Thoughts on KDE Vaults?

gamma7

Is KDE Vaults good for security? I currently use secureblue (KDE Plasma) and I want to compartmentalise my files for different hobbies into local and encrypted vaults so that they're accessible only when needed. I wish to protect my files against passive attacks (e.g. malware). I'm not specifically targeted, so targeted attacks are outside of my threat model.

I've looked into GNOME Vaults, as it's curated by secureblue. It's written in memory safe language unlike KDE Vaults (correct me if I'm wrong) and seems to have a good encryption algorithm, but whenever I try to create vault it returns "unknown error occurred", likely due to flatpak permission lockdown. I'm also not sure if it's worth putting trust in another party when I can likely achieve the same thing while putting trust in something I already have to trust (KDE).

Is KDE Vaults good for my threat model, of are there better local and preferably Flatpak options?

gamma7

I've tried Picocrypt NG, but It requires entering password or keyfile every time I need to encrypt the file again, which isn't what I'm looking for.

koocmit

gamma7 KDE Vault is fine, since you can use proven algorithms as backends. Gocryptfs is what I usually recommend, since you can then use gocryptfs cli or droidfs (android) to make it cross platform.

You can read more about gocryptfs here: https://github.com/rfjakob/gocryptfs

Here is the announcement about gocryptfs being added as a backend to KDE vault: https://cukic.co/2020/06/01/plasma-vaults-and-gocryptfs/

Here is an old audit done on the algorithm: https://github.com/rfjakob/gocryptfs/issues/90

gamma7

koocmit how can I check what backend does KDE Vaults use? I go to it's configuration settings (Vaults settings) but all I found is keyboard shortcuts and about info. I searched on internet but I only found guides on how to setup vaults that are bit outdated. Also, when I create new vault, it only presents an option to choose a name.

koocmit

gamma7 you will need to first install gocryptfs using your package manager, or put its binaries in ~/.local/bin, or use brew to install it, depends on distro. On secureblue I think brew is the recommend way (not sure), otherwise rpm-ostree install gocryptfs also works if you don't use brew (I usually do this).

Once installed, you should see it in advanced tab (just look around, I have not used kde for a while) when setting up vault.

This looks like an updated guide: https://linuxconfig.org/create-encrypted-folders-with-plasma-vault
Just change the encryption to gocryptfs in the dropdown. You don't need the installation part, since it is in built