Password stored in clear on disk + clear passwords database file remains as a leftover file after Vorta uninstall

[RoGeorge]

• Passwords of the created Borg repositories are stored in an internal database table, unencrypted, in plain text (file settings.db, table repopassword). Storing passwords in clear is a security vulnerability.
• If the repository directory is deleted, the password will remain stored in the database, probably forever
• If Vorta is uninstall the database file remains as a leftover on the disk, in
• If Vorta is reinstalled, the old passwords are still remembered

My setup is Kubuntu 20.04 LTS with latest updates, autologin is on, KDE Wallet subsystem is disabled Borg was installed with "sudo apt install borgbackup". Vorta was installed with "pip3 install vorta".

Steps to reproduce:

1. Disable KDE Wallet from Kubuntu, by opening "KDE Wallet" GUI and uncheck the "Enable the KDE wallet subsystem" checkbox in the "Wallet Preferences" tab and apply the changes.
2. Install 'sudo apt install borgbackup pip3 install vorta'
3. Open Vorta, create a new backup repository, leave all GUI settings default
4. Unlink the repository or delete the repository folder
5. Uninstall Vorta 'pip3 uninstall vorta'
6. Go to file ~/.local/share/Vorta/settings.db and browse the content of its database table called 'repopassword'. The password used at step 3 can be read in clear, as a record in that table

Issues:

• password stored in clear, in a database file on the disk
• password database file remains on the disk as a leftover file after uninstalling Vorta

[m3nu]

Passphrase storage in the database is a fallback, if no better option is available.

Settings are preserved, since you could just reinstall Vorta some other way.

The passphrase is preserved, since losing it will cut you off from your backups. I don’t see an issue with this for our system keychain integrations.

I do see why you take issue with it ending up in a settings DB (though Borgmatic also does this). So we would probably merge a simple PR that removes the passphrase IF the fallback to the settings DB is used.

[RoGeorge]

For issue 1, pass stored in clear, my guess is there are already ways to avoid that and still use SQLite as storage, but I've never tried.

Preserving the passphrase or else by losing it one will be cut off from all backups doesn't hold as an argument, since a failure of home disk will also render all the backups useless, therefore the end user must know the password for each borg repo.

This issue was open more as a FIY than as bug, its point is: storing passwords in clear should be avoided. Thank you for considering it.

[m3nu]

Agree that it should be avoided. That’s why we added support for most Linux and macOS system keychains.