enhance(rtc,e2ee): remove frontend.worker.rtc.encrypt

src/main/frontend/worker/rtc/client.cljs

@@ -2,12 +2,12 @@
   "Fns about push local updates"
   (:require [clojure.string :as string]
             [datascript.core :as d]
+            [frontend.common.crypt :as crypt]
             [frontend.common.missionary :as c.m]
             [frontend.worker.flows :as worker-flows]
             [frontend.worker.rtc.branch-graph :as r.branch-graph]
             [frontend.worker.rtc.client-op :as client-op]
             [frontend.worker.rtc.const :as rtc-const]
-            [frontend.worker.rtc.encrypt :as rtc-encrypt]
             [frontend.worker.rtc.exception :as r.ex]
             [frontend.worker.rtc.log-and-state :as rtc-log-and-state]
             [frontend.worker.rtc.malli-schema :as rtc-schema]
@@ -22,7 +22,7 @@
             [tick.core :as tick]))
 
 (defn- task--apply-remote-updates-from-apply-ops
-  [apply-ops-resp graph-uuid repo conn date-formatter add-log-fn]
+  [apply-ops-resp graph-uuid repo conn date-formatter aes-key add-log-fn]
   (m/sp
     (if-let [remote-ex (:ex-data apply-ops-resp)]
       (do (add-log-fn :rtc.log/pull-remote-data (assoc remote-ex :sub-type :pull-remote-data-exception))
@@ -37,7 +37,7 @@
       (do (assert (pos? (:t apply-ops-resp)) apply-ops-resp)
           (m/?
            (r.remote-update/task--apply-remote-update
-            graph-uuid repo conn date-formatter {:type :remote-update :value apply-ops-resp} add-log-fn))))))
+            graph-uuid repo conn date-formatter {:type :remote-update :value apply-ops-resp} aes-key add-log-fn))))))
 
 (defn- new-task--init-request
   [get-ws-create-task graph-uuid major-schema-version repo conn *last-calibrate-t *server-schema-version add-log-fn]
@@ -99,7 +99,7 @@
   see also `ws/get-mws-create`.
   But ensure `init-request` and `calibrate-graph-skeleton` has been sent"
   [get-ws-create-task graph-uuid major-schema-version repo conn date-formatter
-   *last-calibrate-t *online-users *server-schema-version add-log-fn]
+   *last-calibrate-t *online-users *server-schema-version *aes-key add-log-fn]
   (m/sp
     (let [ws (m/? get-ws-create-task)
           sent-3rd-value [graph-uuid major-schema-version repo]
@@ -145,8 +145,9 @@
                          :repo repo
                          :graph-uuid graph-uuid
                          :remote-schema-version max-remote-schema-version}))
+          (assert @*aes-key)
           (m/? (task--apply-remote-updates-from-apply-ops
-                init-request-resp graph-uuid repo conn date-formatter add-log-fn))))
+                init-request-resp graph-uuid repo conn date-formatter @*aes-key add-log-fn))))
       ws)))
 
 (defn- ->pos
@@ -443,7 +444,7 @@
     nil))
 
 (defn- task--encrypt-remote-ops
-  [encrypt-key remote-ops]
+  [aes-key remote-ops]
   (let [encrypt-attr-set (conj rtc-const/encrypt-attr-set :page-name)]
     (m/sp
       (loop [[remote-op & rest-remote-ops] remote-ops
@@ -454,19 +455,19 @@
             (case op-type
               :update-page
               (recur rest-remote-ops
-                     (conj result (c.m/<? (rtc-encrypt/<encrypt-map encrypt-key encrypt-attr-set op-value))))
+                     (conj result (c.m/<? (crypt/<encrypt-map aes-key encrypt-attr-set op-value))))
               :update
               (recur rest-remote-ops
                      (conj result
                            (c.m/<?
-                            (rtc-encrypt/<encrypt-av-coll
-                             encrypt-key rtc-const/encrypt-attr-set (:av-coll op-value)))))
+                            (crypt/<encrypt-av-coll
+                             aes-key rtc-const/encrypt-attr-set (:av-coll op-value)))))
               ;; else
               (recur rest-remote-ops (conj result remote-op)))))))))
 
