Brave Search

Equivalent of Data Protection API on Linux

stackoverflow.com › questions › 6032880 › equivalent-of-data-protection-api-on-linux

There are two options for user-level key stores on Linux:

GnomeKeyring
KWallet

This does not address the need for a system-level key store.

Answer from Matthew Rodatus on Stack Overflow

Stack Overflow

stackoverflow.com › questions › 6032880 › equivalent-of-data-protection-api-on-linux

java - Equivalent of Data Protection API on Linux - Stack Overflow

Top answer

1 of 1

If malicious code can run in the context of the user, DPAPI provides no protection, since said malicious code can simply ask DPAPI to decrypt it.

The only scenario it protects against, is if the data or disk is stolen, but the password is not known. The password can be reset easily but this makes the DPAPI protected data inaccessible. An attacker would have to crack the password hash from the Windows credential cache, but be aware that this is generally a very do-able task. If you know that this is what you have to do you can probably do it in most cases.

Your real problem is "how to easily manage the KEK".

DPAPI takes care of key management by piggy-backing on the Windows password. You would need a PAM module to do this on Linux, and there isn't one.

You should consider piggy-backing on whatever the user is already using, e.g. OSX Keychain, KDE's KWallet, Gnome's GnomeKeyring etc, which I believe have APIs.

If you were using Python, you should consider something like this:

https://pypi.python.org/pypi/keyring

Discussions

Best way for cross-platform reversible encryption

ASP.net Core Data Protection? https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/introduction?view=aspnetcore-2.2 It's use case is specifically "DPAPI" replacement More on reddit.com

r/dotnet

May 18, 2019

security - Linux (Ubuntu) equivalent to Windows DPAPI - Stack Overflow

I am trying to find a solution to store secrets (to be used by my application) on Ubuntu Server 20.04. I have used Windows' DPAPI in the past to store secrets using the protection of the user account More on stackoverflow.com

stackoverflow.com

September 1, 2020

security - DPAPI / MacOS-style Keyring for Linux or BSD? - Unix & Linux Stack Exchange

Windows and Mac both have a handy way to secure data using the users' login credentials. The Data Protection API on Windows uses a symmetric key which is never stored in plain-text, and is encrypted More on unix.stackexchange.com

unix.stackexchange.com

Need ProtectedData support on non-Windows

Current package https://dotnet.myget.org/F/dotnet-core/api/v2/package/System.Security.Cryptography.ProtectedData/4.0.0-rc3-24022-00 throws PlatformNotSupported on non-Windows · This feature is needed by PowerShell and Nuget and it doesn't make sense for everyone to roll their own More on github.com

github.com

July 21, 2017

Narkive

mono-devel-list.ximian.narkive.com › a3RjvXE1 › mono-dev-equivalent-of-dpapi-in-linux-status-of-protecteddata

[Mono-dev] Equivalent of DPAPI in Linux / Status of ProtectedData ?

It should be as much secure as your user/machine (scope dependent) file system is (keypair persistence). I.e. if someone can logon as the user then it can access the data (which is identical to DPAPI behavior on Windows). Post by Lionel Cuir On which mechanism/other software it relies in Linux?

DZone

dzone.com › articles › storing-secrets-in-linux

Storing Secrets in Linux

May 8, 2017 - On Linux, the situation seems to be much more chaotic. There is libsecret, which seems to be much wider in scope than DPAPI. Whereas DPAPI has 2 methods (protect and unprotect), libsecret has a lot of moving pieces, which is quite scary.

reddit.com › r/dotnet › best way for cross-platform reversible encryption

r/dotnet on Reddit: Best way for cross-platform reversible encryption

May 18, 2019 -

I am porting a library to .NET Core from Framework and the bit that I don't have a good answer for at the moment is credential storage for a backend API. I need to be able to store a large set of credentials with reversible encryption, modifiable by the consumer of the library. With classic .NET on Windows I used DPAPI with serialization to JSON. Is there a cross platform equivalent?

Top answer

1 of 4

ASP.net Core Data Protection? https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/introduction?view=aspnetcore-2.2 It's use case is specifically "DPAPI" replacement

2 of 4

Well the 'reversible encryption' is the easy part something like Bouncy Castle https://www.nuget.org/packages/BouncyCastle.NetCore/ works well on .NET core. Really 'reversible encryption; just means 'not a hashing function'...otherwise it's almost exactly functionally equivalent to writing random data to disk. Not sure what else you need; are you looking for some sort of 'secret store'?

Stack Overflow

stackoverflow.com › questions › 63687539 › linux-ubuntu-equivalent-to-windows-dpapi

security - Linux (Ubuntu) equivalent to Windows DPAPI - Stack Overflow

September 1, 2020 - ... It's a good reference no matter what language you're using. To achieve a similar workflow to DPAPI, generate a 16 byte secure random password, save it in the keychain, and use it to encrypt your data.

GitHub

github.com › zblurx › dploot

GitHub - zblurx/dploot: DPAPI looting remotely and locally in Python · GitHub

dploot is Python rewrite of SharpDPAPI written un C# by Harmj0y, which is itself a port of DPAPI from Mimikatz by gentilkiwi. It implements all the DPAPI logic of these tools, but this time it is usable with a python interpreter and from a Linux ...

Starred by 550 users

Forked by 76 users

Languages Python 99.9% | Makefile 0.1%

Stack Exchange

unix.stackexchange.com › questions › 498397 › dpapi-macos-style-keyring-for-linux-or-bsd

security - DPAPI / MacOS-style Keyring for Linux or BSD? - Unix & Linux Stack Exchange

The Keychain feature on MacOS provides a structured data storage mechanism for passwords and other secrets (Windows has a similar credential store, built on top of DPAPI).

