Commit

Add details about our security model
Mikescops committed Apr 8, 2024
1 parent a0c8156 commit 24764c9
Showing 3 changed files with 28 additions and 4 deletions.
1 change: 1 addition & 0 deletions documentation/pages/_meta.json
@@ -35,6 +35,7 @@
"type": "separator"
},
"troubleshooting": "Troubleshooting",
"security": "Security",
"help_center": {
"title": "Dashlane Help Center ↗",
"href": "https://support.dashlane.com/",
12 changes: 11 additions & 1 deletion documentation/pages/personal/authentication.mdx
@@ -1,6 +1,6 @@
import { Callout } from 'nextra/components';

# Authentication
# Authentication (Login)

To start with launch a first manual sync:

@@ -39,6 +39,16 @@ The CLI will open a new **incognito** tab to authenticate you to your SSO provid

By completing the device registration process, you'll be now asked to enter your Master Password.

## Lock the CLI

You can lock the CLI at any time by running:

```sh copy
dcli lock
```

This will require you to enter your Master Password again to unlock the CLI.

## Options

### Save Master Password
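
Review bot: The sentence after the `dcli lock` block says unlocking requires the Master Password, but the context line at the top of this hunk describes users who authenticate through their SSO provider, so the new "Lock the CLI" section should say what those users are asked for after a lock. It would also help to state what `dcli lock` clears locally, since the "Save Master Password" option that follows implies a secret may be kept between runs and readers need to know whether locking removes it.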
19 changes: 16 additions & 3 deletions src/modules/crypto/README.md → documentation/pages/security.mdx
@@ -1,7 +1,13 @@
# How private data is stored
# Security

## Goals
Here are some details about how the security is managed in the application. To read more about our security model, please
refer to the [security whitepaper](https://www.dashlane.com/download/whitepaper-en.pdf).

## How private data is stored by CLI

### Goals

- Data is stored encrypted on disk.
- Store the master password, so it is possible to decrypt the transactions whatever derivation method is used.
- Store the device secret key, so it is possible to synchronize the transactions.
- Don't store the above secrets unencrypted, so if the computer/disk is stolen it is impossible to retrieve them.
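
Review bot: Under "Goals", the bullet "Store the master password" is now user-facing documentation and reads as unconditional, while the "Other considerations" section added at the end of this file says the behaviour can be turned off with `dcli configure save-master-password false`; a short qualifier on that bullet ("when saving the master password is enabled") would avoid the contradiction. Wording nits in the added intro and heading: "how the security is managed in the application" would read better as "how the CLI handles security", and "How private data is stored by CLI" is missing "the".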
@@ -10,7 +16,7 @@
- The two above cases are the same because, if the master password is required to get access to the local key, it is
useless to store the master password encrypted by the local key.

## Solution used
### Solution used

- The OS password management system (Keychain for macOS, Credential Vault for Windows and libsecret for Linux) is used
to store the randomly generated _local key_. It is then the responsibility of the OS keychain to encrypt
@@ -23,3 +29,10 @@
- To encrypt the local key using the master password a derivate has to be generated. However, at this point no
derivation settings are known, so it is hard-coded via a fake transaction generated by
`getDerivationParametersForLocalKey` in [keychainManager.ts](keychainManager.ts).

### Other considerations

- You can disable the use of the OS keychain by using the command `dcli configure save-master-password false`. In this case,
you will be asked for the master password every time you start the application.
- You can enable biometrics unlock by using the command `dcli configure user-presence --method biometric`. In this case, you will be
asked for a user presence check (e.g. fingerprint) every time you start the application before the OS password management system is requested.
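
Review bot: The relative link `[keychainManager.ts](keychainManager.ts)` in the context line above "Other considerations" was written for `src/modules/crypto/README.md`; with the file moved to `documentation/pages/security.mdx` it no longer sits next to that source file, so it should become a full repository URL or path. In the added bullets, the `save-master-password false` item says the OS keychain is no longer used but not whether a local key already stored there is removed when the setting is changed; one sentence on that would make the security claim complete.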
