[GH-ISSUE #224] encrypt data file when using webdav #215
Originally created by @GoogleBeEvil on GitHub (Jan 30, 2019).
Original GitHub issue: https://github.com/floccusaddon/floccus/issues/224
I use a self-hosted webdav to sync bookmarks, so is the data file stored on the self-hosted webdav encrypted, so that nobody will get my bookmarks in case the webdav server is hacked?
I know keepass2 encrypts *kdbx (a db file, I think) locally and then syncs with webdav. Does floccus have a similar feature?
@marcelklehr commented on GitHub (Jan 30, 2019):
No, the assumption is that your webdav server is secure.
@GoogleBeEvil commented on GitHub (Jan 30, 2019):
OK, any plan to add this feature?
@marcelklehr commented on GitHub (Jan 30, 2019):
Not currently. If there is a sufficient demand, then maybe. I can't promise anything, though.
@Magissia commented on GitHub (Apr 16, 2019):
Would be nice to have.
@TCB13 commented on GitHub (Apr 27, 2019):
@GoogleBeEvil maybe this will be interesting for you: https://github.com/TCB13/LoFloccus . You can then encrypt your file with another solution and sync it with any cloud.
@GoogleBeEvil commented on GitHub (Apr 28, 2019):
@TCB13 nice app, but I'm on Linux. It's better to ask the keepass group to merge your function into theirs, I think, for keepass can be launched on Linux via mono.
@TCB13 commented on GitHub (Apr 28, 2019):
@GoogleBeEvil you should be able to compile it and run under linux. It's written in Go and Qt5.
@ghost commented on GitHub (Oct 25, 2019):
Very sufficient demand. Self-hosting the sync server is not convenient. Using a public cloud storage service with webdav support to sync is more reliable, therefore end-to-end ENCRYPTION is necessary.
@TCB13 commented on GitHub (Oct 25, 2019):
@hineH you can do that with Cryptomator and Dropbox / other desktop cloud sync service. Cryptomator is a program capable of encrypting files. The way it works is by mounting a webdav share in your machine, and then it encrypts whatever you drop in there and stores it somewhere.
You store the Cryptomator volume inside dropbox and then mount it and can point floccus to the webdav share.
@marlluslustosa commented on GitHub (Nov 29, 2019):
Thus, as TCB13 said, you can use cryptomator to synchronize an encrypted volume in public clouds (dropbox, drive, etc.). Other similar solutions are: SiriKali and Zulu-Crypt which create VeraCrypt, LUKS, cryfs, gocryptfs, etc. volumes. These can also be stored in any public cloud, similar to Keepass .kdbx.
The solution I use is: Floccus client with local webdav server synchronizing to my private cloud syncthing (node to node).
By the way, I launched yesterday a webdav server for floccus on GNU/Linux.
https://github.com/marlluslustosa/Floccus-WebDavDocker
@marcelklehr commented on GitHub (Nov 29, 2019):
@marlluslustosa Feel free to send a PR my way to link to your repo :)
@marcelklehr commented on GitHub (Nov 29, 2019):
While there are solutions to work around this, I'm not closing this issue, as it seems like a valid concern that not everyone has access to a secure webdav server, so it can be argued it's within the scope of this tool to secure your data.
@ghost commented on GitHub (Nov 30, 2019):
@TCB13 @marlluslustosa Thanks for your recommendation. I tried cryptomator, which hosts an encrypted webdav server on my PC. Wherever the data is stored, these ways need a server program to do the encryption; I still need to host my own webdav service on localhost or a private server.
However, if the encryption is implemented on the client (this project), one can directly enter the server address and account that some internet storage service provides. In this way, we can get both privacy and convenience, even if the provider is not trusted or is insecure.
@marlluslustosa commented on GitHub (Nov 30, 2019):
The step-by-step operation would look something like this:
1 - Floccus tries to access encrypted xbel repository;
2 - If it exists, it will load it internally after download and try to decrypt it;
3 - If it does not exist you will create it internally and encrypt it before writing to the webdav server;
Encryption solutions could be GPG (I don't think it would perform), Cryfs, gocryptfs (proved to be very efficient in application testing)
From this, we can assume that encryption/decryption will always take place at run time only in Floccus, as it does in KeepassXC (between the desktop application and the plugin browser).
@da2x commented on GitHub (Dec 2, 2020):
Floccus already has an AES-encryption library used to protect credentials in browser.storage.local. This encryption mechanism can be reused to provide end-to-end encryption for the XBEL files stored on WebDAV servers.
I suggest letting the file extension of the sync-target determine whether to use end-to-end encryption (E2EE). A file extension of .xbel.aes would require encrypting it prior to upload and decryption after download. It should fail and log if no or the wrong pass phrase is provided. No UI change except adding one string to ui/views/SetKey.vue mentioning that the password will be used for E2EE when syncing to the correct file extension (e.g. “Set your bookmarks file path to ‘.xbel.aes’ to enable end-to-end encryption. You’ll need to use the same password on all clients.”)
Unsolved challenges: how to handle password changes? and forgotten or wrong passwords?
@TCB13 commented on GitHub (Dec 3, 2020):
I like this idea. LoFloccus could also easily be updated to support this scheme.
Honest opinion? Password changes would require the entire file to be re-encrypted. Forgotten passwords, well, that's not an issue for Floccus to solve. Any password reset scheme will probably end up in security issues.
But if you really want a suggestion on how to deal with forgotten passwords... we could add another file that is the actual password (random string), encrypt it with the user-provided password and store it. Then we can encrypt the bookmarks with that random string and also save them. Whenever we want to decrypt we just need to decrypt the password file with the user password and use the contained string to decrypt the bookmarks. This would allow easier password changes (you just have to re-encrypt the random string) AND potentially password recovery using already configured devices.
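The key-wrapping scheme suggested in the comment above, as an added example that is not part of the thread and not floccus code. It assumes Node's built-in crypto module, PBKDF2-SHA256 for deriving the wrapping key and AES-256-GCM for both layers; all function names and the iteration count are hypothetical choices for illustration.

```javascript
// Added example (not floccus code): a random data key encrypts the bookmarks,
// and a passphrase-derived key encrypts ("wraps") that data key.
const nodeCrypto = require('node:crypto');

const KDF_ITERATIONS = 200000; // demo value (assumption); tune for your devices

// AES-256-GCM seal; output layout is iv (12) || tag (16) || ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Throws if the key is wrong or the blob was modified on the server.
function open(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

function deriveWrappingKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, KDF_ITERATIONS, 32, 'sha256');
}

// The "password file": stored next to the bookmarks file on the WebDAV server.
function wrapDataKey(dataKey, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  return { salt, wrapped: seal(deriveWrappingKey(passphrase, salt), dataKey) };
}

function createKeyFile(passphrase) {
  return wrapDataKey(nodeCrypto.randomBytes(32), passphrase);
}

function unwrapDataKey(keyFile, passphrase) {
  return open(deriveWrappingKey(passphrase, keyFile.salt), keyFile.wrapped);
}

// Password change rewrites only the key file; the bookmarks blob is untouched.
function changePassphrase(keyFile, oldPass, newPass) {
  return wrapDataKey(unwrapDataKey(keyFile, oldPass), newPass);
}

function encryptBookmarks(keyFile, passphrase, xbel) {
  return seal(unwrapDataKey(keyFile, passphrase), Buffer.from(xbel, 'utf8'));
}

function decryptBookmarks(keyFile, passphrase, blob) {
  return open(unwrapDataKey(keyFile, passphrase), blob).toString('utf8');
}
```

Because GCM authenticates the wrapped key, a wrong passphrase fails at `unwrapDataKey` with an exception instead of yielding garbage, which covers the "fail and log" behaviour requested earlier in the thread.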
@marcelklehr commented on GitHub (Mar 10, 2021):
This has landed in v4.6.0 🎉
Thanks for your input and your patience everyone :)
@TCB13 commented on GitHub (Mar 10, 2021):
@marcelklehr did you change anything in the file extension? Do I need to update LoFloccus to support anything else or is it transparent?
@marcelklehr commented on GitHub (Mar 10, 2021):
WebDAV implementations don't have to change anything. When setting a passphrase in the floccus options, the xbel file will be encrypted. Currently, the file has to be deleted first, for floccus to create the encrypted file, but with the next release floccus will encrypt the file on the fly, once a passphrase is set.
@TCB13 commented on GitHub (Mar 10, 2021):
Ok, great! Thank you for the clarification.
@marlluslustosa commented on GitHub (Mar 11, 2021):
Great!
@github-actions[bot] commented on GitHub (Mar 20, 2023):
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.