Find elsewhere

Google Bing Mojeek

Ayende @ Rahien

ayende.com › blog › 178081 › storing-secrets-in-linux

Storing secrets in Linux - Ayende @ Rahien

May 5, 2017 - On Linux, the situation seems to be much more chaotic. There is libsecret, which seems to be much wider in scope than DPAPI. Whereas DPAPI has 2 methods (protect & unprotect), libsecret has a lot of moving pieces, which is quite scary.

Narkive

mono-list.ximian.narkive.com › TuDbHakz › linux-version-of-dpapi-to-encrypt-web-config-data

[Mono-list] Linux version of DPAPI to encrypt Web.config data?

First, here are my constraints: ... can easily be disassembled On Windows, DPAPI addresses these constraints, since it manages encryption keys at the OS level. My question is: when running ASP.NET applications on a Slackware 10 Linux server using Mono 1.0.2, do I have any similar ...

FreeBSD

lists.freebsd.org › pipermail › freebsd-questions › 2016-March › 270715.html

is there a secure store associated with user?

March 8, 2016 - My co-worker and I have discussed the issue of protecting sensitive data on Windows with DPAPI vs Linux world. MS DPAPI is secure, because it relies on user's password to encrypt user's data store. However, when windows services are involved, windows service control manager (SCM) needs to store ...

PyPI

pypi.org › project › dpapi-ng

dpapi_ng - Python DPAPI-NG De-/Encryption Library

June 1, 2023 - # Debian/Ubuntu apt-get install gcc python3-dev libkrb5-dev # Centos/RHEL yum install gcc python-devel krb5-devel # Fedora dnf install gcc python-devel krb5-devel # Arch Linux pacman -S gcc krb5 · Once installed, the Kerberos Python extras can ...

      » pip install dpapi-ng

Published Jun 02, 2023

Version 0.2.0

GitHub

github.com › dotnet › runtime › issues › 22886

Need ProtectedData support on non-Windows · Issue #22886 · dotnet/runtime

July 21, 2017 - Current package https://dotnet.myget.org/F/dotnet-core/api/v2/package/System.Security.Cryptography.ProtectedData/4.0.0-rc3-24022-00 throws PlatformNotSupported on non-Windows. This feature is needed by PowerShell and Nuget and it doesn't...

Author SteveL-MSFT

Stars-blog

stars-blog.com › dpapi-equivalent-on-linux

We cannot provide a description for this page right now

MSMVPS

blogs.msmvps.com › alunj › 2009 › 09 › 26 › sometimes-it-seems-like-unix-needs-to-learn-from-windows

Sometimes It Seems Like Unix(*) Needs to Learn from Windows – Tales from the Crypto

September 26, 2009 - Jesper brought up the excellent question of “how is it different?” – in the *x system, the password is marked as only being accessible to the correct user. I was about to answer him when Steve F spoke up for me, and noted that in the DPAPI case, you have to read the file, and then an API has to be called to decrypt the password; in the *x case, you simply have to read the file.

LinuxQuestions.org

linuxquestions.org › questions › linux-security-4 › storing-secrets-in-linux-4175532470

[SOLVED] Storing Secrets in Linux

Hi There; I am studying over the security, and the book I am reading is mainly based upon windows systems, so it gives options below : Storing secret

Mono

mono.github.io › mail-archives › mono-devel-list › 2010-February › 034135.html

[Mono-dev] Equivalent of DPAPI in Linux / Status of ProtectedData ?

February 17, 2010 - On which mechanism/other software it relies in Linux? Many thanks in advance, Lionel -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.ximian.com/pipermail/mono-devel-list/attachments/20100217/ff5a2ce7/attachment.html · Previous message: [Mono-dev] Mono: Issue running xsp on RHEL5 · Next message: [Mono-dev] Equivalent of DPAPI in Linux / Status of ProtectedData ?

CodingTechRoom

codingtechroom.com › question › linux-data-protection-api-equivalent

What is the Equivalent of Data Protection API on Linux? - CodingTechRoom

# Example of using OpenSSL for data encryption in Linux import os from Crypto.Cipher import AES from Crypto.Random import get_random_bytes def encrypt_data(data): key = get_random_bytes(16) # AES key size is 16 bytes (128 bits) cipher = AES.new(key, AES.MODE_EAX) ciphertext, tag = cipher.encrypt_and_digest(data) return cipher.nonce, tag, ciphertext # Example usage data = b'My sensitive data' nonce, tag, ciphertext = encrypt_data(data) While Windows offers the Data Protection API (DPAPI) for encrypting sensitive data, Linux provides several alternative libraries and tools that perform similar functions.

Twitter

twitter.com › stacksecurity › status › 426234297801261056

Security SE

JavaScript is not available · We’ve detected that JavaScript is disabled in this browser. Please enable JavaScript or switch to a supported browser to continue using twitter.com. You can see a list of supported browsers in our Help Center · Help Center · Terms of Service Privacy Policy ...

Pydigger

pydigger.com › pypi › dpapi-ng

dpapi-ng

## Requirements * CPython 3.7+ * [cryptography](https://pypi.org/project/cryptography/) * [dnspython >= 2.0.0](https://pypi.org/project/dnspython/) * [pyspnego >= 0.9.0](https://pypi.org/project/pyspnego/) ## How to Install To install dpapi-ng with all the basic features, run ```bash python -m pip install dpapi-ng ``` ### Kerberos Authentication Kerberos authentication support won't be installed by default as it relies on system libraries and a valid compiler to be present. The krb5 library and compiler can be installed by installing these packages: ```bash # Debian/Ubuntu apt-get install gcc