FreeOTPPlus

FR: encrypt token secret using user provided password

Open · romeokienzler opened this issue 4 years ago · 9 comments

Encrypt the export using e.g. the OpenPGP or OpenSSL library. Otherwise the file can be read and stolen while it resides on the file system.

Workaround: I encrypt the file after export using OpenKeychain and then upload it to a cloud provider for backup. But while the file resides on the FS unencrypted, it can be read by other apps.

romeokienzler · May 06 '21 13:05

Isn't this a duplicate of #122, @romeokienzler?

Minoru · May 06 '21 13:05

Encrypting files for export is important and necessary.

OmlineEditor · Jun 04 '21 21:06

Agreed. I plan to use symmetric encryption with a user password to encrypt all the app data and exports. The main issue is backward compatibility. I need to make sure to also support unencrypted data if the user chooses to, and also during app upgrade.

helloworld1 · Jun 06 '21 04:06

Do encryption even if the phone does not have a screen lock at all and you only need to turn it on to access the phone. Please take this into account when designing.

OmlineEditor · Jun 06 '21 18:06

I hope the encryption will be completely independent from the system lock/account, meaning you can have encryption and a password without a screen lock. The biometrics can be used to log in faster.

helloworld1 · Jun 06 '21 22:06

@helloworld1 Sorry for the duplicate and the late reply. Did you have a chance to look into the issue? I just created a backup and encrypted it with OpenKeychain; a little concerned that the JSON is lying around unencrypted for 30-60 seconds :)

romeokienzler · Jul 20 '21 22:07

@romeokienzler Encryption is considered. There are some major changes in the codebase to make the storage more flexible. The new encryptionType field in the DB will be used to indicate whether the data is encrypted or not: https://github.com/helloworld1/FreeOTPPlus/blob/master/token-data/src/main/java/org/fedorahosted/freeotp/data/OtpToken.kt#L19

And yes, an external tool like OpenKeychain is good to use before the encryption is fully implemented in FreeOTP+.

helloworld1 · Jul 21 '21 05:07

Any news on this issue? If not, I would try to implement a proposition for symmetric encryption with a user password.

Crustack · Jul 15 '22 17:07

It's not being implemented now. Feel free to contribute. The Room database has a field indicating whether the row is encrypted or not. Currently all are plain text, though.

The integration of fingerprint authentication is the challenging part. We can probably do it in a separate PR.

helloworld1 · Jul 16 '22 20:07