Encryption key always written to file even when OS Keyring is available #623
Description
Summary
gws auth login writes the AES-256-GCM encryption key to both the OS Keyring and ~/.config/gws/.encryption_key (or ~/Library/Application Support/gws/.encryption_key on macOS). However, the read path only checks the file — removing the file causes auth to fail even when the key exists in the Keyring.
The README states:
Credentials are encrypted at rest (AES-256-GCM) with the key stored in your OS keyring (or
~/.config/gws/.encryption_keywhenGOOGLE_WORKSPACE_CLI_KEYRING_BACKEND=file).
This implies Keyring is the default and file is the fallback. In practice (v0.18.1 via Homebrew on macOS 26.3 arm64), the file is always the primary read path.
Steps to Reproduce
gws auth login— completes successfully, creates.encryption_keyfile- Verify key exists in macOS Keychain (
security find-generic-password -s gws) - Remove
.encryption_keyfile gws auth status— fails with 401, cannot decrypt credentials
Expected Behavior
When GOOGLE_WORKSPACE_CLI_KEYRING_BACKEND is not set to file, gws should read the encryption key from OS Keyring first, falling back to the file only if Keyring is unavailable.
Why This Matters
Storing the encryption key as a plaintext file alongside the encrypted credentials defeats the purpose of encryption — any file-scanning malware that reads both files can decrypt OAuth tokens offline. Keyring/Keychain storage is significantly more secure since it requires OS-level authorization to access.
Environment
- gws v0.18.1 (Homebrew)
- macOS 26.3 (arm64, Apple Silicon)
- Keychain access confirmed working for other apps