Here's an update on our recent efforts:

1) RainCT and I have been packaging sqlcipher -- I don't think it should take 
us much longer to finish (RainCT can probably give a better estimate);
2) I have confirmed (via LD_PRELOAD) that sqlcipher somewhat works with the 
existing pysqlite bindings, we will need to focus on a non-hacky solution after 
we have finished the packaging;
3) It is trivial to support keyring integration (this can be done by using the 
external keyring module, which provides cross-platform support for 
GnomeKeyring, KDEKWallet, OSXKeychain, and Win32CryptoKeyring);
4) I have already written the code that integrates sqlcipher with Zeitgeist, 
it's just a matter of testing once packaging is complete.

Regarding the generation of a raw key, I'm currently using the following


Perhaps Jacob could comment on the viability of this method?

You received this bug notification because you are a member of Zeitgeist
Framework Team, which is subscribed to Zeitgeist Framework.

  Encryption of database

Status in Zeitgeist Framework:

Bug description:
  I think that Zeitgeist should encrypt databases in
  ~/.local/share/zeitgeist/* for anti-forensics reasons.

  While someone may happen to use an encrypted disk, Zeitgeist may serve
  as the ultimate accidental spyware to an unsuspecting user. One
  possible mitigation is to randomly generate a reasonable key, tie it
  into the login keychain and then use that key with something like rather than straight sqlite.

  In theory, a user will never know that this encryption/decryption is
  happening - no underlying assumptions about the disk need to be made
  to maintain any security guarantees. This should prevent anyone from
  learning the contents of the database without also learning the login
  password. Modern Ubuntu machines disallow non-root ptracing ( )
  and if the gnome keyring is locked, an attacker would have a much
  harder time grabbing meaningful Zeitgeist data without interacting
  with the user or bruteforcing the login keychain.

Mailing list:
Post to     :
Unsubscribe :
More help   :

Reply via email to