 (defn new-task--push-local-ops
   "Return a task: push local updates"
-  [repo conn graph-uuid major-schema-version date-formatter get-ws-create-task *remote-profile? add-log-fn]
+  [repo conn graph-uuid major-schema-version date-formatter get-ws-create-task *remote-profile? aes-key add-log-fn]
   (m/sp
     (let [block-ops-map-coll (client-op/get&remove-all-block-ops repo)
           update-kv-value-ops-map-coll (client-op/get&remove-all-update-kv-value-ops repo)
@@ -480,13 +481,11 @@
                       other-remote-ops)]
       (when-let [ops-for-remote (rtc-schema/to-ws-ops-decoder remote-ops)]
         (let [local-tx (client-op/get-local-tx repo)
-              encrypt-key (c.m/<? (rtc-encrypt/<get-encrypt-key repo))
-              _ (assert (some? encrypt-key))
-              encrypted-remote-ops (m/? (task--encrypt-remote-ops encrypt-key ops-for-remote))
+              encrypted-remote-ops (m/? (task--encrypt-remote-ops aes-key ops-for-remote))
               r (try
                   (let [message (cond-> {:action "apply-ops"
                                          :graph-uuid graph-uuid :schema-version (str major-schema-version)
-                                         :ops ops-for-remote :t-before local-tx}
+                                         :ops encrypted-remote-ops :t-before local-tx}
                                   (true? @*remote-profile?) (assoc :profile true))
                         r (m/? (ws-util/send&recv get-ws-create-task message))]
                     (r.throttle/add-rtc-api-call-record! message)
@@ -518,11 +517,11 @@
             (do (assert (pos? (:t r)) r)
                 (m/?
                  (r.remote-update/task--apply-remote-update
-                  graph-uuid repo conn date-formatter {:type :remote-update :value r} add-log-fn))
+                  graph-uuid repo conn date-formatter {:type :remote-update :value r} aes-key add-log-fn))
                 (add-log-fn :rtc.log/push-local-update {:remote-t (:t r)}))))))))
 
 (defn new-task--pull-remote-data
-  [repo conn graph-uuid major-schema-version date-formatter get-ws-create-task add-log-fn]
+  [repo conn graph-uuid major-schema-version date-formatter get-ws-create-task aes-key add-log-fn]
   (m/sp
     (let [local-tx (client-op/get-local-tx repo)
           message {:action "apply-ops"
@@ -530,4 +529,4 @@
                    :ops [] :t-before (or local-tx 1)}
           r (m/? (ws-util/send&recv get-ws-create-task message))]
       (r.throttle/add-rtc-api-call-record! message)
-      (m/? (task--apply-remote-updates-from-apply-ops r graph-uuid repo conn date-formatter add-log-fn)))))
+      (m/? (task--apply-remote-updates-from-apply-ops r graph-uuid repo conn date-formatter aes-key add-log-fn)))))

src/main/frontend/worker/rtc/core.cljs

@@ -10,6 +10,7 @@
             [frontend.worker.rtc.branch-graph :as r.branch-graph]
             [frontend.worker.rtc.client :as r.client]
             [frontend.worker.rtc.client-op :as client-op]
+            [frontend.worker.rtc.crypt :as rtc-crypt]
             [frontend.worker.rtc.db :as rtc-db]
             [frontend.worker.rtc.exception :as r.ex]
             [frontend.worker.rtc.full-upload-download-graph :as r.upload-download]
@@ -188,11 +189,21 @@
       (swap! *graph-uuid->*online-users assoc graph-uuid *online-users)
       *online-users)))
 
