Closed glocalglocal closed 3 years ago
@glocalglocal I'd agree to that. Would be a great option to have seamlessly syncing options across cloud in an encrypted format.
...or at least the app could facilitate syncthing to do the syncing.
In the next release, the export functionality will use the Storage Access Framework. This will allow you to select cloud storage to store your exported vault, in addition to local storage.
I'm also experimenting with a new automatic backup feature for Aegis. The idea is to allow users to select a folder through the same framework and to write periodic or event-based backups of the vault to that folder. However, it will depend on the cloud provider whether this'll work or not. Apps of cloud providers need to support the ACTION_OPEN_DOCUMENT_TREE intent. This is a different intent than the one used for the export feature, which is ACTION_CREATE_DOCUMENT. So far, even Google Drive doesn't support it, but that feature appears to be in the works: https://issuetracker.google.com/issues/135636079, https://issuetracker.google.com/issues/139965899.
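The folder-based flow described in the comment above, as an added example (not Aegis's own code): the class name, request code, and MIME type are assumptions made for illustration. It also handles `createFile` returning `null`, which is how a document provider signals that it could not create the file.

```java
import android.app.Activity;
import android.content.ContentResolver;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import androidx.documentfile.provider.DocumentFile;
import java.io.IOException;
import java.io.OutputStream;

/** Hypothetical helper, not Aegis code: folder-based backups through the Storage Access Framework. */
public final class TreeBackupWriter {
    public static final int REQ_PICK_TREE = 1; // arbitrary request code (assumption)

    /** Ask the user to pick a folder; only providers that implement tree access are usable here. */
    public static void pickBackupFolder(Activity activity) {
        Intent intent = new Intent(Intent.ACTION_OPEN_DOCUMENT_TREE);
        intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION);
        activity.startActivityForResult(intent, REQ_PICK_TREE);
    }

    /** Call from onActivityResult: keep the grant across reboots so later backups need no UI. */
    public static void persistGrant(Context context, Uri treeUri) {
        context.getContentResolver().takePersistableUriPermission(treeUri,
                Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
    }

    /** Write an already-encrypted vault blob as a new file in the chosen folder. */
    public static Uri writeBackup(Context context, Uri treeUri, String name, byte[] encryptedVault)
            throws IOException {
        DocumentFile dir = DocumentFile.fromTreeUri(context, treeUri);
        if (dir == null || !dir.canWrite()) {
            throw new IOException("Backup folder is gone or the write grant was revoked");
        }
        // createFile() reports a provider-side failure by returning null, not by throwing.
        DocumentFile file = dir.createFile("application/json", name); // MIME type is an assumption
        if (file == null) {
            throw new IOException("Provider refused to create " + name);
        }
        ContentResolver resolver = context.getContentResolver();
        try (OutputStream out = resolver.openOutputStream(file.getUri())) {
            if (out == null) {
                throw new IOException("Provider returned no output stream");
            }
            out.write(encryptedVault);
        }
        return file.getUri();
    }
}
```

Only ciphertext is handed to the provider here; encryption happens before `writeBackup` is called, so the storage app never sees vault contents in the clear.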
Could Nextcloud/OwnCloud/WebDav support also be considered?
Nextcloud supports the ACTION_OPEN_DOCUMENT_TREE intent and thus will be supported.
+1 for Sync feature. I use a different handset for work and currently am manually exporting the encrypted file to Google Drive and then importing it to the second device.
A sync feature through Gdrive or Dropbox is the only thing missing in Aegis. :)
Hope to support webdav synchronization.
@MarkoXD Yes.
I have not tried the latest Google Authenticator, but the description seems to say that it supports automatic syncing between devices.
So, yeah, I am eager for Aegis to support sync.
Google Authenticator does not support automatic syncing between devices. It just supports displaying QR codes that other devices can then scan. Aegis will also be able to scan those in the next release.
@alexbakker Hi. Does the 1.2 release (at time of writing that is what I can see on the store) support exporting/backing up to a cloud provider (e.g. OneDrive/Google Drive/Dropbox)? I can't currently see a way of doing it (and tangentially related is #505 which would also be solved if there was access to a cloud provider)
@rnc Yes, exporting to a cloud provider is supported if you have the OneDrive/Google Drive/Dropbox app installed on your device. Backups are a different story, because very few cloud providers support selecting a folder through the Storage Access Framework. See my comment about that here: https://github.com/beemdevelopment/Aegis/issues/258#issuecomment-570906665. The only provider I'm aware of that supports this is Nextcloud, but it's not working because there appears to be a bug on their end: https://github.com/nextcloud/android/issues/303#issuecomment-576667070.
@alexbakker Thanks for the reply.
Well, this is strange. I had rebooted my phone and as per your above image Google Drive wasn't showing up (and neither was Dropbox/OneDrive for that matter). I started Google Drive and now it's showing up, although OneDrive/Dropbox isn't for export. I have also tried using QuickEdit and Local Storage to test how other apps behave. Intriguingly the import from another app's file correctly shows all cloud providers. So, it seems there is different behaviour between browsing (opening) a file versus creating (export) and it's somewhat inconsistent between various applications and the different intents on what is available :-(
Regarding folders, for export it seems I can navigate to different folders within Google Drive and it gives me an option to create a folder. However for backup I can't browse any cloud providers.
@alexbakker On my Pixel 3a, Import is able to access cloud storage providers, but not Export–see Issue #507
I tried to back up to Nextcloud but got an error: "com.beemdevelopment.aegis.vault.VaultManagerException: createFile returned null" :/
Oops, didn't see this one. Thanks :)
Sorry to ask this here. Is Aegis vault automatically backed up and restored by Android's backup service (in case of factory reset for example)? If so, how can this be disabled? I really don't want a whole vault to be in google drive against my wishes, would rather make my own backups.
@Rendi-boi No, Aegis does not use Android's backup service. We've disabled that feature and there is currently no way for users to enable it. That may change in the future, but it would certainly not be enabled by default.
> @Rendi-boi No, Aegis does not use Android's backup service. We've disabled that feature and there is currently no way for users to enable it. That may change in the future, but it would certainly not be enabled by default.

Thank you very much for the confirmation. I was a bit worried that every app is backed up to the cloud against user's wishes, when after factory reset and backup restore andOTP had all my vault, settings and codes like I left them before the reset, despite having the option for Android sync disabled. Will switch to Aegis in this case.
@Rendi-boi @alexbakker As a security professional, I don't support forcing users to do anything, but blocking Google Auto Backup is just as wrong, because for the great majority of users it's the safest course of action. Losing a vault is far more likely than Google compromise and far more likely to cause serious harm.
Part of the problem is that non-experts do not understand security issues, relying instead on invalid assumptions (a major reason there are so many security compromises, like the recent Intel breach):
These are reasons why, as a security professional, I think Aegis should
Hope that helps, John
@JNavas2 I'll briefly address your points:
As for your recommendations, 1 & 2 are already the case. I don't see 3 happening, but we may make Android's built-in backup an option in the future.
@alexbakker Thank you for the detailed reply. My responses:
Bruce Schneier (recognized security expert):
What happens when the cops ask Google for a copy of your backups? Bad actors external to Google aren't the only ones to defend oneself against.
@tomkel If it's a lawful order, then Google probably hands it over, just as you would if ordered to do so, no? And if the file is encrypted, you would then probably be ordered to turn over the encryption key. You could then have your day in court. So, with encryption, I don't see a real law enforcement issue. Or am I missing something?
> Enable Google Auto Backup by default (with a strong warning against disabling).

It shouldn't be enabled by default; most people using Aegis are here for a reason, and not being dependent on Google services as much as they can is one of them. However, strongly suggesting to set up backups (Google/NextCloud/Whatever) at the first opening should do the trick.
> Your encrypted vault is safer with Google. While far from perfect, Google is very good at security.

If we take for granted that the vault passphrase is strong! Google can be good at security, sure, but if the vault leaks due to human error (crappy pass on Google account, no 2FA, shared to the wrong Google account, etc...) and has a crappy pass, you're just screwed. My argument is that it's way more important to have a strong passphrase for your encrypted vault than just have a "secure location". Since if it leaks, you're going to revoke your tokens and make new ones before anybody could unlock your vault.
So yeah it's probably safe with Google, but it's not safer and it goes the same for everything in this context.
@JNavas2 I consider that a security vulnerability. Where I live, the federal government wields the state against its political enemies. The threat model here should include a hostile service provider. Which includes code that is not open source and cannot be audited by a third party.
@skid9000
"Assumption is the mother of all screw-ups."
@tomkel Again, "if the file is encrypted, you would then probably be ordered to turn over the encryption key. You could then have your day in court. So, with encryption, I don't see a real law enforcement issue." I still don't.
Interesting discussion, definitely got me thinking. I'm not knowledgeable enough about security to argue, it's just if a person researches and chooses to use authentication app other than the Google's default one, then he probably should be able to make a choice how his backups should be managed. Having such option available shouldn't be an issue. AndOTP has such option to enable use of Google's backup service, it's just it did back up everything even if that option was unchecked, that's my only complaint and the reason why I asked if Aegis does this too. Probably a bug on AndOTP's side, but still. There should be a clear indication where user's data goes or if the backups are entirely up to him. At least that's what I think, could be wrong.
@JNavas2 Your responses to me seem to be descending into using condescending language, using quotes from Bruce Schneier and misinterpreting/ignoring parts of what I'm saying. I'm going to end the discussion here. I don't think you and I would actually disagree on most security topics, but we do disagree on automatic backups to Google Drive, and that's fine. We go to pretty great lengths to make Aegis as secure as possible, and I don't think you've illustrated in the least that's not the case. Automatic backups to Google Drive by default just don't fit in that model.
Some bad news: it looks like Google will not add full support for the Storage Access Framework in Google Drive. See: https://issuetracker.google.com/issues/139965899.
> Some bad news: it looks like Google will not add full support for the Storage Access Framework in Google Drive. See: https://issuetracker.google.com/issues/139965899.

Does this mean that this feature will not be implemented, or maybe a workaround? I'm loving the app design and functionality, keep up the great work, it's definitely appreciated!
We've just released v1.4-beta2, which should fix the issues people were seeing with automatic backups to Nextcloud. Please let us know if it now works for you!
(Automatic) backups are excellent but syncing between devices would go a lot further. Authy's great for this. I hope that's on the roadmap.
With the automatic backup feature working, perhaps a semi-automatic import feature would be enough? Check the last export location (Nextcloud, Dropbox, Syncthing folder, etc) for a newer archive and prompt the user to import / overwrite the current device. Not as seamless as true syncing but very functional for the technical users needing OTP.
> @Rendi-boi No, Aegis does not use Android's backup service. We've disabled that feature and there is currently no way for users to enable it. That may change in the future, but it would certainly not be enabled by default.

I actually came here looking for this specific backup option (preferably paired with a distinct backup password). Google (like Apple) uses hardware security modules to encrypt backups, complete with protections against brute forcing. Is there a timeline or criteria for re-enabling this feature?
@indolering Yes, an option to enable participation in Android's backup system will be available in the next release.
Somebody mentioned this in the thread already, but then it seems the discussion focused on Google drive instead, so let me reiterate the question...
...is there any plan to implement background syncing via Nextcloud the same way Joplin does? That would be: every time you modify the vault, the vault gets backed up (old backups are stored for a time that you choose in the settings), all clients regularly import the latest backup.
@quasipedia That's currently not planned, no.
Ok, thank you for the answer. Even if this feature useful to me to stay out of the Google ecosystem won't be implemented, thank you for all the great work on this project! 😍
> Ok, thank you for the answer. Even if this feature useful to me to stay out of the Google ecosystem won't be implemented, thank you for all the great work on this project! 😍

Backups to anything using the storage framework are already supported, you would just need to add an option forcing backups to occur after every change.
Edit: except that wouldn't handle syncing changes made in other clients :p.
> you would just need to add an option forcing backups to occur after every change.

This already happens if you enable automatic backups in Aegis.
Since Aegis now supports automatic backups to SAF and participation in Android's backup system, I think it's time to close this.
I can not back up any more with nextcloud... The one feature why I use this program, why?
@Ladee1 Please provide as many specifics as possible, so that we can try to help out. What makes you say that it doesn't work? Does Aegis show an error message?
In case anyone has the same issue I had with backing up to Nextcloud, make sure your Nextcloud Android app has the proper permission from "parameters/manage automatic send" and allow the Nextcloud app to manage all files. Or directly in the app properties, permissions/files, set to "all files". This will enable background backup done from Aegis to function properly.
Was struggling to understand a simple way to sync backups. Nextcloud is a terrible solution. Found a much easier way. Just install Autosync Google Drive and sync backups on the fly with your Google Drive.
I'm confused. Is this still not a feature in 2024? Can I still not pick my own choice of cloud provider to back up my vault to?
It would be useful to sync data across devices using cloud services like Joplin does. As long as the data are encrypted, they can be placed even on Dropbox.