How to store private key or secure information / data with Electron
I am developing a standalone cross-platform app using Electron.

I want to store private data, like a private key, that the app uses for some execution, such as encrypting / decrypting data.

Or

I want to store some secured information, like a user password or proprietary data, in the app.

Is there any possible way to store this kind of secure information so that the app user is unable to get it in any way?

Coaptation answered 25/3, 2016 at 14:46 Comment(0)
There is an NPM module made for the Atom editor (the app Electron was made for) called Keytar. It uses the native OS APIs for secure storage, e.g. the keychain on OS X.

https://github.com/atom/node-keytar

Kast answered 25/3, 2016 at 20:51 Comment(1)
keytar might not be a good solution for this. The data may be encrypted, but is accessible by any other userland process: github.com/atom/node-keytar/issues/88 (Demirep)
I don't know the specific technology that you are using, so my answer will point in general to the key storage issue.

First, two big remarks:

  1. Even with some heavy specialized hardware (banks and other critical systems use Hardware Security Modules -HSMs- for this), there is always a risk of getting your key stolen. What you choose to do depends on how important your key is and how much you are willing to do to protect it. I will try to avoid mentioning solutions involving hardware, because they are usually overkill for most people.
  2. There are, however, good practices that you can follow: https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet

Now, some advice. Whatever you do, don't store your key in plaintext (and much less hardcoded). If you are using public key cryptography, PKCS12 files (usually with extension .p12 or .pfx) are the standard way to store the data. They are usually password protected.

Here you face a problem: if you have a key, you need to use it. If you use the key, it will be in "plaintext", at least in RAM. So, you need a way to enable the access that keeps the key as isolated as possible. If the actions are triggered by a user, things are relatively nice, because you could ask for the password before using the key.

If the actions are automated, however, you need to find a way to store the password. Even security software like some PGP implementations has approaches for this that aren't nice:

  1. Ask for the password on the command line: command -password my-password. This, put in a bat file, works. But the password is stored and, depending on the operating system, even available in the command history.
  2. Store it in a file: at least you don't leave copies around, but the password is still in plaintext.
  3. Encrypt it using system data as encryption key: the password is relatively protected, but you lose portability and an attacker with access to the computer won't be stopped by the control.
  4. Ask for the password once the service is on: a bit more reasonable, but not always possible (if the service is critical but just one person has the password, availability might be compromised).
  5. Fancy things could be done with threshold decryption, but that's probably too much for that case also.

I do not provide details on each option because what you can do probably depends on what your framework allows and the way in which your system is used, but I hope it helps as a reference of the different options. In any case, do not implement any cryptographic functionality on your own. Bad crypto is worse than no crypto at all.

Stereotype answered 25/3, 2016 at 15:20 Comment(0)
Avoid storing private or server-side details like a private key in an Electron app. An Electron app's data and files can be accessed from the app.asar file, and Electron does not protect the content at all. There is no such mechanism of code protection in Electron. However, NW.js supports source code protection; you can read it here. So according to me, it's not safe to store private accreditations like a signing certificate or private key in Electron source code.

As another way, you can store these data using node-keytar in the Keychain for Mac, the Credential Manager in Windows and GNOME Keyring in Linux using native APIs. But still, these credentials are accessible to the user, and it does not make sense to store private tokens (i.e. a token for a GitHub private repository having administrative rights). It depends upon the user: if he/she is sophisticated enough to understand what you stored in Keychain, Credential Manager or Keyring, they can misuse it or use it against you. So the final answer is,

Do not store Credentials/Private keys or Administrative Tokens in Electron source or using node-keytar.

Krissy answered 25/9, 2019 at 17:6 Comment(0)
The perfect way of storing data in Electron is this package: https://www.npmjs.com/package/electron-data-holder

This package stores data in a JSON file, but it gives you the ability to encrypt the data.

Read more in the documentation.

Acridine answered 10/7, 2021 at 19:37 Comment(0)