node-keytar

How is the data encrypted and/or uses OS's password management?

Open ktalebian opened this issue 4 years ago • 1 comments

Keytar never asks for a computer password when you read/write. For example, I can do

keytar.setPassword('MyDefaultService', 'accountName', 'password');

and then later at any point anywhere on the OS have another .js file and do

keytar.findCredentials('MyDefaultService')

And this just gives me all the username/password, without ever prompting for the Vault's password. I am not running my script as sudo.

I'm confused then whether data is actually encrypted or how it uses the OS's default password management vault. Because it looks like any script running on the same computer would have access to the entire vault assuming they have the service-name.

Aug 12 '19 16:08 ktalebian

@ktalebian This question is more about OS details (Windows Credential Manager, MacOSX Vault, Linux libsecret). keytar is just a Node.js wrapper for OS functions.

Generally, the protection is against data theft only. If an attacker has access to your data but cannot log in, then your passwords are safe. The Vault is unlocked by a successful login only. If the attacker can log in as the user, then the attacker knows all passwords. But there's no other protection which can protect you against such an attack.

Jun 14 '21 06:06 xmedeko
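Since the OS store hands entries to any process of the logged-in user, an application that wants them opaque to other same-user scripts has to wrap the value itself before storing it. The sketch below is an added example, not code from this thread or from the keytar project: it seals the secret with a key derived from a passphrase the user types at run time. `sealSecret`, `openSecret` and `fakeKeytar` are hypothetical names, and `fakeKeytar` is a constructed in-memory stand-in with keytar's `setPassword`/`findCredentials` method shape so the block runs offline.

```javascript
const crypto = require('node:crypto');

// Derive a 256-bit key from the passphrase; the passphrase is never stored.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// AES-256-GCM; output is base64 of salt(16) | iv(12) | tag(16) | ciphertext.
function sealSecret(passphrase, secret) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const body = Buffer.concat([cipher.update(secret, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]).toString('base64');
}

// Reverse of sealSecret; throws if the passphrase is wrong or the blob was altered.
function openSecret(passphrase, blob) {
  const raw = Buffer.from(blob, 'base64');
  const key = deriveKey(passphrase, raw.subarray(0, 16));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(16, 28));
  decipher.setAuthTag(raw.subarray(28, 44));
  return Buffer.concat([decipher.update(raw.subarray(44)), decipher.final()]).toString('utf8');
}

// Constructed stand-in for keytar (assumption: same promise-returning methods).
const vault = [];
const fakeKeytar = {
  async setPassword(service, account, password) {
    vault.push({ service, account, password });
  },
  async findCredentials(service) {
    return vault.filter((e) => e.service === service)
      .map(({ account, password }) => ({ account, password }));
  },
};

async function demo() {
  const sealed = sealSecret('typed-by-user', 'password');
  await fakeKeytar.setPassword('MyDefaultService', 'accountName', sealed);
  // What another script of the same user reads back: only the sealed blob.
  const [entry] = await fakeKeytar.findCredentials('MyDefaultService');
  return { stored: entry.password, opened: openSecret('typed-by-user', entry.password) };
}

demo().then((result) => console.log(result));
```

This only keeps the stored value opaque to a process that reads the vault; a process that can observe the passphrase being entered, or the application's memory, still gets the secret.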