+(defn- task--update-*aes-key
+  [get-ws-create-task user-uuid graph-uuid *aes-key]
+  (m/sp
+    (let [aes-key (m/? (rtc-crypt/task--get-aes-key get-ws-create-task user-uuid graph-uuid))]
+      (when (nil? aes-key)
+        (throw (ex-info "not found aes-key" {:type :rtc.exception/not-found-graph-aes-key
+                                             :graph-uuid graph-uuid
+                                             :user-uuid user-uuid})))
+      (reset! *aes-key aes-key))))
+
 (declare new-task--inject-users-info)
 (defn- create-rtc-loop
   "Return a map with [:rtc-state-flow :rtc-loop-task :*rtc-auto-push? :onstarted-task]
   TODO: auto refresh token if needed"
-  [graph-uuid schema-version repo conn date-formatter token
+  [graph-uuid schema-version repo conn date-formatter token user-uuid
    & {:keys [auto-push? debug-ws-url] :or {auto-push? true}}]
   (let [major-schema-version       (db-schema/major-version schema-version)
         ws-url                     (or debug-ws-url (ws-util/get-ws-url token))
@@ -202,15 +213,16 @@
         *online-users              (get-or-create-*online-users graph-uuid)
         *assets-sync-loop-canceler (atom nil)
         *server-schema-version     (atom nil)
+        *aes-key                   (atom nil)
         started-dfv                (m/dfv)
         add-log-fn                 (fn [type message]
                                      (assert (map? message) message)
                                      (rtc-log-and-state/rtc-log type (assoc message :graph-uuid graph-uuid)))
-        {:keys [*current-ws get-ws-create-task]}
+        {:keys [*current-ws] get-ws-create-task0 :get-ws-create-task}
         (gen-get-ws-create-map--memoized ws-url)
         get-ws-create-task (r.client/ensure-register-graph-updates--memoized
-                            get-ws-create-task graph-uuid major-schema-version repo conn date-formatter
-                            *last-calibrate-t *online-users *server-schema-version add-log-fn)
+                            get-ws-create-task0 graph-uuid major-schema-version repo conn date-formatter
+                            *last-calibrate-t *online-users *server-schema-version *aes-key add-log-fn)
         {:keys [assets-sync-loop-task]}
         (r.asset/create-assets-sync-loop repo get-ws-create-task graph-uuid major-schema-version conn *auto-push?)
         mixed-flow                 (create-mixed-flow repo get-ws-create-task *auto-push? *online-users)]
@@ -227,6 +239,7 @@
         (try
           (log/info :rtc :loop-starting)
           ;; init run to open a ws
+          (m/? (task--update-*aes-key get-ws-create-task0 user-uuid graph-uuid *aes-key))
           (m/? get-ws-create-task)
           ;; NOTE: Set dfv after ws connection is established,
           ;; ensuring the ws connection is already up when the cloud-icon turns green.
@@ -242,24 +255,26 @@
 
                (try
                  (m/? (r.remote-update/task--apply-remote-update
-                       graph-uuid repo conn date-formatter event add-log-fn))
+                       graph-uuid repo conn date-formatter event @*aes-key add-log-fn))
                  (catch :default e
                    (if (= ::r.remote-update/need-pull-remote-data (:type (ex-data e)))
                      (m/? (r.client/new-task--pull-remote-data
-                           repo conn graph-uuid major-schema-version date-formatter get-ws-create-task add-log-fn))
+                           repo conn graph-uuid major-schema-version date-formatter get-ws-create-task @*aes-key
+                           add-log-fn))
                      (throw (r.ex/e->ex-info e)))))
 
                :local-update-check
                (m/? (r.client/new-task--push-local-ops
                      repo conn graph-uuid major-schema-version date-formatter
-                     get-ws-create-task *remote-profile? add-log-fn))
+                     get-ws-create-task *remote-profile? @*aes-key add-log-fn))
 
                :online-users-updated
                (reset! *online-users (:online-users (:value event)))
 
                :pull-remote-updates
                (m/? (r.client/new-task--pull-remote-data
-                     repo conn graph-uuid major-schema-version date-formatter get-ws-create-task add-log-fn))
+                     repo conn graph-uuid major-schema-version date-formatter get-ws-create-task @*aes-key
+                     add-log-fn))
 
                :inject-users-info
                (m/? (new-task--inject-users-info token graph-uuid major-schema-version))))
@@ -345,7 +360,7 @@
       (if (instance? ExceptionInfo r)
         r
         (let [{:keys [rtc-state-flow *rtc-auto-push? *rtc-remote-profile? rtc-loop-task *online-users onstarted-task]}
-              (create-rtc-loop graph-uuid schema-version repo conn date-formatter token)
+              (create-rtc-loop graph-uuid schema-version repo conn date-formatter token user-uuid)
               *last-stop-exception (atom nil)
               canceler (c.m/run-task :rtc-loop-task
                          rtc-loop-task

src/main/frontend/worker/rtc/crypt.cljs

@@ -106,7 +106,7 @@
 (defn task--get-user-public-key
   [get-ws-create-task user-uuid]
   (m/sp
-   (:public-key (m/? (task--fetch-user-rsa-key-pair get-ws-create-task user-uuid)))))
+    (:public-key (m/? (task--fetch-user-rsa-key-pair get-ws-create-task user-uuid)))))
 
