feat: Encrypt secret keys at rest in config.toml

[Nanle-code]

Summary

Secret keys are currently stored in plaintext in ~/.starforge/config.toml.
While this is acceptable for throwaway testnet wallets, it is a security risk
for any wallet holding real value. Encrypting keys at rest with a user-provided
passphrase would significantly improve security.

Task

Add opt-in passphrase-based encryption for secret keys stored in config.toml,
using AES-256-GCM. When a passphrase is set, secret keys are stored encrypted
and decrypted on-demand when needed for signing.

Acceptance Criteria

• starforge wallet create alice --encrypt prompts for a passphrase and stores the key encrypted
• Encrypted keys are stored as base64 ciphertext in config.toml
• starforge wallet show alice --reveal prompts for the passphrase to decrypt and display the key
• If the wrong passphrase is entered, a clear error is shown (no panic)
• Unencrypted wallets continue to work without any change
• The encryption scheme (AES-256-GCM + PBKDF2) is documented in the README

Files Likely Touched

• Cargo.toml — add aes-gcm and pbkdf2 crates
• src/utils/config.rs — add encrypt_key and decrypt_key functions
• src/commands/wallet.rs — add --encrypt flag and passphrase prompts

Notes

Use aes-gcm crate for encryption and pbkdf2 with SHA-256 for key derivation
from the passphrase. Store the salt alongside the ciphertext in config.toml.
Never store the passphrase itself. Prompt securely using the rpassword crate.

[drips-wave]

This issue has been added to the Stellar Wave Program and is worth 200 Points.

🧑‍💻 Interested in contributing? Apply to work on this issue on Drips Wave, earn points, and receive rewards.

Warning

Only applications submitted via the apply link above will be considered. Please do not apply by commenting on the issue or opening a PR directly.

🤠 Repo maintainers: You can manage this issue's Points and Complexity on your Maintainer Dashboard here. Please keep an eye on applications and respond quickly 💙

ℹ️ Learn more about Drips Wave

[Jayy4rl]

@Jayy4rl has applied to work on this issue as part of the Stellar Wave Program's 3rd wave.

Hi, I would like to work on this issue. ETA 4hours

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Jayy4rl to this issue.

[drips-wave]

Congratulations, @Jayy4rl! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on March 30, 2026.

🧑‍💻 @Jayy4rl: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