It should be possible to encrypt the keys (and the authentication token) on the disk and decrypt them only when starting riot by asking for a pass phrase.
We are deploying Matrix/Riot in an organization network where users have network home directories. For me as root, copying the $HOME/.config/Riot directory of a user allows me to start riot and read all encrypted conversations the user was involved in.
To have the option to protect the keys (and from my point of view the access token) with a pass phrase like in GPG or SSH would be more than a useful option. (It can then be cached unencrypted until riot is stopped.)
I guess the code for exporting/importing the keys could be used for this task?
As long as this is not the case, I can only advise my users to limit private encrypted chats to their own devices, and not share the keys with the session on the computer of the organization, which sounds kind of silly :).
Platform: desktop (web too actually)
OS: Linux but I guess every OS
Version: 0.16.2
We're now encrypting olm, megolm, cross-signing, and backup keys using a key stored in the operating system's password storage. We don't yet encrypt the access token, and we currently only do this for new logins. We will work on migrating existing logins later.