 (defn task--get-rsa-key-pair
   [get-ws-create-task user-uuid]
@@ -118,6 +118,12 @@
       {:public-key public-key
        :private-key private-key})))
 
+(defn task--get-aes-key
+  [get-ws-create-task user-uuid graph-uuid]
+  (m/sp
+    (let [{:keys [_public-key private-key]} (m/? (task--get-rsa-key-pair get-ws-create-task user-uuid))]
+      (m/? (task--fetch-graph-aes-key get-ws-create-task graph-uuid private-key)))))
+
 (comment
   (do
     (defn- array-buffers-equal?

src/main/frontend/worker/rtc/encrypt.cljs

@@ -1,183 +0,0 @@
-(ns frontend.worker.rtc.encrypt
-  "Deprecated ns.
-  rtc e2ee related"
-  (:require ["/frontend/idbkv" :as idb-keyval]
-            [frontend.common.thread-api :as thread-api :refer [def-thread-api]]
-            [logseq.db :as ldb]
-            [promesa.core :as p]))
-
-(def ^:private encoder (js/TextEncoder.))
-(def ^:private decoder (js/TextDecoder.))
-
-;;; TODO: move frontend.idb to deps/, then we can use it in both frontend and db-worker
-;;; now, I just direct use "/frontend/idbkv" here
-(defonce ^:private store (delay (idb-keyval/newStore "localforage" "keyvaluepairs" 2)))
-
-(defn- <get-item
-  [k]
-  (when (and k @store)
-    (idb-keyval/get k @store)))
-
-(defn- <set-item!
-  [k value]
-  (when (and k @store)
-    (idb-keyval/set k value @store)))
-
-(defn- <remove-item!
-  [k]
-  (idb-keyval/del k @store))
-
-(defn- graph-encrypt-key-idb-key
-  [repo]
-  (assert (some? repo))
-  (str "rtc-encrypt-key###" repo))
-
-(defn <get-encrypt-key
-  [repo]
-  (<get-item (graph-encrypt-key-idb-key repo)))
-
-(defn- <set-encrypt-key!
-  [repo k]
-  (assert (instance? js/CryptoKey k))
-  (<set-item! (graph-encrypt-key-idb-key repo) k))
-
-(comment
-  (defn <remove-encrypt-key!
-    [repo]
-    (<remove-item! (graph-encrypt-key-idb-key repo))))
-
-(defn- array-buffer->base64 [buffer]
-  (let [binary (apply str (map js/String.fromCharCode (js/Uint8Array. buffer)))]
-    (js/btoa binary)))
-
-(defn base64->array-buffer [base64]
-  (let [binary-string (js/atob base64)
-        len (.-length binary-string)
-        bytes' (js/Uint8Array. len)]
-    (dotimes [i len]
-      (aset bytes' i (.charCodeAt binary-string i)))
-    (.-buffer bytes')))
-
-(defn gen-salt
-  []
-  (array-buffer->base64 (js/crypto.getRandomValues (js/Uint8Array. 16))))
-
-(defn <salt+password->key
-  [salt password]
-  (p/let [salt' (cond
-                  (string? salt) (base64->array-buffer salt)
-                  (instance? js/Uint8Array salt) salt
-                  :else (throw (ex-info "invalid salt value" {:value salt})))
-          key-material (js/crypto.subtle.importKey
-                        "raw"
-                        (.encode encoder password)
-                        #js {:name "PBKDF2"}
-                        false
-                        #js ["deriveKey"])]
-    (js/crypto.subtle.deriveKey
-     #js {:name "PBKDF2"
-          :salt salt'
-          :iterations 100000
-          :hash "SHA-256"}
-     key-material
-     #js {:name "AES-GCM" :length 256}
-     false
-     #js ["encrypt" "decrypt"])))
-
-(defn <persist-encrypt-key!
-  [repo salt password]
-  (p/let [encrypt-key (<salt+password->key salt password)
-          encrypt-key' (<get-encrypt-key repo)
