
I'm building the equivalent of a blockchain wallet; it is an end-to-end encrypted desktop program. The user (client) must be the only one to know his private key. With this private key he can send funds or perform some potentially very critical operations; of course, he just sends messages signed with the private key.

The UX allows the user to save his private key, so it can be reused later by the same application.

For obvious reasons, I need to encrypt this private key (a 64-character string) some way or another, so that any other program or person that has access to the file system cannot read it.

What are the state-of-the-art or recommended practices to address this critical issue?

Are there some OS features that allow only one program to read/put some data?

Thanks

Lamouette
    If you don't get _something_ from the user (e.g. as per Joseph's answer) then whatever you do to "secure" the private key, the means to reverse that "security" _must_ be inside your program, so any attacker can just duplicate what your program does to retrieve the key. – TripeHound Jun 21 '19 at 14:18

1 Answer


You're barking up the wrong tree trying to build a DRM-like solution. Nothing akin to DRM ever works in the long run. Instead, do this:

Ask the user for a passphrase when they save the private key. Run the passphrase through a KDF (such as PBKDF2, scrypt, or Argon2), and then use the result as the secret key for some secure symmetric encryption algorithm. Encrypt the private key with that.