This repository has been archived by the owner on Apr 2, 2024. It is now read-only.

Encrypt public keys / key list #115

Open
krautsource opened this issue Oct 12, 2013 · 3 comments

@krautsource
Contributor

For added security on untrusted or semi-trusted machines (like at the workplace or a family computer), do you guys think that encrypting the key list would be reasonable? Like AES-encrypting all data in localStorage using a user-supplied passphrase.
That way, the user could leave his/her key list on the computer without having to worry about others gaining access to the private key or public keys (see threat model in the wiki; an attacker could already gain information just from the list of public keys in the browser's localStorage).
I think this should be possible using openpgp.js.

Any thoughts on this? :-)
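
A sketch of the proposal above, added here as an example and not part of the original issue or the project's code: the whole key list is encrypted as one blob under a passphrase-derived key before it is written to localStorage. It uses the browser's WebCrypto API (PBKDF2 and AES-GCM) rather than openpgp.js; the function names, the `keylist` storage key, the record layout and the iteration count are assumptions.

```javascript
// Added example: all names below are hypothetical, not the project's own.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const ITERATIONS = 600000; // assumption: PBKDF2-HMAC-SHA256 work factor, tune per device
const b64 = (u8) => btoa(Array.from(u8, (b) => String.fromCharCode(b)).join(''));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

async function deriveKey(passphrase, salt, iterations) {
  const material = await wc.subtle.importKey(
    'raw', new TextEncoder().encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Encrypts the list as a single blob, so key IDs and user IDs are not
// readable from storage either. Salt and IV are fresh on every write.
async function saveKeyList(storage, passphrase, keyList) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(passphrase, salt, ITERATIONS);
  const ct = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(JSON.stringify(keyList)));
  storage.setItem('keylist', JSON.stringify({
    v: 1, iter: ITERATIONS, salt: b64(salt), iv: b64(iv), ct: b64(new Uint8Array(ct)) }));
}

// Returns the key list, or null when nothing is stored, the passphrase
// is wrong, or the stored record was modified (GCM tag check fails).
async function loadKeyList(storage, passphrase) {
  const raw = storage.getItem('keylist');
  if (raw === null) return null;
  try {
    const rec = JSON.parse(raw);
    const key = await deriveKey(passphrase, unb64(rec.salt), rec.iter);
    const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv: unb64(rec.iv) }, key, unb64(rec.ct));
    return JSON.parse(new TextDecoder().decode(pt));
  } catch {
    return null;
  }
}

// Map-backed stand-in for window.localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => void m.set(k, String(v)) };
}
```

In a browser, pass `window.localStorage` as `storage`. This protects the stored list at rest only; once the passphrase is entered on the machine, the decrypted list is in page memory.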

@niklasfemerstrand
Owner

Imho it's rather uninteresting to enhance security on untrusted machines. Those users are already fucked anyway, there's no patch against that.

Crypting localStorage is an anti-forensics measure, but GnuPG doesn't support it so it'll be inconsistently used in only the OpenPGP.js driver, if it were to be implemented.

@krautsource
Contributor Author

> GnuPG doesn't support it so it'll be inconsistently used in only the OpenPGP.js driver, if it were to be implemented.

Hmm... to be honest, I see no harm in this.
But a feasible alternative for the user would be to use Firefox Portable on an (encrypted) USB thumb drive, for example. Much less convenient, but more secure than encrypted localStorage on the machine itself. Come to think of it, maybe we should add a "best practices" section in the documentation/wiki?

@jseidl
Contributor

jseidl commented Jan 17, 2014

I think there is no harm in having a private key exposed. It's useless without the password. Just don't remember it on session. Agree with @encomiast for "best practices" section...
