So I had a little rant a while ago about password security, about how users who don’t have a keyring won’t be able to use the app and how gnome-keyring has broken my app completely.

The reality is harder than I thought: there’s no real way to securely store and retrieve a password on a computer without requiring the user to enter the password every time, and I understand it must have been hard for the guys and gals at Gnome to come up with a solution.

In the Windows world I would have the Data Protection API, which conveniently summarises the issues I have:

For nearly all cryptosystems, one of the most difficult challenges is “key management” - in part, how to securely store the decryption key. If the key is stored in plain text, then any user that can access the key can access the encrypted data. If the key is to be encrypted, another key is needed, and so on ad infinitum. DPAPI allows developers to encrypt keys using a symmetric key derived from the user’s logon secrets, or in the case of system encryption, using the system’s domain authentication secrets.

Scratching my head for months to come to the same conclusion outlined in the Wikipedia article linked above was a great waste of time, yes?

Here is where I came to the inevitable conclusion:

A long time for not much

It’s not possible to store and retrieve the password in an encrypted fashion without requiring the user to enter the password every time to unlock the encrypted password.

How do I, a humble app developer, get around this problem? An OS-level API.

Requiring a 3rd party service to store the password means that I remove myself and my app from the equation when it comes to password security. gnome-keyring is supposed to be that app, and I’ve been let down that something like the Data Protection API doesn’t exist.

So for now the only thing I can do is recommend that you have a login to your computer and you lock it when you’re out of the room. I’ll upgrade to the better password management store the moment Gnome or Canonical or Red Hat or whoever releases it.

In the meantime LIUM will now auto update once you open it and once every hour thereafter that it is open.