Enforce keychain-defined protection logic on items stored in keychain #269

Open
keepassium opened this issue Dec 22, 2022 · 0 comments
enhancement New feature or request


@keepassium
Owner

Currently, sensitive data in the keychain is protected by three factors:

  • App logic — once KeePassium is unlocked, it can read/write/delete keychain items without additional restrictions.
  • kSecAttrAccessibleWhenUnlockedThisDeviceOnly attribute
  • Additional encryption by a device-bound key stored in the Secure Enclave

It would be useful to complement the app logic with keychain-based verification, where the system itself would verify user-defined access conditions.

For example, the user could configure the app to require a biometric scan (or PIN code) to open the database. Instead of doing the check in the code, the app should set the corresponding attribute on the keychain item. This way, access control would be enforced by the system rather than the app.

This would be a prerequisite for #42 and #169.

[thanks, Konstantin and Andy]
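An added sketch (not KeePassium's code) of the two configurations the issue contrasts, written in Swift against the Security framework; the service and account names are placeholders:

```swift
import Foundation
import Security
import LocalAuthentication

// Hypothetical identifiers for illustration only, not KeePassium's real ones.
let service = "com.example.keepassium-demo"
let account = "database-key"
let baseQuery: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrService as String: service,
    kSecAttrAccount as String: account,
]
// Current situation from the issue: only the protection class is set, so once the
// app is unlocked any code path can read the item; the biometric/PIN check is app logic.
let appGatedProtection: [String: Any] = [
    kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
]

// Proposed approach: the same protection class inside a SecAccessControl that carries an
// authentication policy, so the keychain itself prompts for Face ID / Touch ID on read
// (.userPresence would also accept the passcode). Replaces kSecAttrAccessible; never set both.
func systemGatedProtection() throws -> [String: Any] {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        .biometryCurrentSet,   // invalidated if the enrolled biometrics change
        &error
    ) else { throw error!.takeRetainedValue() as Error }
    return [kSecAttrAccessControl as String: access]
}

func store(_ secret: Data, protection: [String: Any]) -> OSStatus {
    SecItemDelete(baseQuery as CFDictionary)   // replace any existing copy
    var attrs = baseQuery.merging(protection) { $1 }
    attrs[kSecValueData as String] = secret
    return SecItemAdd(attrs as CFDictionary, nil)
}

// For a system-gated item the keychain shows the prompt itself; the app only gets
// the data after success, otherwise errSecUserCanceled / errSecAuthFailed.
func read(reason: String) -> Data? {
    let context = LAContext()
    context.localizedReason = reason
    var query = baseQuery
    query[kSecReturnData as String] = true
    query[kSecUseAuthenticationContext as String] = context
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    return status == errSecSuccess ? item as? Data : nil
}
```

Because the policy is bound to the item, a read of the system-gated item fails with a keychain error when the user cancels or authentication fails, with no decision left to app code.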

@keepassium keepassium added the enhancement New feature or request label Dec 22, 2022
@keepassium keepassium self-assigned this Dec 22, 2022