hluk / CopyQ

Clipboard manager with advanced features
GNU General Public License v3.0

Built-in item encryption/decryption #641

Open hluk opened 7 years ago

hluk commented 7 years ago

Currently there is the ItemEncrypt plugin, which handles item encryption/decryption and passwords through the GPG client. Big downsides are:

More appropriate would be to use (and bundle with the app) a simple library (or two) with stable API to handle encryption/decryption and passwords.

Libs to try:

smaragdus commented 7 years ago

Thanks for the suggestion. gpg4usb seems to be using the GPGME library, which might be ideal, but I would need to build the library for Windows. I'll check this out later.

Any news?

hluk commented 7 years ago

No news. I haven't got the time to work on this.

It would be nice if someone could help implement this. What's needed is either to replace the current ItemEncrypt plugin without breaking existing encrypted data or to create a new plugin (this would be a lot safer).

vatterspun commented 6 years ago

I did want to add that there is a portable GPG program offered by PortableApps that would forgo having to install GPG to the default directory: https://portableapps.com/apps/security/gpg-plugin-portable

That way, the only function necessary would be to just point GPG to the directory and it would run akin to a plugin. This is useful if you're running CopyQ off a USB drive or -- like me -- from an encrypted VeraCrypt volume.

SamHasler commented 4 years ago

There are C++ bindings for gpg that are directly supported by the GnuPG team: https://wiki.gnupg.org/APIs

hluk commented 4 years ago

> There are C++ bindings for gpg that are directly supported by the GnuPG team: https://wiki.gnupg.org/APIs

The link to C++ bindings on the page is broken.

I have no issues using a C library instead but I couldn't find one that provides binaries or is simple to build on the supported systems and has the required functionality.

It would be great to use GPGME, but last time I had a problem finding binaries for Windows (and macOS). I think I might also need an agent for password entry.

It might be easier to use libsodium but I would need to figure out how to safely handle password entry and encrypting the private key.

Note: A GPG agent can remember the password for some time and -- presumably -- the password cannot be easily retrieved from memory by an attacker (libsodium provides some function to help with securing memory).

SamHasler commented 4 years ago

Did you click the third party binding link? The tarball for the 1.13.1 release of gpgme appears to contain what I thought you'd need: https://gnupg.org/download/index.html#gpgme but I was assuming you would be building it from source.

It looks like it may depend on other binaries installed on the system though: https://github.com/gpg/gpgme/commit/39052913f2154fa8e9575727e27d4101ef8b6460