Idea: allow Windows Account for encryption (Data Protection API/DPAPI)

Open My1 opened this issue 4 years ago • 10 comments

One cool option, in my opinion, would be that rather than using a password for encryption, to use the Windows account's possibilities for securing stuff itself, similar to what KeePass can do (https://keepass.info/help/base/keys.html, at "Windows User Account"). This also at least seems secure, as it apparently relies on a Windows account being properly unlocked (e.g. resetting your password will grill the keys used and make the data inaccessible, so a warning would be good).

While this makes the file less portable (obviously), the question is whether the connection file, especially regarding passwords, needs to be that portable in all use cases, especially if a password manager is in fact already used. In fact, especially considering that with DPAPI the Windows password is part of the generation, so it's a ton easier to enforce security on those, and obviously also more convenient since only one login is needed.

Expected Behavior

Basically, when encrypting, to allow an option between password, Win Account or perhaps even both for the people who want even stronger security.

Current Behavior

Currently you can only use a password to encrypt the connection file.

Possible Solution

Might be possible to look at how KeePass does it.

Context

I would have thought it could be a good way to improve security in a way that wouldn't hurt most people (and the others don't have to enable it, just like with the current encryption).

My1, Mar 19 '22 17:03

I like this idea. And if only the credentials are encrypted, the file should be portable to a degree; only the passwords would need to be re-entered (which shouldn't pose any issues except usability).

simonai1254, Mar 19 '22 18:03
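
The account-bound, per-credential encryption discussed in the two posts above, as an added C# example (not code from mRemoteNG or KeePass). The class name `DpapiCredentialField`, the Base64 storage format and the use of a file password as DPAPI optional entropy for the "both" option are assumptions made for illustration.

```csharp
// Added illustration, not mRemoteNG code. Windows only (DPAPI).
// On .NET Core / .NET 5+ this needs the System.Security.Cryptography.ProtectedData package.
using System;
using System.Security.Cryptography;
using System.Text;

static class DpapiCredentialField   // hypothetical helper name
{
    // Encrypts a single credential value for the current Windows account.
    // extraPassword == null -> "Win Account" only.
    // extraPassword != null -> "both": the password is passed as DPAPI optional entropy (assumption).
    public static string Protect(string secret, string extraPassword = null)
    {
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(secret),
            Entropy(extraPassword),
            DataProtectionScope.CurrentUser);   // bound to this user's profile keys
        return Convert.ToBase64String(blob);    // text form for a connection file field
    }

    // Returns false when the blob cannot be opened: different Windows account or
    // machine, keys lost after an administrative password reset, wrong extra
    // password, or a damaged field. The caller then asks for the credential again.
    public static bool TryUnprotect(string stored, string extraPassword, out string secret)
    {
        secret = null;
        try
        {
            byte[] plain = ProtectedData.Unprotect(
                Convert.FromBase64String(stored),
                Entropy(extraPassword),
                DataProtectionScope.CurrentUser);
            secret = Encoding.UTF8.GetString(plain);
            return true;
        }
        catch (CryptographicException) { return false; }
        catch (FormatException) { return false; }
    }

    static byte[] Entropy(string password) =>
        password == null ? null : Encoding.UTF8.GetBytes(password);

    static void Main()
    {
        // Constructed sample values.
        string stored = Protect("constructed-sample-password", "file password");
        Console.WriteLine(TryUnprotect(stored, "file password", out var p) ? p : "re-enter");
        Console.WriteLine(TryUnprotect(stored, "wrong", out _) ? "opened" : "re-enter credential");
    }
}
```

Because only the credential fields are protected this way, the rest of the connection file stays readable on another account or machine, and a failed `TryUnprotect` maps to the "re-enter the password once" behaviour.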

I don't know how the encryption works, if it only crypts creds or everything, but if it only crypts creds that would be an absolute masterpiece.

My1, Mar 19 '22 19:03

I just know this kind of encryption from the "Microsoft Remote Desktop Manager" which had it implemented like that. And every time something was wrong with the user, I just had to re-enter the password once and everything was fine again.

The current implementation of mRemoteNG is just a way to obfuscate the settings, but (as far as I know) does not protect the credentials directly.

simonai1254, Mar 19 '22 22:03

That should be possible to implement once profiles go live; currently working towards that.

Kvarkas, Mar 21 '22 09:03

Cool, looking forward to it.

My1, Mar 21 '22 09:03

2 years later...

Any success with profiles?

My1, Apr 11 '24 16:04