
Enforce keychain-defined protection logic on items stored in keychain

Open keepassium opened this issue 3 years ago • 0 comments

Currently, sensitive data in the keychain is protected by three factors:

  • App logic — once KeePassium is unlocked, it can read/write/delete keychain items without additional restrictions.
  • kSecAttrAccessibleWhenUnlockedThisDeviceOnly attribute
  • Additional encryption by a device-bound key stored in the Secure Enclave

It would be useful to complement the app logic with keychain-based verification, where the system itself would verify user-defined access conditions.

For example, the user could configure the app to require a biometric scan (or PIN code) to open the database. Instead of doing the check in the code, the app should set the corresponding attribute on the keychain item. This way, access control would be enforced by the system rather than the app.

This would be a prerequisite for #42 and #169.

[thanks, Konstantin and Andy]

keepassium, Dec 22 '22 23:12
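
An added sketch of the system-enforced approach the issue describes, using Apple's Security and LocalAuthentication frameworks. It is not KeePassium's code; the service and account names, the error type and both function names are assumptions made for the example.

```swift
import Foundation
import Security
import LocalAuthentication

// Hypothetical identifiers for this example, not KeePassium's own.
let service = "com.example.demo.dbkeys"
let account = "sample-database"

enum KeychainError: Error { case status(OSStatus) }

let baseQuery: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrService as String: service,
    kSecAttrAccount as String: account,
]

/// Stores `secret` with an access-control object, so the keychain itself
/// demands user authentication on every read instead of trusting app logic.
func storeProtected(_ secret: Data, biometricsOnly: Bool) throws {
    // .biometryCurrentSet: item becomes unreadable if enrolled biometrics change.
    // .userPresence: biometrics or the device passcode are both accepted.
    let flags: SecAccessControlCreateFlags = biometricsOnly ? .biometryCurrentSet : .userPresence
    var cfError: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly, // protection class from the issue
        flags, &cfError) else {
        throw cfError!.takeRetainedValue() as Error
    }
    _ = SecItemDelete(baseQuery as CFDictionary)   // replace any earlier copy
    var add = baseQuery
    add[kSecAttrAccessControl as String] = acl     // carries the protection class; do not also set kSecAttrAccessible
    add[kSecValueData as String] = secret
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Reads the item; the system shows the biometric/passcode prompt itself.
func readProtected(reason: String) throws -> Data {
    let context = LAContext()
    context.localizedReason = reason
    var query = baseQuery
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    query[kSecUseAuthenticationContext as String] = context
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    // A dismissed prompt surfaces as errSecUserCanceled, a failed check as errSecAuthFailed.
    guard status == errSecSuccess, let data = result as? Data else { throw KeychainError.status(status) }
    return data
}
```

With `biometricsOnly: true` the item cannot be recovered after the enrolled biometrics change, so the app needs a path to re-create it from the user's master credentials.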