Is key management secure?

From @githubber314159 on Sun Apr 16 2017 18:44:18 GMT+0000 (UTC)

Hello everyone! I am wondering whether we should make use of other programs which do only one job, but do this job very well. For example, GPG could be used to store the private keys. GPG is good at this (see gpg-agent etc) and we can offload the security implications to GPG.

Apart from the important security increase, there are disadvantages we need to discuss:

  1. A dependency in introduced. This is especially pressing since the aim is to let IPFS run in a browser. I propose to let the user decide: when the user set an empty password, no GPG gets used.

  2. It is inconvenient to enter a password to decrypt the private key. GPG has a solution for this, called gpg-agent. AFAIK, the private key is used in IPFS seldomly anyway, so this may not constitute a problem. I think users are willing to enter a passphrase if they only have to do it when they remap their ipns hash to a new ipfs hash. Again, the user may leave the password blank and GPG can store it in secmem etc, but no user interaction is requried.

What do you think?


Copied from original issue: https://github.com/ipfs/faq/issues/252

From @lidel on Sun Apr 16 2017 21:37:19 GMT+0000 (UTC)

AFAIK keys of IPFS node (used for IPNS publishing and node identity) are already managed by go-ipfs itself. Related discussion: https://discuss.ipfs.io/t/ipns-publishing-after-generating-a-key/

As for using other tools for data encryption, there is a related discussion at: https://discuss.ipfs.io/t/possibility-to-restrict-file-access-for-users-in-network/