Closed Bug 1886783 Opened 3 months ago Closed 1 month ago

Add a method to OSKeyStore.sys.mjs / OSKeyStore.cpp that allows exporting the store secret

Categories

(Core :: Security: PSM, enhancement, P2)

RESOLVED FIXED
128 Branch
Tracking Status
firefox128 --- fixed

People

(Reporter: mconley, Assigned: mconley)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [fidefe-device-migration])

Attachments

(1 file)

As part of bug 1885369 (and the broader project of making it possible to create local file archives of the user profile that are device-portable), we've reached the point where we're thinking about items in the user profile that are encrypted using OSKeyStore (currently, that's payment methods, but it seems possible that there could be more in the future).

Before anybody gets too worried reading this, it is understood that sensitive information like cookies, payment methods, logins, certificates, etc., need to be encrypted within the local backup archive. The way this will be done is still being defined, but suffice it to say that in order to back up these things, the user will need to supply a strong passphrase which we can derive some encryption keys from.

We want to be able to create these backups in the background without user intervention. This means not requiring the user to reauthenticate OSKeyStore to access the store secret in order to decrypt anything. Instead, we propose storing the data in the backup in its encrypted form.

That only works, however, if the user restores their backup on the same system with the same user account (since, in the best case scenario, the OSKeyStore secret would not have changed). Otherwise, the information encrypted via OSKeyStore will be inaccessible.

So what we'd like to propose then is to make it possible to export the secret held by the OS - the secret used to encrypt information for OSKeyStore - and store that alongside the data in the backup.

We propose exposing a method on OSKeyStore that takes some kind of key as a parameter so that the returned secret is wrapped, and can be stored somewhere in the user profile directory. We expect this will require a reauthentication, but this is acceptable when the user opts in to creating backups of this sensitive information.

Then, when backups occur in the background, the wrapped key will be written into the archive before the archive is encrypted.

Upon restoration, and upon the user providing the right information to generate the decryption key, our aim is to make it possible to create an in-memory version of OSKeyStore with the decrypted secret that lets us quickly decrypt anything in the backup that was encrypted with OSKeyStore, and then re-encrypt them using the "real" OSKeyStore for the profile, OS user account and device that the backup is being restored on.

I've spoken more generally about this idea with beurdouche, Serg and sjf - but I'm filing this so that we can put it in the work queue if it turns out this kind of thing would be accepted by Core :: Security: PSM.

Whiteboard: [fidefe-device-migration]
Blocks: 1890322
No longer blocks: 1885369
Severity: -- → N/A
Priority: -- → P2
Summary: Add a method to OSKeyStore.sys.mjs / OSKeyStore.cpp that allows exporting a (wrapped) version of the store secret → Add a method to OSKeyStore.sys.mjs / OSKeyStore.cpp that allows exporting the store secret
Assignee: nobody → mconley
Attachment #9393129 - Attachment description: WIP: Bug 1886783 - Add a method to OSKeyStore.sys.mjs allow exporting a wrapped store secret. r?keeler! → Bug 1886783 - Add a method to OSKeyStore.sys.mjs allow exporting a wrapped store secret. r?keeler!
Status: NEW → ASSIGNED

Speaking to djackson and jschanck, the suggestion was to just export the recovery code, and have consumers be responsible for wrapping it.

Depends on: 1896781
Attachment #9393129 - Attachment description: Bug 1886783 - Add a method to OSKeyStore.sys.mjs allow exporting a wrapped store secret. r?keeler! → Bug 1886783 - Add a method to OSKeyStore.sys.mjs to allow exporting the store secret. r?keeler!
Pushed by mconley@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c6e45e0d0c2d
Add a method to OSKeyStore.sys.mjs to allow exporting the store secret. r=jschanck
Status: ASSIGNED → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → 128 Branch