-          _ (assert (nil? encrypt-key'))
-          _ (<set-encrypt-key! repo encrypt-key)]
-    nil))
-
-(defn- <encrypt-text
-  [key' plaintext]
-  (p/let [iv (js/crypto.getRandomValues (js/Uint8Array. 12))
-          data (.encode encoder plaintext)
-          encrypted-data (js/crypto.subtle.encrypt
-                          #js {:name "AES-GCM"
-                               :iv iv}
-                          key'
-                          data)]
-    [iv (js/Uint8Array. encrypted-data)]))
-
-(defn- <decrypt-text
-  [key' encrypted-package]
-  (let [[iv ciphertext] encrypted-package]
-    (assert (and (some? iv) (some? ciphertext)))
-    (p/let [decrypted-data (js/crypto.subtle.decrypt
-                            #js {:name "AES-GCM"
-                                 :iv iv}
-                            key'
-                            ciphertext)]
-      (.decode decoder decrypted-data))))
-
-(defn <decrypt-text-if-encrypted
-  "return nil if not a encrypted-package"
-  [key' maybe-encrypted-package]
-  (when (and (vector? maybe-encrypted-package)
-             (<= 2 (count maybe-encrypted-package)))
-    (<decrypt-text key' maybe-encrypted-package)))
-
-(defn <encrypt-map
-  [key' encrypt-attr-set m]
-  (assert (map? m))
-  (reduce
-   (fn [map-p encrypt-attr]
-     (p/let [m map-p]
-       (if-let [v (get m encrypt-attr)]
-         (p/let [v' (p/chain (<encrypt-text key' v) ldb/write-transit-str)]
-           (assoc m encrypt-attr v'))
-         m)))
-   (p/promise m) encrypt-attr-set))
-
-(defn <encrypt-av-coll
-  "see also `rtc-schema/av-schema`"
-  [key' encrypt-attr-set av-coll]
-  (p/all
-   (mapv
-    (fn [[a v & others]]
-      (p/let [v' (if (and (contains? encrypt-attr-set a)
-                          (string? v))
-                   (p/chain (<encrypt-text key' v) ldb/write-transit-str)
-                   v)]
-        (apply conj [a v'] others)))
-    av-coll)))
-
-(defn <decrypt-map
-  [key' encrypt-attr-set m]
-  (assert (map? m))
-  (reduce
-   (fn [map-p encrypt-attr]
-     (p/let [m map-p]
-       (if-let [v (get m encrypt-attr)]
-         (if (string? v)
-           (p/let [v' (<decrypt-text-if-encrypted key' (ldb/read-transit-str v))]
-             (if v'
-               (assoc m encrypt-attr v')
-               m))
-           m)
-         m)))
-   (p/promise m) encrypt-attr-set))
-
-(comment
-  (->
-   (p/let [salt (js/crypto.getRandomValues (js/Uint8Array. 16))
-           range' (range 10 ;; 100000
-                         )
-           start (.getTime (js/Date.))
-           key' (<salt+password->key salt "password")
-           encrypted-package-coll (p/all (map #(<encrypt-text key' "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq") range'))
-           end (.getTime (js/Date.))]
-     ;; (prn :encrypted-package-coll encrypted-package-coll)
-     (println :encrypt-bench (count range') "in" (- end start) "ms")
-     (p/let [start2 (.getTime (js/Date.))
-             xx (p/all (map #(<decrypt-text key' %) encrypted-package-coll))
-             end2 (.getTime (js/Date.))]
-       ;; (prn :xx xx)
-       (println :decrypt-bench (count range') "in" (- end2 start2) "ms")))
-   (p/catch (fn [e]
-              (prn :e e)
-              (def ee e)))))

