Update 'src/profile_encryption_and_storage.md'
parent bfc560e9d9
commit 4e4b04c48d
|
@ -1,6 +1,6 @@
|
||||||
# Profile Encryption & Storage
|
# Profile Encryption & Storage
|
||||||
|
|
||||||
Profiles are stored on locally on disk and encrypted using a key derived from user-known password (via pbkdf2).
|
Profiles are stored locally on disk and encrypted using a key derived from user-known password (via pbkdf2).
|
||||||
|
|
||||||
Note that once encrypted and stored on disk, the only way to recover a profile is by rederiving the password - as such
|
Note that once encrypted and stored on disk, the only way to recover a profile is by rederiving the password - as such
|
||||||
it isn't possible to provide a full list of profiles a user might have access to until they enter a password.
|
it isn't possible to provide a full list of profiles a user might have access to until they enter a password.
|
||||||
|
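Review bot: the context line "the only way to recover a profile is by rederiving the password" reads as if the password itself is derived, when the first sentence says the key is derived from the password. Since this hunk already fixes wording in the same paragraph, consider "by rederiving the key from the password". The changed line also still reads "derived from user-known password", which is missing an article ("a user-known password").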
@ -10,6 +10,8 @@ it isn't possible to provide a full list of profiles a user might have access to
|
||||||
To handle profiles that are "unencrypted" (i.e don't require a password to open) we currently create a profile
|
To handle profiles that are "unencrypted" (i.e don't require a password to open) we currently create a profile
|
||||||
with a [defacto, hardcoded password](https://git.openprivacy.ca/cwtch.im/libcwtch-go/src/branch/trunk/constants/globals.go#L5).
|
with a [defacto, hardcoded password](https://git.openprivacy.ca/cwtch.im/libcwtch-go/src/branch/trunk/constants/globals.go#L5).
|
||||||
|
|
||||||
|
<!-- Can cwtch be updated to randomly generate a password and store it on the devices keychain/keystore (for devices/OS with a keychain API)? Also I'm not sure how secure OS level keychains are but hard coded passwords always become campfire stories years later. -->
|
||||||
|
|
||||||
This isn't ideal, we would much rather wish to rely on OS-provided key material such that the profile is bound to a
|
This isn't ideal, we would much rather wish to rely on OS-provided key material such that the profile is bound to a
|
||||||
specific device, but such features are currently patchwork - we also note by creating an unencrypted profile, people
|
specific device, but such features are currently patchwork - we also note by creating an unencrypted profile, people
|
||||||
who use Cwtch are explicitly opting into the risk that someone with access to the file system may be able to decrypt
|
who use Cwtch are explicitly opting into the risk that someone with access to the file system may be able to decrypt
|
||||||
|
|
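Review bot: the added line puts an open design question into the document source as an HTML comment, where it will not appear in the rendered page and is easy to lose. Suggest filing it as an issue, or rewriting it as visible text if it is meant for readers. The paragraph directly below ("we would much rather wish to rely on OS-provided key material ... but such features are currently patchwork") already speaks to the keychain idea, so the question could point at that sentence and ask what is missing per platform. If the comment stays, "the devices keychain/keystore" should be "the device's keychain/keystore".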