microsoft / vscode

Visual Studio Code
https://code.visualstudio.com
MIT License

⚠️SecretStorage secrets disappeared⚠️ #193301

Closed scale-tone closed 8 months ago

scale-tone commented 1 year ago

Does this issue occur when all extensions are disabled?: No


I'm doing the KeeShepherd extension, one of the features of which is a GUI to VsCode SecretStorage.

Today I noticed that some of my secrets stored there are not accessible anymore. The get() method returns undefined when trying to get their values.

I can still see them in Windows Credentials Manager, but now have no way of retrieving them. When trying to retrieve them with KeeShepherd, I can see that something is definitely happening (the Modified column in Credential Manager changes to Today), but still values are not returned.

Most interesting is that this happened to only some of my secrets. Some others are still readable, and I am unable to detect any pattern.

My assumption is that this happened after autoupgrading to the recent v1.82.2 (presumably due to recent SecretStorage refactorings).

I made experiments on my other laptop (Windows 10), where I also had a VsCode with some secrets stored there. VsCode autoupgraded, secrets disappeared from Credential Manager, but are still visible and accessible in KeeShepherd. So it seems that there everything went as planned.

Is it a bug in the migration logic? Is there any way to debug/troubleshoot? Is there any way to get my secrets back (cause I certainly miss them)? Can we think of any workaround, so that my users do not run into the same issue?

TylerLeonhardt commented 1 year ago

👋 hi @scale-tone

Back in 1.80, we changed the implementation of the SecretStorage API:

https://code.visualstudio.com/updates/v1_80#_secretstorage-api-now-uses-electron-api-over-keytar

This included a migration (well more like copying) of secrets out of the credential manager, into a different location based on Chromium code. You won't see the new secrets in CredMan anymore.

I can't remember if we did this in 1.82 or in 1.83... I'd have to double check but we removed that migration.

I am surprised that you aren't able to see your secrets. Have you been keeping up-to-date with VS Code versions? If you jumped from 1.79 to 1.82 maybe you hit the scenario where the secrets weren't migrated yet.

You should be able to downgrade to 1.81 and see your secrets (which will use the old keytar way of retrieving them) ... at that point if you update to 1.82 it should all "just work".

scale-tone commented 1 year ago

Thanks for your prompt response, @TylerLeonhardt. As I understand it, the migration procedure was in place in v1.8 and v1.81, and looks like it was an ad-hoc procedure. Aka the secret is only moved when it is being touched. So now, with v1.82 installed and the migration routine gone, those of my secrets that haven't been touched are now left behind.

Tried to download ZIPs and run the following previous versions:

With no luck. Cannot get values of even those secrets that are still visible in CredMan. With v1.79.1 I cannot access any of my secrets (which is, probably, expected, since that version does not know about electron API).

Anything else we can try?

scale-tone commented 1 year ago

Tried to get a secret with keytar directly. The following code:

const keytar = require('keytar');
keytar.getPassword('vscodekee-shepherd.kee-shepherd-vscode', 'rdp-pwd').then(res => {
    console.log(res);
});

produces something like:

{"content":"{\"type\":\"Buffer\",\"data\":[321,432, .... a bunch of comma-separated integers ..... 3,123","hasNextChunk":true}

Does that mean anything?

TylerLeonhardt commented 1 year ago

@scale-tone can you try installing 1.80.1 using the user setup instead? Just in case. You'll be able to update back to latest no problem.

TylerLeonhardt commented 1 year ago

The secrets in keytar are encrypted a 2nd time. You could try to decrypt it by requiring a package called vscode-encrypt which is inside 1.80... and run decrypt, but I'm not sure it'll work.
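What the `hasNextChunk` record and the "encrypted a 2nd time" remark above imply for anyone inspecting leftover entries, as an added example that is not part of the thread or of VS Code's code: the value read from keytar is one piece of a larger record, and the joined pieces are still an encrypted payload. The function names and the `<account>-<n>` chunk naming are assumptions; the input has the shape that `keytar.findCredentials(service)` resolves to.

```javascript
// Added example; all sample values are constructed. Input has the shape that
// keytar.findCredentials(service) resolves to: [{ account, password }, ...].
function parseChunk(raw) {
  try {
    const rec = JSON.parse(raw);
    const ok = rec && typeof rec.content === 'string' && typeof rec.hasNextChunk === 'boolean';
    return ok ? rec : null;
  } catch { return null; } // not JSON: a single unchunked value
}
// Join every chunk of one account. The result is still the encrypted payload.
function reassemble(credentials, account) {
  const byAccount = new Map(credentials.map(c => [c.account, c.password]));
  const first = byAccount.get(account);
  if (first === undefined) return { status: 'missing' };
  let rec = parseChunk(first);
  if (!rec) return { status: 'unchunked', content: first, chunks: 1 };
  let content = rec.content;
  let index = 1;
  while (rec.hasNextChunk) {
    // ASSUMPTION (not stated in the thread): chunk n is stored as "<account>-<n>".
    const next = byAccount.get(`${account}-${index}`);
    rec = next === undefined ? null : parseChunk(next);
    if (!rec) return { status: 'incomplete', missingChunk: index };
    content += rec.content;
    index++;
  }
  return { status: 'complete', content, chunks: index };
}
// Classify the joined payload without attempting any decryption.
function describePayload(content) {
  try {
    const v = JSON.parse(content);
    if (v && v.type === 'Buffer' && Array.isArray(v.data)) {
      return { kind: 'buffer-json', bytes: Buffer.from(v.data).length };
    }
  } catch { /* not JSON, try the next shape */ }
  const compact = content.replace(/\s+/g, '');
  if (/^[A-Za-z0-9+\/]+={0,2}$/.test(compact)) {
    return { kind: 'base64-like', bytes: Buffer.from(compact, 'base64').length };
  }
  return { kind: 'other', bytes: Buffer.byteLength(content) };
}
const chunk = (content, hasNextChunk) => JSON.stringify({ content, hasNextChunk });
const SAMPLE = [ // constructed records, not real secrets
  { account: 'demo', password: chunk('{"type":"Buffer","data":[1,2,', true) },
  { account: 'demo-1', password: chunk('3,4,5,6]}', false) },
  { account: 'orphan', password: chunk('QUJD\nREVG', true) },
];
console.log(reassemble(SAMPLE, 'demo'), reassemble(SAMPLE, 'orphan'));
```

An `incomplete` result means a continuation record is absent, so the entry cannot be rebuilt even before any decryption question arises.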

scale-tone commented 1 year ago

> can you try installing 1.80.1 using the user setup instead? Just in case

OK, just tried. No luck again. Same symptoms - some secrets are undefined, some others are accessible.

Anything else to try?

scale-tone commented 1 year ago

@TylerLeonhardt, if you're saying those secrets were encrypted - then probably they were encrypted with some key, right? Which is probably now gone along with the migration procedure, correct? Do I understand this (bleak) situation correctly?

TylerLeonhardt commented 1 year ago

It's a shot in the dark, but here's the call to the old vscode-encrypt: https://github.com/microsoft/vscode/blob/2ccd690cbff1569e4a83d7c43d45101f817401dc/src/vs/platform/encryption/electron-main/encryptionMainService.ts#L108-L123

you only need the machine id... which you can get if you:

You can try requiring this module, passing in the machine id and the encrypted value.... and hope. Let me know how it goes.

scale-tone commented 1 year ago

Not able to reference that vscode-encrypt module, probably because it is a part of vscode and not available outside.

Also, what happened after me switching between versions is that the keytar response now looks not like an array of integers, but more like a base64 string with newline symbols impregnated.

(obviously, I didn't change anything)

So it looks like there was a series of transformations, which were supposed to happen in correct order, but didn't (at least, in my case).

Still not able to get those secrets. Anything else to try or should we conclude that those are now unrecoverable?

TylerLeonhardt commented 1 year ago

Maybe grab the zip of 1.80 and unzip it... then go into resources/app/node_modules.asar.unpacked and it should be in there. Maybe try to require that folder or the .node file directly.

If this doesn't work, I'm not really sure what else to try, unfortunately. I will say, that this was a one-time issue... the keytar migration needed to move fast since we didn't want to depend on deprecated software.... especially for secrets. Sorry for all the trouble here. I hope you can at least understand why we moved in this direction.

scale-tone commented 1 year ago

To explain, I wasn't too much worried about my own secrets (I hope to be able to restore them one way or another), but rather was hoping to handcraft a workaround for my users (who might run into the same issue). Now it's plain to see that there is no way to do that.

I suggest we keep this ticket open for a while, in case it happens with anyone else... Anyway, thanks for your suggestions, @TylerLeonhardt.

FiB3 commented 11 months ago

Hello! Seems the same thing is happening to me as well with my new extension. VSCode version 1.83 and 1.84.1 on Mac (Sonoma 14.0). Using plain context.secrets.get(name). On one of my laptops I can't even find the secrets in the keychain access anymore. The SecretStorage was working great before, but currently it made my extension very hard to use. Please, help :)

Regards, Filip

TylerLeonhardt commented 11 months ago

@FiB3 is context.secrets.get(name) not working for you? You won't see the secrets in keychain access anymore. More details here: https://code.visualstudio.com/updates/v1_80#_secretstorage-api-now-uses-electron-api-over-keytar

FiB3 commented 11 months ago

Hello! In my case it seems that it was enough to update everything and set the credentials again. Shame this was not done automatically nor that there is nothing returned from the function in case of an error. Regards, Filip

vscodenpa commented 8 months ago

Hey @TylerLeonhardt, this issue might need further attention.

@scale-tone, you can help us out by closing this issue if the problem no longer exists, or adding more information.

TylerLeonhardt commented 8 months ago

I think at this point, there's nothing we can do to revive those secrets that were stored the previous way. Since it's been a while from when we removed keytar, I'm going to close this out. Let me know if you have future issues with SecretStorage.