Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Private keys should be encrypted #826

Open
BrendanBenshoof opened this issue Feb 25, 2015 · 14 comments
Open

Private keys should be encrypted #826

BrendanBenshoof opened this issue Feb 25, 2015 · 14 comments
Labels
topic/encryption Topic encryption topic/icebox Topic icebox topic/repo Topic repo

Comments

@BrendanBenshoof
Copy link

You could encrypt the entire config file, but by default ipfs should password protect the private key (setup during init process) and not store the private key in the clear on disk (or ideally in memory that could be leaked, but that is a lot harder).

@whyrusleeping
Copy link
Member

We are going to move the key out of the config file and encrypt it at some point.

@whyrusleeping
Copy link
Member

related #783

@whyrusleeping
Copy link
Member

This should be addressed once the keystore is implemented

@Kubuxu
Copy link
Member

Kubuxu commented Aug 24, 2016

My proposal for multikey was embedding key protection schema in to the multikey itself, I don't know if we want to go with it, but it would be nice thing to have.

@jbenet
Copy link
Member

jbenet commented Aug 26, 2016

@Kubuxu can you explain more?
On Wed, Aug 24, 2016 at 07:48 Jakub Sztandera [email protected]
wrote:

My proposal for multikey was embedding key protection schema in to the
multikey itself, I don't know if we want to go with it, but it would be
nice thing to have.


You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
#826 (comment), or mute
the thread
https://github.com/notifications/unsubscribe-auth/AAIcofbJAvaf0rNCNfwDr2fnt3rElrimks5qjC-YgaJpZM4Dl4DP
.

@Kubuxu
Copy link
Member

Kubuxu commented Aug 26, 2016

ipfs/specs#58
In short terms: first varint describes key protection schema which has to be applied to decrypt the key.

@eingenito eingenito added topic/blockervice Topic blockervice topic/icebox Topic icebox and removed topic/blockervice Topic blockervice labels May 16, 2019
@AuHau
Copy link
Member

AuHau commented May 28, 2019

While on my work on the #5947, which I am now porting to js-ipfs I saw that js-ipfs uses https://github.com/libp2p/js-libp2p-keychain

Is this desired way how to approach this? To my understanding, it does not use multikey/linked-data key, but it implements encrypted keys handling.

@AuHau
Copy link
Member

AuHau commented May 28, 2019

Hmmm it seems like they follow this spec: https://github.com/ipfs/specs/tree/master/keystore

@Stebalien
Copy link
Member

Eventually, yes. I have a PR that I never really finished to add pluggable keystore support to enable use-cases like this: #6069.

However, go-ipfs doesn't currently have a way to prompt the user for a passphrase.

@AuHau
Copy link
Member

AuHau commented May 28, 2019

Hmm. From what I see js-ipfs does not really prompt for a passphrase either, they require (for operations that uses keystore) to pass it using parameter --pass.

What do you think is currently the right way to approach this? Or should this be postponed for now?

@Stebalien
Copy link
Member

What do you think is currently the right way to approach this?

I'd rather not go that route. Any password passed with --pass will:

  1. Get logged to some shell history somewhere.
  2. Appear in ps -eF.

That just shuffles the problem around a bit.

@Kubuxu
Copy link
Member

Kubuxu commented May 30, 2019

Same as with ssh, the password should be passed with stdin.

ssh-add goes even further and prohibits non-interactive input of a password.
The only way to automatically input password to ssh is using expect

@AuHau
Copy link
Member

AuHau commented May 30, 2019

Yeah, I figured that this might be a problem and I have guessed right that similar approach to ssh should be the way.

Only I am a bit worried about the UX implications of this. As for every invocation of a command that needs keystore access, there would have to be this prompt (eq. reentering passphrase all the time). What sort of commands require keystore access?
daemon, key *, name *?

What about ssh-agent approach? Since there is already a background process ( daemon), this could be used to spawn another process that would behave as ssh-agent (eq. expose socket that all keystore dependant commands would use for key manipulations). The only problem is that it would complicate things quite a bit since to not compromise on security, the keys would have to stay in the agent process and hence all the actions with keys would have to be proxied through it.

@kimborgen
Copy link

Any updates on this problem?

Don't know if it is relevant, but maybe for inspiration, you can also have a look at how ethsigner solves this problem: https://consensys.net/docs/ethsigner/en/latest/Concepts/Overview/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
topic/encryption Topic encryption topic/icebox Topic icebox topic/repo Topic repo
Projects
None yet
Development

No branches or pull requests

9 participants