Recently I was looking into secrets management on desktop platforms,
and the current state is kinda disappointing!!!
Say you are an application that wants to store secrets.
This is actually a very common problem,
since storing your internet passwords, access tokens,
or cryptographic keys in a plain-text file
that’s just hanging out somewhere
is clearly a bad idea.
You don’t want random things on or off your computer
to be able to read them without the user’s consent!
The simplest way to restrict access would be to just
encrypt this file with a password that the user supplied,
and then you just ask the user for this password
every time you need to access these keys.
The user can then decide every time whether they will
allow you access.
This is, however, really annoying.
Instead, you can also ask the operating system
to keep the data safe for you in a kind of encrypted vault.
I’ll start with the one that is least concerning: macOS.
On macOS you can use the Keychain Services API to manage keys.
You basically just ask it to store a key
and then you can retrieve it later.
It all works fine.
These systems aren’t particularly interesting
in their intended use case.
The interesting part is what happens when you try to be sneaky
and try to look at other keys in the keychain.
Just take a little peek.
You will get a popup like this!
(Yes, even for the keychain manager application)
This is because every key in the keychain has an “access control list”
that restricts which applications are allowed to read the data.
If the application created the password entry,
then it will already have access.
Otherwise, it’ll cause a popup like that to appear.
Alright. So this does two things:
- application secrets are kept safe
from being accessed when you are not logged into your computer,
because the keychain is encrypted.
- application secrets are kept safe from being leaked
intentionally or unintentionally by other nosy or malicious
processes on your computer,
because doing so would require your consent in an access control popup.
The way the system identifies which application is currently
asking it for the key is a bit unclear to me,
but it seems to be
related to the code signature,
probably with a fallback to a hash of the binary.
Obviously, this system isn’t without
but generally, it’s a pretty decent system.
This was my baseline for comparison.
On Windows, the equivalent API is the Password Vault.
It also stores keys in encrypted storage,
but the second paragraph of
already highlights the issue here:
Apps running in an AppContainer (for example, UWP apps) can only access the contents of their own locker (for the current user). Apps not running in an AppContainer (for example, regular Desktop apps) can access all the user's lockers, including those of AppContainer apps.
Applications can just access each other’s secrets!
Preventing that was like, half the point of having a keychain!
It does note that UWP apps do have proper access control,
but given that nobody uses UWP, this is probably not very helpful.
This means that once your vault is unlocked
(which usually happens when you log in),
everyone can access everyone else’s secrets.
I’m not very familiar with Windows,
so I may be missing something somewhere,
but I added this key to the Credential Manager,
no password prompt or anything…
On the Linux side, there are of course several different standards for this.
A fairly common one is the Gnome Keyring, which has this in the FAQ:
Can one application see another application's secrets?
Any application that executes with the same user's privileges can get access to any of the user's keyrings, and thus, can read secrets stored in any that are unlocked.
But SELinux provides finer control between applications?
SELinux is not yet integrated with Gnome Keyring. We need help to bring something like this to reality.
sigh… same issue…
well, at least they have a vague promise of improving it,
but given that this has been an open issue since 2009 and
was deemed to be of lower priority then,
I do not expect to see much happening here anytime soon.
At least KWallet is doing a bit better.
shows that while it does not have per-credential access control,
it does seem to have per-wallet access control.
Unfortunately, if I recall correctly,
most applications do not use their own wallets,
so they can still access each other’s credentials.
But at least the option is there,
so you can make your application secure with KDE.
Or maybe not. I’m not certain! Linux is kinda complicated.
The Gnome FAQ seems to imply that if you really wanted proper access control
you would need to use SELinux,
which is not something that is included in most desktop distros.
In general, I’m just mildly disappointed.
I suppose that if you really want to ensure that your application
is secure, you should keep the option to forgo the system keychain
and to simply just enter the darn password every single time >:/
Addendum: The Web
I also looked into whether the web had any kind of secure storage
functionality, and it looks like it mostly doesn’t.
There is, however, a relatively new standard called
that uses public-key cryptography instead of passwords to
Big Tech is touting this as the New Standard that will
replace passwords for good.
I wanted to know if you could use this system to store secrets as well.
Well, researching this was disappointing for a new kind of reason.
about whether this would be possible
would consist of cryptocurrency people who want to use it as key storage for
their blockchain databases and “web3 dApps”…