cryptomator / cryptomator-win

Cryptomator .exe installer for Windows
GNU General Public License v3.0

Stored passphrases are not deleted when uninstalling #3

Open tobihagemann opened 7 years ago

tobihagemann commented 7 years ago

From @RiseT on December 14, 2016 22:4

Basic Info

Description

I've noticed that stored passphrases are not deleted when uninstalling Cryptomator. So when you reinstall Cryptomator (possibly after months, years, ...), the passphrase field is still filled with the passphrase.

I'd just like to point this out. I'm aware that this comes down rather to a design decision than a bug, but deleting them when uninstalling would be the more secure alternative imho.

Copied from original issue: cryptomator/cryptomator#414

tobihagemann commented 7 years ago

Hey @RiseT! Just moved this here to the Windows installer repository, because we can't/won't fix this for other operating systems. But we can certainly also delete ~/AppData/Roaming/Cryptomator/ in the uninstaller.

RiseT commented 7 years ago

Question: Isn't the passphrase for each vault stored in some OS-maintained key chain? So does the passphrase stay there after uninstalling? And is a new passphrase added to that key chain with each reinstallation (so there are several passphrase entries for a single vault stored in the key chain after a couple of reinstallations)? Or is the old one overwritten?

tobihagemann commented 7 years ago

We're using Windows Data Protection (aka. DPAPI). "Arbitrary data can be encrypted using this API, although storing the encrypted data is up to the developer." [cited from Stack Overflow] That's why we're putting the encrypted data in ~/AppData/Roaming/Cryptomator/keychain.json.

There shouldn't be multiple passphrases stored in the keychain after reinstallation. If you create a new vault or add an existing one to Cryptomator, a randomly-generated ID will be stored in settings.json for the vault. This is also the association for keychain.json. I don't think a reinstallation of Cryptomator will have any effect on both these files, because they don't get deleted in the current uninstaller.

Btw, from the Stack Overflow article I can see that there are other options to store passwords securely on Windows >=8: https://msdn.microsoft.com/en-us/library/windows/apps/xaml/hh465069.aspx

Hmmm... could be something to discuss for a future version...
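
The behaviour discussed in the comment above, as an added example that is not part of the thread or of Cryptomator's code: a DPAPI-protected blob kept in an application data file stays decryptable by the same Windows user until the file itself is deleted, whether or not the program is installed. It assumes Windows PowerShell 5.1, the .NET `ProtectedData` wrapper around DPAPI with `CurrentUser` scope, a constructed directory under `%TEMP%`, and a constructed one-entry JSON layout that is not the real `keychain.json` format.

```powershell
# Added illustration. Paths, JSON layout and passphrase are constructed samples.
Add-Type -AssemblyName System.Security
$scope = [Security.Cryptography.DataProtectionScope]::CurrentUser  # assumed scope

function Protect-Secret {
    param([string]$Plaintext)
    $bytes = [Text.Encoding]::UTF8.GetBytes($Plaintext)
    # DPAPI only encrypts; persisting the returned blob is the caller's job.
    $blob = [Security.Cryptography.ProtectedData]::Protect($bytes, $null, $scope)
    [Convert]::ToBase64String($blob)
}

function Unprotect-Secret {
    param([string]$Base64Blob)
    $blob = [Convert]::FromBase64String($Base64Blob)
    $bytes = [Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
    [Text.Encoding]::UTF8.GetString($bytes)
}

# Stand-in for the per-user application data directory (constructed path).
$appDir   = Join-Path $env:TEMP 'dpapi-demo-appdata'
$keychain = Join-Path $appDir 'keychain.json'
New-Item -ItemType Directory -Path $appDir -Force | Out-Null

# "Save passphrase": random vault ID mapped to the DPAPI blob.
$vaultId = [guid]::NewGuid().ToString()
@{ $vaultId = Protect-Secret 'constructed-sample-passphrase' } |
    ConvertTo-Json | Set-Content -Path $keychain -Encoding UTF8

# An uninstall that removes only program files never touches $appDir.
# After "reinstall", the same Windows user can still decrypt the entry.
$stored    = Get-Content -Path $keychain -Raw | ConvertFrom-Json
$recovered = Unprotect-Secret $stored.$vaultId
"Recovered after reinstall: $recovered"

# Uninstaller cleanup amounts to deleting the data directory.
Remove-Item -Path $appDir -Recurse -Force
"Leftover keychain present: $(Test-Path $keychain)"
```

The decryption key belongs to the user profile rather than to the installed program, so deleting the stored file is the only step that removes the saved passphrase.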

overheadhunter commented 4 years ago

19 is more severe than #3. If we can figure out how to ask the user whether all settings should be deleted, this would be ideal. Otherwise this is a wont-fix issue.

infeo commented 3 years ago

A more recent approach to store credentials would be using the Credential Manager API: https://docs.microsoft.com/en-us/windows/win32/secauthn/credentials-management