Closed bilelmoussaoui closed 2 years ago
Hi @bilelmoussaoui, thank you for the PR.
The doc you modified talks about the Standard Backup Format, which contains one otpauth URI per line.
And "Encrypted backups not supported" in the table means that encrypted backups are not stored in that format (obviously, a TOTP URL doesn't support encryption).
Being compatible with the Aegis format is off-topic for that doc.
Please correct me if I made any mistakes.
Oh, I see. I thought it was about encrypted backups in general and not specific to the OTP URI. Is there some "standard" way to encrypt those that would also be compatible with the browser extension?
I don't think we have a "standard" way for encrypted backups, yet. If any famous 2FA client has a proposal, we're glad to follow.
If you are interested in encryption tech details of this browser extension for compatibility, I'm glad to help.
It would be great if you could at least point me to the implementation so I can read it. For now I will close this one as it is not a correct change.
Here's an example of encrypted backup of this extension:
{
  "9e524d6e-70c7-40c8-829e-bf3d5331e538": {
    "encrypted": true,
    "hash": "9e524d6e-70c7-40c8-829e-bf3d5331e538",
    "index": 0,
    "type": "totp",
    "secret": "U2FsdGVkX1/BNH...",
    "issuer": "Example",
    "account": "alice@google.com"
  },
  "key": {
    "enc": "U2FsdGVkX1+FcDGIr9WQ...",
    "hash": "$argon2id$v=19$m=16..."
  }
}
To decrypt the data, follow these steps:
1. Check that the "encrypted" property value of the entry is true.
2. Get the password P from the user.
3. Verify P with key.hash by using the Argon2 verify method.
4. Decrypt S from key.enc with the password P by using AES-256.
5. Decrypt the "secret" property value of the entry with S by using AES-256.
Some implementations:
Since 4.1, we do support encrypted backups using the Aegis format.