All geek questions in one place

How to store a secret key or protected information / data using Electron

I am developing a standalone cross-platform application using an electron.

I want to store personal data, such as a private key, personal data for some execution in the application. Execution, such as data encryption / decryption.

or

I want to store some protected information, such as user password, proprietary application data

Is there any possible way to keep such protected information and the application user is not able to get any way?

+9
source share
3 answers

There is an NPM module created for the Atom editor (for the Electron application) called Keytar. It uses native OS APIs for secure storage. eg. Keychain on OS X.

https://github.com/atom/node-keytar

+5
source

I do not know the specific technologies that you are using, so my answer will mainly point to a problem with the keystore.

Firstly, two big points:

  • Even with the help of some heavy specialized equipment (for banks and other critical systems, the security modules -HSM are used for this), there is always a risk of getting a stolen key. What you decide to do depends on how important your key is and how willing you are to protect it. I will try to avoid mentioning hardware solutions because for most people they are usually redundant.
  • There are, however, good practices you can follow: https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet

Now, some advise. No matter what you do, do not store your key in clear text (and much less hard-coded). If you use public key cryptography, PKCS12 files (usually with the extension .p12 or .pfx) are the standard way to store data. They are usually password protected.

Here you are faced with a problem: if you have a key, you need to use it. If you use the key, it will be in "plain text", at least in RAM. So you need a way to enable access that keeps the key as isolated as possible. If actions are initiated by the user, everything is relatively good, because you can request a password before using the key.

If the actions are automated, you need to find a way to store the password. Even security software, such as some PGP implementations, has approaches to this, which is not very nice:

  • Request a password at the command line: command -password my-password. This, put in the bat, works. But the password is saved and, depending on the operating system, even accessible using the history command.
  • Keep it in a file: at least you do not leave a copy, but the password is still in clear text.
  • Encrypt it using system data as the encryption key: the password is relatively secure, but you lose portability, and the attacker with access to the computer will not be stopped by the control.
  • Request a password if one of the services is turned on: a little more reasonable, but not always possible (if the service is critical, but one person has a password, availability may be compromised).
  • Unusual things can be done by decrypting the threshold, but probably too much for this case.

I do not provide details for each parameter, because what you can do may depend on what your infrastructure allows and how you use your system, but I hope this helps as a reference to the various parameters. In any case, they do not perform any cryptographic functions on their own . Bad crypto is worse than no crypto at all.

+4
source

Avoid storing personal or server data, such as a private key, in an electronic application. Electron data and the application file can be accessed from the app.asar file, and the electron does not protect the contents at all. There is no such mechanism for protecting code in an electron. However, NW.js support source code protection, you can read it here . So, in my opinion, storing personal accreditations, such as signing a certificate or private key, in electronic source code is unsafe.

As another way, you can save this data using node-keytar in the keychain for Mac, credential manager on Windows, and Gnom Keyring on Linux using the native API. But, nevertheless, these credentials are accessible to the user and do not make sense for storing personal tokens (that is, a token for a private GitHub repository that has administrator rights). It is up to the user. If he / she is experienced enough to understand what you have stored in the Keychain, Credential Manager or Keychain, they may use it incorrectly or use it against you. So the final answer is:

Do not store credentials / private key or administrative tokens in an electronic source or using node-keytar.

0
source

Source: https://habr.com/ru/post/1245774/

More articles:


All Articles