On 01/07/2026 17:08, Michael Catanzaro via devel wrote:
(Keep in mind such functionality can only possibly work for sandboxed applications. There's of course no way to stop an unsandboxed application from reading whatever it wants.)
Sure. All current wallets and password managers have the same issue. The only way to prevent unsandboxed applications from accessing encrypted password manager databases is to store them on a separate hardware token or TPM chip, which is not possible today because the number of slots on such devices is very limited.
Storing the primary encryption key on a hardware token is better, but the unsandboxed application will still be able to read the wallet's memory, extract the KEK from there, and then decrypt the database.
-- Sincerely, Vitaly Zaitsev ([email protected]) -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
