Is it explained somewhere how the security of this app is handled? I’m looking for answers to: are the passwords stored encrypted, when will they be decrypted, and how?
The app allows the use of client side encryption and server side encryption.
By default, the app encrypts and decrypts passwords on the server and sends them unencrypted to the client (so only server side encryption).
If you use a nightly version of the app, you can also use the client side encryption with libsodium in the browser, but it is not enabled by default since browser plugins and other apps still need to be adapted to it (https://github.com/marius-wieschollek/passwords/issues/80).
Good afternoon! I wanted to ask, considering the Passwords app description states that it uses Nextcloud’s integrated encryption functionality as stated:
Passwords offers a safe server side encryption using Nextcloud’s integrated encryption functionality. Each password is encrypted with its own unique key.
Are passwords safe regarding server side encryption if the “Server-side encryption” is not enabled in the security settings of Nextcloud?
I wanted to make sure I understood the security implications of this and if this option affects it or not. Probably a dumb question but I just wanted to make sure.
Thanks for helping me understand this!
The Server-side encryption option is only for files.
The app itself uses the encryption code that is provided by Nextcloud for apps. The encryption is always active regardless of any settings in the admin UI. You can see the encryption used for each password in the details of that password in the app.
The text in the readme is there to highlight that the app does not implement its own encryption. (Because implementing your own encryption is usually a bad idea.)
Is there something new about client side encryption for the password app?
Yes, the progress is documented in the GitHub issue that is the selected answer.