MacOSX: wallet.dat content should be stored in Mac OSX Keychain #2545

Closed
jonasschnelli opened this issue Apr 22, 2013 · 8 comments

@jonasschnelli
Contributor

I'm not sure if it's a good idea, but let's see what others think:

Could we not store the wallet.dat content in the MacOSX keychain?
The keychain would then provide basic security (secured with the login credentials).
Of course we could keep the wallet encryption function (encrypted wallet in encrypted keychain data).
In my eyes it would provide basic security for normal users.

As you noticed, I'm focusing on Mac improvements. Windows 8 should also have an encrypted registry like keychain.

What do you think about this? Already discussed?
I could provide the MacOSX implementation.
It could just be a keychain string store with a base64 string of wallet.dat. Length is limited to the NSString length, which would then be 2^32 - 1 (4.2 billion chars).

@luke-jr
Member

luke-jr commented Apr 22, 2013

  1. wallet.dat is going away anyway
  2. OS-specific formats like this are not portable and probably hard to back up
  3. What benefit is there to double-encrypting?

@jonasschnelli
Contributor Author

  1. Okay, I did not notice this (since I'm new here) :)
  2. Right, but an export wallet function could be done, but maybe it is an overhead?
  3. Benefit: novice (normal) users have an encrypted wallet by default (encrypted with login credentials). If "somebody" grabs the hard drive or a backup of the drive, he cannot get access to the wallet.dat file.
    I'm just saying it would prevent normal users from having unencrypted wallets on their disk (it's then like encrypted partitions on your disk).

@gavinandresen
Contributor

I agree it would be nice if the OSX wallet was smart enough to store keys in the OSX keychain; it is exactly the type of thing the keychain is designed for.

@Sjors
Member

Sjors commented Mar 16, 2018

I agree that the keychain is a more appropriate place for private keys than the wallet.dat file. In particular this protects users with unencrypted hard drives and non-admin users on a shared computer (?).

An interesting possibility would be to create a fresh keychain specifically for the wallet.

I suspect however that it's too much effort to maintain this in a cross platform setup.

Some practical issues I'm seeing:

  1. Backups. I suppose backup commands could fetch all keys from the keychain first
  2. macOS might prompt user for keychain access at weird moments, as it needs to save more keys
  3. Multiple wallet support (Basic Multiwallet GUI support #11383 / Multiwallet for the GUI #12610)
  4. Wallet encryption support (is the value that's stored in the key chain encrypted?)
  5. How do we warn the user that they shouldn't delete their keychain and take those keys with them when moving to a new machine?

@ryan-mars

I'm not subscribed to this issue or watching this repo but I just received an email notification for @Sjors's comment. Is this a GitHub bug?

@2xic

2xic commented Mar 24, 2018

@Sjors
Yes, using the keychain will protect users with unencrypted hard drives and non-admin users on a shared computer. Because "a keychain is an encrypted container" (link).
It is also possible to create multiple keychains (with a different password) for the same account. Therefore people sharing the same account can also stay safe. Also, the access to the keychain can be application restricted (only bitcoin core can access the keychain).

(my answer/thoughts/ideas regarding your comments)

  1. Backups. I suppose backup commands could fetch all keys from the keychain first
    It is possible to do a simple fetch command. Apple also has a nice tool for transferring the keychain from old to new computers (link). However, I think having a fetch command is good for cross-platform compatibility.

  2. macOS might prompt user for keychain access at weird moments, as it needs to save more keys
    This might be a problem. I have been doing some tests with the keychain API. I do get a prompt for inserting passwords at some weird times (some functions are weirder than others). However, if the keychain support gets baked well enough into the GUI this problem might fade away.

  3. Multiple wallet support (Basic Multiwallet GUI support #11383 / Multiwallet for the GUI #12610)
    Having a different service name for the keychain or creating a new keychain for each wallet can separate the multiple wallets.

  4. Wallet encryption support (is the value that's stored in the key chain encrypted?)
    Yes.

  5. How do we warn the user that they shouldn't delete their keychain and take those keys with them when moving to a new machine?
    I'm no UX expert so this will be a bad answer. Since the keychain will be treated as a wallet.dat, the keychain implementation should get the same warnings as the wallet.dat implementation.
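
An added illustration of the per-wallet service name and the backup fetch discussed in the comment above. It is not code from Bitcoin Core or from any participant in this thread; the `org.example.wallet.` prefix, the function names, the wallet names and the sample bytes are hypothetical, and it assumes macOS with the Security framework and the user's default keychain.

```swift
import Foundation
import Security

enum KeychainError: Error { case status(OSStatus) }

// Hypothetical naming scheme: one service string per wallet keeps items apart.
func serviceName(forWallet wallet: String) -> String {
    return "org.example.wallet." + wallet  // placeholder prefix
}

func baseQuery(wallet: String, account: String) -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: serviceName(forWallet: wallet),
        kSecAttrAccount as String: account,
    ]
}

// Add the item, or overwrite its data if it already exists.
func storeSecret(_ secret: Data, wallet: String, account: String) throws {
    let query = baseQuery(wallet: wallet, account: account)
    var attrs = query
    attrs[kSecValueData as String] = secret
    var status = SecItemAdd(attrs as CFDictionary, nil)
    if status == errSecDuplicateItem {
        let update: [String: Any] = [kSecValueData as String: secret]
        status = SecItemUpdate(query as CFDictionary, update as CFDictionary)
    }
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

// Fetch for backup/export; nil when no item exists for this wallet.
func loadSecret(wallet: String, account: String) throws -> Data? {
    var query = baseQuery(wallet: wallet, account: account)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess else { throw KeychainError.status(status) }
    return item as? Data
}

// Constructed sample bytes, not real key material.
do {
    try storeSecret(Data([0x01, 0x02, 0x03]), wallet: "savings", account: "seed")
    try storeSecret(Data([0xAA, 0xBB]), wallet: "spending", account: "seed")
    let savings = try loadSecret(wallet: "savings", account: "seed")
    print(savings?.count ?? 0, "bytes fetched for wallet 'savings'")
} catch { print("keychain error:", error) }
```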

@fanquake
Member

I'm going to close this for now. I think the likelihood of us adding more macOS specific code to implement this is very low.

@Sjors
Member

Sjors commented Apr 26, 2020

If Apple ever adds the correct curve to their secure enclave chips on Macs, and allows signing with it, then we should consider adding support for that.

@bitcoin bitcoin locked as resolved and limited conversation to collaborators Feb 15, 2022