide (Rust libsodium FFI) secretbox with a key derived from the Argon2id hash of the passphrase.
We believe this is quite secure. Feel free to let me know if you feel otherwise, though! Security is complex!
You can follow @cryptoquick.