src/main/frontend/worker/rtc/exception.cljs

@@ -30,7 +30,8 @@ the server will put it to s3 and return its presigned-url to clients."}
   :rtc.exception/fetch-user-rsa-key-pair-error {:doc "Failed to fetch user RSA key pair from server"}
   :rtc.exception/fetch-graph-aes-key-error {:doc "Failed to fetch graph AES key from server"}
   :rtc.exception/upload-user-rsa-key-pair-error {:doc "Failed to upload user RSA key pair to server"}
-  :rtc.exception/not-found-user-rsa-key-pair {:doc "user rsa-key-pair not found"})
+  :rtc.exception/not-found-user-rsa-key-pair {:doc "user rsa-key-pair not found"}
+  :rtc.exception/not-found-graph-aes-key {:doc "graph aes-key not found"})
 
 (def ex-ws-already-disconnected
   (ex-info "websocket conn is already disconnected" {:type :rtc.exception/ws-already-disconnected}))

src/main/frontend/worker/rtc/full_upload_download_graph.cljs

@@ -181,7 +181,8 @@
               (m/? (ws-util/send&recv get-ws-create-task {:action "upload-graph"
                                                           :s3-key key
                                                           :schema-version (str major-schema-version)
-                                                          :graph-name remote-graph-name}))]
+                                                          :graph-name remote-graph-name
+                                                          :encrypted-aes-key encrypted-aes-key}))]
           (if-let [graph-uuid (:graph-uuid upload-resp)]
             (let [schema-version (ldb/get-graph-schema-version @conn)]
               (ldb/transact! conn

src/main/frontend/worker/rtc/malli_schema.cljs

@@ -303,7 +303,8 @@
        [:map
         [:s3-key :string]
         [:graph-name :string]
-        [:schema-version db-schema/major-schema-version-string-schema]]]
+        [:schema-version db-schema/major-schema-version-string-schema]
+        [:encrypted-aes-key {:optional true} :string]]]
       ["branch-graph"
        [:map
         [:s3-key :string]

src/main/frontend/worker/rtc/remote_update.cljs

@@ -4,13 +4,13 @@
             [clojure.set :as set]
             [clojure.string :as string]
             [datascript.core :as d]
+            [frontend.common.crypt :as crypt]
             [frontend.common.missionary :as c.m]
             [frontend.worker-common.util :as worker-util]
             [frontend.worker.handler.page :as worker-page]
             [frontend.worker.rtc.asset :as r.asset]
             [frontend.worker.rtc.client-op :as client-op]
             [frontend.worker.rtc.const :as rtc-const]
-            [frontend.worker.rtc.encrypt :as rtc-encrypt]
             [frontend.worker.rtc.log-and-state :as rtc-log-and-state]
             [frontend.worker.rtc.malli-schema :as rtc-schema]
             [frontend.worker.state :as worker-state]
@@ -604,7 +604,7 @@ so need to pull earlier remote-data from websocket."})
                                                   (dissoc :block/uuid))])))))))
 
 (defn task--decrypt-blocks-in-remote-update-data
-  [encrypt-key encrypt-attr-set remote-update-data]
+  [aes-key encrypt-attr-set remote-update-data]
   (m/sp
     (let [{affected-blocks-map :affected-blocks refed-blocks :refed-blocks} remote-update-data
           affected-blocks-map'
@@ -612,14 +612,14 @@ so need to pull earlier remote-data from websocket."})
                  affected-blocks-map-result {}]
             (if-not block-uuid
               affected-blocks-map-result
-              (let [affected-block' (c.m/<? (rtc-encrypt/<decrypt-map encrypt-key encrypt-attr-set affected-block))]
+              (let [affected-block' (c.m/<? (crypt/<decrypt-map aes-key encrypt-attr-set affected-block))]
                 (recur rest-affected-blocks (assoc affected-blocks-map-result block-uuid affected-block')))))
           refed-blocks'
           (loop [[refed-block & rest-refed-blocks] refed-blocks
                  refed-blocks-result []]
             (if-not refed-block
               refed-blocks-result
-              (let [refed-block' (c.m/<? (rtc-encrypt/<decrypt-map encrypt-key encrypt-attr-set refed-block))]
+              (let [refed-block' (c.m/<? (crypt/<decrypt-map aes-key encrypt-attr-set refed-block))]
                 (recur rest-refed-blocks (conj refed-blocks-result refed-block')))))]
       (assoc remote-update-data
              :affected-blocks affected-blocks-map'
@@ -658,13 +658,12 @@ so need to pull earlier remote-data from websocket."})
 
 (defn task--apply-remote-update
   "Apply remote-update(`remote-update-event`)"
-  [graph-uuid repo conn date-formatter remote-update-event add-log-fn]
+  [graph-uuid repo conn date-formatter remote-update-event aes-key add-log-fn]
   (m/sp
     (when (apply-remote-update-check repo remote-update-event add-log-fn)
       (let [remote-update-data (:value remote-update-event)
-            encrypt-key (c.m/<? (rtc-encrypt/<get-encrypt-key repo))
             remote-update-data (m/? (task--decrypt-blocks-in-remote-update-data
-                                     encrypt-key rtc-const/encrypt-attr-set
+                                     aes-key rtc-const/encrypt-attr-set
                                      remote-update-data))
             remote-t (:t remote-update-data)
             {affected-blocks-map :affected-blocks refed-blocks :refed-blocks} remote-update-data