
ZeroConcerns | 1 month ago

Not really -- any secrets stored using this method should also live in a password manager somewhere. It's about providing more-secure programmatic access to secrets.

Basically, it rebuilds Windows DPAPI from first principles, which is fine (I've done it many times myself!), and something non-Windows platforms sorely need. It changes the impact of malware from "they dumped all our secrets from prod to their C2" to "they got some encrypted values, and now someone will need to figure out our methodology and underlying keys", which is a meaningfully higher bar.
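As an added example, not the commenter's code or any particular project's, here is what a minimal DPAPI-style protect/unprotect pair looks like in Go: the stored blob is AES-256-GCM ciphertext under a key derived from a master key plus a scope label, so a dump of the blobs yields nothing without both the master key and the labelling scheme. It assumes the master key lives in an OS keyring or key service and is never written next to the blobs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveKey turns the master key and a scope label into a per-purpose AES-256
// key, so a blob from one scope cannot be opened under another.
func deriveKey(master []byte, scope string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte("dpapi-like/v1/" + scope))
	return m.Sum(nil)
}

// Protect encrypts a secret under the derived key.
// Blob layout: nonce || ciphertext || GCM tag; the scope is bound as AAD.
func Protect(master []byte, scope string, secret []byte) ([]byte, error) {
	block, err := aes.NewCipher(deriveKey(master, scope))
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, secret, []byte(scope)), nil
}

// Unprotect reverses Protect; a wrong master key, wrong scope or tampered
// blob fails authentication instead of yielding garbage plaintext.
func Unprotect(master []byte, scope string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(deriveKey(master, scope))
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(blob) < gcm.NonceSize() { return nil, errors.New("blob too short") }
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(scope))
}

func main() {
	master := make([]byte, 32) // assumed: fetched from the OS keyring / key service
	rand.Read(master)
	blob, _ := Protect(master, "prod/db-password", []byte("hunter2")) // constructed sample secret
	fmt.Printf("stored blob is %d opaque bytes\n", len(blob))
	pt, _ := Unprotect(master, "prod/db-password", blob)
	fmt.Println(string(pt))
}
```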
