Hello everyone,
I am working on an OTP client application (with support for andOTP encrypted files). Since the secrets file is encrypted and has to be decrypted for use, what is the suggested way to handle the decrypted content?
Some of the ways I can think of are:
- Writing the decrypted content to a temp file (in /tmp probably?). This file can then be used by the application moving forward ..
- Instead of storing the decrypted content in a file, decrypt the encrypted file every n seconds (whenever a new OTP is to be generated) and pass that content to the app for further processing.
The library for generating OTPs and encrypting/decrypting files is written in C, and I intend to use C++/Qt to write the UI which will consume this library.
Usually the way it works is that the file on disk is encrypted and stays encrypted, and the decrypted data only lives in RAM. Why would there be a need to write a decrypted file anywhere?
On Arch Linux /tmp is mounted as tmpfs. So anything stored there only lives in RAM or SWAP.
However, storing the secret in a file on a file system might be prone to security issues, e.g. if the file permissions are too open or /tmp is not a tmpfs on the respective system.
When handling passwords, they should not be stored at all. Instead I store a secure hash of them using Argon2.
If you handle one-time passwords, after generating them within RAM, you can store their hashes in a database or file and then forget about them.
See also: https://www.youtube.com/watch?v=8ZtInClXe1Q
Inofficial first vice president of the Rust Evangelism Strike Force
Why would there be a need to write a decrypted file anywhere?
There is no need actually. I just had a doubt about how (ideally) it should be done. So I guess it's better to decrypt the file on demand (say every 30 secs, whenever a new OTP is to be generated).
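One way to realise the decrypt-on-demand approach settled on above, as an added Python sketch that is not from this thread or from the poster's C library: the secret is decrypted into a mutable buffer, used once to derive the current RFC 6238 code, and wiped, never written to a file. The decrypt routine is a constructed XOR stand-in (the andOTP file format is not reproduced here), and the wipe is best-effort in Python; a C implementation would use explicit_bzero()/mlock().

```python
import hmac
import hashlib
import struct


def decrypt_secret_into_ram(encrypted_blob: bytes, password: str) -> bytearray:
    """Constructed stand-in for the C library's decrypt routine.

    ASSUMPTION: a symmetric XOR against a password-derived key replaces the
    real AES decryption; only the handling pattern around it matters here.
    Returns a bytearray so the caller can overwrite it after use.
    """
    key = hashlib.sha256(password.encode()).digest()
    return bytearray(b ^ key[i % len(key)] for i, b in enumerate(encrypted_blob))


def totp(secret: bytearray, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (the usual andOTP/Google Authenticator defaults)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def wipe(buf: bytearray) -> None:
    """Best-effort zeroisation; Python cannot guarantee that internal copies
    (e.g. the padded key inside hmac) are cleared, so the C library should
    hold the secret in mlock()ed memory and clear it with explicit_bzero()."""
    for i in range(len(buf)):
        buf[i] = 0


def current_code(encrypted_blob: bytes, password: str, now: int) -> str:
    """Decrypt on demand, derive one code, wipe: the secret never touches disk.

    The UI calls this whenever a new code is needed (every 30 s); the file on
    disk stays encrypted the whole time.
    """
    secret = decrypt_secret_into_ram(encrypted_blob, password)
    try:
        return totp(secret, now)
    finally:
        wipe(secret)
        del secret
```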
When handling passwords, they should not be stored at all. Instead I store a secure hash of them using Argon2.
Well, for storing passwords I was thinking of using some kind of auth manager (something like kwallet/kauth, since I use KDE) (for auto-login on boot) .. But they are too DE-specific solutions. Are there any better alternatives (not distro/DE specific)?
Storing a hash is the way to go when authenticating .. I am looking for a way to log in on boot (which will require storing the password as well, I guess, much like the way Wi-Fi passwords are stored).
If you handle one-time passwords, after generating them within RAM, you can store their hashes in a database or file and then forget about them.
Okay, I guess I am missing something here .. What's the use of storing a password hash in a file/db at all? They will expire after 30 secs .. Till then they can live in RAM (I guess). Am I missing something?
Thanks for the video link! I'll definitely watch it!