Clients’ keys are world-readable

[alexanderbez]

Client keys are stored on the filesystem via LevelDB for multiple operations. These include use by validators, client wallets, and other functions. The keys themselves are stored within the .gaiacli​ directory of the user’s home directory by default.

However, the permissions on this directory and subdirectories is ​0755​ (RWX for user and RX for group/world), with file permissions of ​0644​ (RW for user and R for group/world).

While the contents of the LevelDB files are in plain text, they are protected via Bcrypt.

Proposal

Short Term (prior to or at launch):

At the very least, the file and directory permissions should be updated to 0700 (RWX for user only).

Long Term: (post launch):

Use an audited key/secret local vault.

/cc @cwgoes @zmanian

---

For Admin Use

• Not duplicate issue
• Appropriate labels applied
• Appropriate contributors tagged
• Contributor assigned/self-assigned

[zmanian]

I'm a fan of https://github.com/99designs/keyring for key storage.

[cwgoes]

I'm a fan of https://github.com/99designs/keyring for key storage.

That looks compelling. Do you know if it's been subjected to third-party review (or has some major users)?

[alexanderbez]

I'm a fan of https://github.com/99designs/keyring for key storage.

Would we use the Filesystem backend? I doubt we want to leverage a local client/server model here, right?

[zmanian]

I'd suggest using the OSX keyring and Windows credential store and then falling back to encrypted file if neither are available

[alexanderbez]

Started playing with keyring in the SDK -- seems very straightforward. One thing that came to my attention is we'll now probably need some sort of gaiacli keys init command functionality which sets up a keyring with a passphrase. Subsequent usage will now prompt users for both a keyring passphrase (unless saved) and their key passphrase (bcrypt encrypted) -- not sure this is the best UX.

Or were we thinking of another flow?

[cwgoes]

I think we can ditch bcrypt if we're using a keyring which is already encrypted.

This seems like a large-magnitude change for prelaunch though, for now I suggest just the permissions fix.

[zmanian]

FYI Iqlusion/ @poldsam is working on adding keyring support for the client key storage

[alexanderbez]

Cool! You mean to Keybase @zmanian? Is there any code you can share? Will a PR be made?

[zmanian]

https://github.com/iqlusioninc/cosmos-sdk/tree/kristi/keyringKeybase

Here is the WIP branch. Yep there will be a PR

[alexanderbez]

Awesome. Look forward to reviewing the contribution.