Requesting code reviews from security engineers

[mvdan]

I'm not an expert at security by any means. I know enough to get this working, but I'd like some reviews and feedback before people start using this for their own passwords.

Current TODOs:

• The password and decryption key are stored in memory for the lifetime of the process. Should we use https://github.com/awnumar/memguard?
• The D-Bus service only implements the plaintext session encryption algorithm. Should we implement dh-ietf1024-sha256-aes128-cbc-pkcs7 and discourage the use of plain?
• The encrypted sync data is stored on disk as-is. I assume this is fine because bitwarden-cli does the same, but I'm not 100% sure.

[Mic92]

At minimum bitw should use mlock(2) to prevent the password from being swapped.

[mvdan]

Yes, that's what libraries like memguard above do.

[mvdan]

D-Bus encryption to not use "plain" was implemented in https://github.com/mvdan/bitw/issues/17.