[Security] Protect local data at rest — owner-only file permissions, DB integrity checks, secret-free logs #146
Reference in New Issue
Block a user
No description provided.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
At-rest protection and integrity for local storage: owner-only file perms on the history DB and OTR keystores, SQLite integrity check at open, verify-before-persist for OMEMO media, and secret redaction in logs.
Part of #144. Decision legend: M must-do, C could-do, W won't-do (this cycle); investigate = verify the problem is real / scope it before implementing.
Subtasks & findings
T03 — Log secret redaction (plaintext bodies + creds out of logs)
Owner: Dev2 (DB) · Decision: M / C · Effort: ~0.5–1d · Investigate: investigate all log sinks (LOG-06)
Shared redaction helper across DB logger + stderr bridge.
database_sqlite.c:694,717,748,760; connection.c:1088-1107log.c:289,297T07 — At-rest file permissions (0600 on DB + OTR keystores)
Owner: Dev2 (DB) · Decision: C · Effort: ~0.5d
chmod after sqlite3_open / privkey / fingerprint writes.
database_sqlite.c:144; otr.c:113,372,386T08 — DB integrity + OMEMO media at-rest
Owner: Dev2 (DB) · Decision: M · Effort: ~1.5–2d · Investigate: investigate both (RES-02, CRY-06)
quick_check at open; verify GCM tag before persisting media.
database_sqlite.c _sqlite_init (128-157)omemo/crypto.c:445 (checktag :462); aesgcm_download.c:66,112-140Checklist
T03 — Log secret redaction (plaintext bodies + creds out of logs)
T07 — At-rest file permissions (0600 on DB + OTR keystores)
T08 — DB integrity + OMEMO media at-rest
Notes