Skip to content
This repository has been archived by the owner on Nov 17, 2023. It is now read-only.

Use encrypted database for application password #3108

Draft
wants to merge 1 commit into
base: next
Choose a base branch
from

Conversation

mrfelton
Copy link
Member

@mrfelton mrfelton commented Nov 5, 2019

Description:

Use encrypted database for application password.

To lock:

  1. user supplies password
  2. generate random cypher key
  3. encrypt database with cypher key
  4. encrypt cypher key with supplied password
  5. store the resulting encrypted cypher key in secure storage (keychain etc)
  6. store a hash of the user password in the database (encrypted)

To unlock:

  1. user supplies password
  2. fetch encrypted cypher key from the database
  3. decrypt with the user supplied password
  4. decrypt the database using the resulting encryption key
  5. compare hash of user supplied password with (now decrypted) password hash retrieved from the database

Notes

  1. If you delete the encrypted cypher key from secure storage you will not be able to access the app. Technically, you could hack the codebase to bypass the check for this, but encrypted data will not be decrypted and the application would be unusable as a result.

TODO

  • basic implementation
  • migration path for 0.6 users with password enabled
  • extend to encrypt additional data (currently only encrypts database password hash)

Motivation and Context:

  • Cross platform support for password feature (workaround useless windows credentials vault)
  • Ability to encrypt selected database entries
  • Do not store hashed user passwords unencrypted
  • Re-encrypt encrypted database entries after changing password

How Has This Been Tested?

Manually

Types of changes:

Enhancement

Checklist:

  • My code follows the code style of this project.
  • I have reviewed and updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes where needed.
  • All new and existing tests passed.
  • My commits have been squashed into a concise set of changes.

@mrfelton mrfelton added type: enhancement New feature or request scope: security issues that are security related labels Nov 5, 2019
@mrfelton mrfelton requested a review from korhaliv November 5, 2019 13:34
@mrfelton mrfelton self-assigned this Nov 5, 2019
@mrfelton mrfelton added this to the v0.7.0-beta milestone Nov 5, 2019
@coveralls
Copy link

coveralls commented Nov 6, 2019

Coverage Status

Coverage decreased (-0.1%) to 22.452% when pulling bb26060 on mrfelton:feat/app-password into 5e83987 on LN-Zap:next.

@mrfelton mrfelton marked this pull request as draft April 9, 2020 06:05
@mrfelton mrfelton changed the title [WIP] Use encrypted database for application password Use encrypted database for application password Apr 9, 2020
@mrfelton mrfelton removed this from the v0.7.0-beta milestone May 19, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
password-system scope: security issues that are security related type: enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants