安全存储
允许访问简单的加密和解密字符串,以便存储在本地机器上。
Process: Main
This module adds extra protection to data being stored on disk by using OS-provided cryptography systems. Current security semantics for each platform are outlined below.
- macOS: Encryption keys are stored for your app in Keychain Access in a way that prevents other applications from loading them without user override. Therefore, content is protected from other users and other apps running in the same userspace.
- Windows: Encryption keys are generated via DPAPI. As per the Windows documentation: "Typically, only a user with the same logon credential as the user who encrypted the data can typically decrypt the data". Therefore, content is protected from other users on the same machine, but not from other apps running in the same userspace.
- Linux: Encryption keys are generated and stored in a secret store that varies depending on your window manager and system setup. Options currently supported are
kwallet
,kwallet5
,kwallet6
andgnome-libsecret
, but more may be available in future versions of Electron. As such, the security semantics of content protected via thesafeStorage
API vary between window managers and secret stores.- Note that not all Linux setups have an available secret store. If no secret store is available, items stored in using the
safeStorage
API will be unprotected as they are encrypted via hardcoded plaintext password. You can detect when this happens whensafeStorage.getSelectedStorageBackend()
returnsbasic_text
.
- Note that not all Linux setups have an available secret store. If no secret store is available, items stored in using the
请注意,在Mac上,需要访问系统Keychain,这些调用可以阻止当前线程来收集用户输入。 如果密码管理工具可用,Linux 亦是如此。
方法
safeStorage
模块包含以下方法:
safeStorage.isEncryptionAvailable()
返回 boolean
- 加密是否可用
在 Linux 上,如果应用已触发 ready
事件且密钥可用,则返回 true。 在 MacOS 上,如果 Keychain 可用,返回 true。 在 Windows 上,返回 true,应用发出 ready
事件后。
safeStorage.encryptString(plainText)
plainText
string
返回 Buffer
- 一个代表加密字符串的字节数组。
如果加密失败,此函数将抛出错误。
safeStorage.decryptString(encrypted)
encrypted
Buffer
返回 string
- 解密的字符串。 将使用 safeStorage.encryptString
获得的加密字节数组解密为一个字符串。
解密失败时此函数将抛出错误。
safeStorage.setUsePlainTextEncryption(usePlainText)
usePlainText
boolean
This function on Linux will force the module to use an in memory password for creating symmetric key that is used for encrypt/decrypt functions when a valid OS password manager cannot be determined for the current active desktop environment. This function is a no-op on Windows and MacOS.
safeStorage.getSelectedStorageBackend()
Linux
Returns string
- User friendly name of the password manager selected on Linux.
This function will return one of the following values:
basic_text
- When the desktop environment is not recognised or if the following command line flag is provided--password-store="basic"
.gnome_libsecret
- When the desktop environment isX-Cinnamon
,Deepin
,GNOME
,Pantheon
,XFCE
,UKUI
,unity
or if the following command line flag is provided--password-store="gnome-libsecret"
.kwallet
- When the desktop session iskde4
or if the following command line flag is provided--password-store="kwallet"
.kwallet5
- When the desktop session iskde5
or if the following command line flag is provided--password-store="kwallet5"
.kwallet6
- When the desktop session iskde6
.unknown
- When the function is called before app has emitted theready
event.