Importing the encryption key in Windows Desktop client?

[LeslieFH]

There is the --showdesktopkey option to export the Windows Signal Desktop encryption key from DPAPI, could you add the option to import an exported key to DPAPI? --replacedesktopkey or something like that?

It would enable the transfer of Signal Desktop between Windows installations, which was previously very simple but after somebody made a lot of noise on Xitter they finally "fixed the security flaw" and it's not possible anymore because the encryption key is now in DPAPI. With Linux, it's possible to export the key from the keyring and import on another installation, but I've seen no way to do it in Windows.

[bepaald]

That's not exactly how it works, the actual encryption key is not in DPAPI, just the key (or even just some of the key material) used to encrypt the encryption key is in DPAPI. I don't think I can change that, and if I could that would mean all other data encrypted by DPAPI would become un-decryptable.

The way to do this, would be to get the plaintext encryption key (as returned by --showdesktopkey), transfer that to the other Windows installation and encrypt it using that machine's DPAPI credentials, and put the result in Signal Desktop's config.json.

However, none of that is necessary (apart from the first step): Signal Desktop already does this for you. Signal Desktop still reads the old, plaintext key from the configuration file if it's there. So you can:

1. get the key with --showdesktopkey
2. transfer your Signal Desktop data
3. open the config.json file and replace the "encryptedKey":"[long_encrypted_key]" with "key":"[plaintext_key_from_step1]"

Done!

Note:

• On first run, Signal Desktop will read the plaintext key and immediately encrypt it using the available DPAPI credentials and rewrite the configuration file. So this is not a one-time permanent solution, whenever you want to move Signal Desktop you would need to repeat this process.
• I do not know if Signal Desktop will ever remove the code that reads the old key value. I can't imagine they would, I see no reason to, but I guess this might stop working. (at that point I could write a little function to encrypt the key)

Let me know if this works for you. Thanks!

[warp-9000]

Hey @bepaald,

I can confirm your steps worked. I have successfully ported my Signal Desktop installation from an old Windows install to a new Windows install. Thanks much! :)

[bepaald]

Thanks for the feedback @warp-9000!

I'm going to assume this issue is solved. @LeslieFH: if this isn't working for you or you have some other question just let me know, this can always be reopened.

Thanks!

[LeslieFH]

It works perfectly, unlike Windows, the installation of which proved to be unexplicably annoying. :-) But now I have two instances of Signal Desktop on two different laptops, both synced to my phone client, excellent, thank you very much.