-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[feat] Encrypt sensitive keys on disk #646
Comments
We do even worse. Not only we don't clear memory but also we store the lndhub credentials in the db unencrypted, I guess that should be our first concern. Related pitch can be found here |
Oi, that's not great you're right. Maybe we can have a quick chat about how to encrypt those. There's a very high quality secret management engine written in Rust (created by many of the Tauri team before Tauri) that we could use to store secrets and sleep at night 😄 |
Let's have a separate issue for encrypting secrets. Or do we have one? There're packages to interface with OS-level key managers, like MacOS keychain, and something-something for Windows :) I don't know much about Linux. Regarding the original topic, zeroing-out the memory from the private key after usage, I guess we could do that manually, we only really ever interact with two private keys. The one of Account, and the one of Device. The thing is that, we have to keep the device key in memory anyway, and it doesn't really get copied much, it's a pointer to the same buffer under the hood. I don't want to dismiss the idea (and I'm not), but at the current moment we're in, that would be the least of my concern, until we have many users, or until Go implements zeroing out the memory after GC. |
For the record, the key manager in linux is called pass |
I'm lowering the priority of this, unless we decide otherwise. |
I have renamed this issue to reflect the disk encryption feature for device keys and other sensitive keys that we keep Remember we do not store the most sensitive key, the account ID. Although there is still a risk about it staying in memory longer than needed, so #643 is still relevant |
As far as I can see currently all allocated private key buffers are not zeroized after being freed by the go GC, this is obviously a big problem especially for lighting private keys where actual money is attached to them.
It seems like go doesn't have support for this yet, but we should implement an interim solution anyway.
The text was updated successfully, but these errors were encountered: