bitw icon indicating copy to clipboard operation
bitw copied to clipboard

Published 20 hours ago verified publisher icon mvdan

Requesting code reviews from security engineers

Open mvdan opened this issue 5 years ago • 3 comments

I'm not an expert at security by any means. I know enough to get this working, but I'd like some reviews and feedback before people start using this for their own passwords.

Current TODOs:

  • The password and decryption key are stored in memory for the lifetime of the process. Should we use https://github.com/awnumar/memguard?
  • The D-Bus service only implements the plaintext session encryption algorithm. Should we implement dh-ietf1024-sha256-aes128-cbc-pkcs7 and discourage the use of plain?
  • The encrypted sync data is stored on disk as-is. I assume this is fine because bitwarden-cli does the same, but I'm not 100% sure.

mvdan avatar Jun 23 '19 16:06 mvdan

At minimum bitw should use mlock(2) to prevent the password from being swapped.

Mic92 avatar May 19 '20 07:05 Mic92

Yes, that's what libraries like memguard above do.

mvdan avatar May 19 '20 09:05 mvdan

D-Bus encryption to not use "plain" was implemented in https://github.com/mvdan/bitw/issues/17.

mvdan avatar Jan 25 '21 12:01 mvdan