safeStorage

Allows access to simple encryption and decryption of strings for storage on the local machine.

Process: Main

This module adds extra protection to data being stored on disk by using OS-provided cryptography systems. Current security semantics for each platform are outlined below.

  • macOS: Encryption keys are stored for your app in Keychain Access in a way that prevents other applications from loading them without user override. Therefore, content is protected from other users and other apps running in the same userspace.
  • Windows: Encryption keys are generated via DPAPI. As per the Windows documentation: "Typically, only a user with the same logon credential as the user who encrypted the data can typically decrypt the data". Therefore, content is protected from other users on the same machine, but not from other apps running in the same userspace.
  • Linux: Encryption keys are generated and stored in a secret store that varies depending on your window manager and system setup. Options currently supported are kwallet, kwallet5, kwallet6 and gnome-libsecret, but more may be available in future versions of Electron. As such, the security semantics of content protected via the safeStorage API vary between window managers and secret stores.
    • Note that not all Linux setups have an available secret store. If no secret store is available, items stored using the safeStorage API will be unprotected, as they are encrypted via a hardcoded plaintext password. You can detect this case when safeStorage.getSelectedStorageBackend() returns basic_text.

Note that on Mac, access to the system Keychain is required and these calls can block the current thread to collect user input. The same is true for Linux, if a password management tool is available.

Methods

The safeStorage module has the following methods:

safeStorage.isEncryptionAvailable()

Returns boolean - Whether encryption is available.

On Linux, returns true if the app has emitted the ready event and the secret key is available. On MacOS, returns true if Keychain is available. On Windows, returns true once the app has emitted the ready event.

safeStorage.encryptString(plainText)

  • plainText string

Returns Buffer - An array of bytes representing the encrypted string.

This function will throw an error if encryption fails.

safeStorage.decryptString(encrypted)

  • encrypted Buffer

Returns string - The decrypted string. Decrypts the encrypted buffer obtained with safeStorage.encryptString back into a string.

This function will throw an error if decryption fails.

safeStorage.setUsePlainTextEncryption(usePlainText)

  • usePlainText boolean

On Linux, this function forces the module to use an in-memory password to create the symmetric key used by the encrypt/decrypt functions when a valid OS password manager cannot be determined for the current active desktop environment. This function is a no-op on Windows and MacOS.

safeStorage.getSelectedStorageBackend() Linux

Returns string - User friendly name of the password manager selected on Linux.

This function will return one of the following values:

  • basic_text - When the desktop environment is not recognised or if the following command line flag is provided --password-store="basic".
  • gnome_libsecret - When the desktop environment is X-Cinnamon, Deepin, GNOME, Pantheon, XFCE, UKUI, unity or if the following command line flag is provided --password-store="gnome-libsecret".
  • kwallet - When the desktop session is kde4 or if the following command line flag is provided --password-store="kwallet".
  • kwallet5 - When the desktop session is kde5 or if the following command line flag is provided --password-store="kwallet5".
  • kwallet6 - When the desktop session is kde6.
  • unknown - When the function is called before app has emitted the ready event.
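
A guard for the Linux fallback described above, as an added example (not code from the Electron documentation). The helper names checkStorage, sealSecret and openSecret are hypothetical, and the safeStorage object is passed in as a parameter so the logic can run outside Electron.

```javascript
// In an Electron main process, pass the real module:
//   const { app, safeStorage } = require('electron')
//   app.whenReady().then(() => sealSecret(safeStorage, process.platform, token))

// Values of getSelectedStorageBackend() that give no real protection:
// basic_text uses a hardcoded password, unknown means "called before ready".
const UNSAFE_LINUX_BACKENDS = new Set(['basic_text', 'unknown'])

// Hypothetical helper: reports whether it is safe to encrypt or decrypt now.
function checkStorage (safeStorage, platform) {
  if (!safeStorage.isEncryptionAvailable()) {
    return { ok: false, reason: 'encryption-unavailable' }
  }
  // getSelectedStorageBackend() is Linux-only, so only call it there.
  if (platform === 'linux') {
    const backend = safeStorage.getSelectedStorageBackend()
    if (UNSAFE_LINUX_BACKENDS.has(backend)) {
      return { ok: false, reason: `weak-backend:${backend}` }
    }
  }
  return { ok: true, reason: null }
}

// Hypothetical helper: encrypts plainText, or throws instead of silently
// writing a secret that is only protected by the hardcoded password.
function sealSecret (safeStorage, platform, plainText) {
  const status = checkStorage(safeStorage, platform)
  if (!status.ok) throw new Error(`refusing to store secret: ${status.reason}`)
  return safeStorage.encryptString(plainText) // Buffer; throws on failure
}

// Hypothetical helper: decrypts a Buffer produced by sealSecret. Returns null
// when decryptString throws, so the caller can prompt for the secret again.
function openSecret (safeStorage, platform, encrypted) {
  const status = checkStorage(safeStorage, platform)
  if (!status.ok) throw new Error(`refusing to read secret: ${status.reason}`)
  try {
    return safeStorage.decryptString(encrypted)
  } catch (err) {
    return null
  }
}
```

Failing closed on basic_text or unknown lets the app prompt the user or skip persistence rather than write a weakly protected secret to disk.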