Author Topic: Non-global whitelist?  (Read 4278 times)

xfile80303

Non-global whitelist?
« on: April 20, 2011, 08:54:10 PM »
Hi all,

Is there a way to support opening a protected app-specific store automatically without adding the app to the global whitelist?

Scenario:
I have a protected folder called "BBEdit Backups" which I only need unencrypted when BBEdit is running.  I do not want to have this unencrypted at login (no need, not as secure as only when BBEdit is running, etc.). Presently, I do not have BBEdit added to the whitelist, and I have the "BBEdit Backups" protected folder tied to BBEdit, so when I launch BBEdit I get prompted for the password for the protected folder.  I'd rather not get prompted, but the only solutions I can come up with are to add BBEdit to the global whitelist, which I'd rather not do, or to decrypt the store at login, which I would also rather not do.

Thanks,

Levi
« Last Edit: December 31, 1969, 11:00:00 PM by Guest »

mike

Re: Non-global whitelist?
« Reply #1 on: April 21, 2011, 02:11:24 PM »
Hi Levi,

The whitelist isn't what you think it is and I apologize for the confusion. It doesn't allow the application to bypass the password prompt but merely allows it to view your encrypted folder. One use for this is to allow backup apps to back up your encrypted folders without asking you for the password each time, and you can do this by white-listing it.

It is not yet possible to do what you're asking because the password is essential to decrypting your folder. We might consider making this easier to work with in the future.  

At this moment, to do what you're asking, you have to enter the password each time.
Follow @espionageapp on twitter for news!

xfile80303

Re: Non-global whitelist?
« Reply #2 on: April 21, 2011, 03:48:08 PM »
Hi Mike,

Thanks for the reply.

I'm not sure we're communicating, however.

If I add an app to the whitelist there is no prompt for the store-specific password (the Espionage keychain is unlocked by me at login), so I can do what I want if I add the app (BBEdit in this case) to the whitelist.  My concern is that I don't want BBEdit to have whitelisted access to *any* store, just the one(s) I configure.

Does that make any more sense?

Cheers,

Levi

xfile80303

Re: Non-global whitelist?
« Reply #3 on: April 21, 2011, 06:58:06 PM »
Hey Mike,

Sorry, I've had a moment to play a little bit more and I think I now understand a bit better...

The white list is for applications that don't want access to the content of the protected store, but instead should just have the ability to access the encrypted disk image directly (without unlocking it) without /trying/ to unlock it... gotcha.

So... it looks like my only option is to have the protected store unlocked at login... not a fan.  Can I request a feature then, to have the store unlocked with the password from the keychain for that store as a configuration?  Perhaps tied to application associations?  But I can envision some wanting to access stores manually without unlocking them directly as well.

Cheers,

Levi

mike

Re: Non-global whitelist?
« Reply #4 on: April 21, 2011, 10:19:41 PM »
Hi Levi,

I do understand and I also want the same feature for myself. That feature request is something we're looking into for the future but I have no timeframe on when we'll be able to implement it. Thank you for letting us know that this would be useful for you.

Let me know if there's anything else I can help you with (besides this feature request, of course :) ).

xfile80303

Re: Non-global whitelist?
« Reply #5 on: April 21, 2011, 10:48:51 PM »
Thanks Mike.

I hope you guys can get to it soon, since this feature will be key in making security less invasive for my less security-minded friends, family, and co-workers.

Cheers,

Levi

mike

Re: Non-global whitelist?
« Reply #6 on: April 22, 2011, 01:35:06 AM »
Hi Levi,

You're welcome.

Just so you understand, even if we add this option, the data is still exposed to every other app. It wouldn't just be restricted to a specific app. For example, as long as the BBEdit app remains open, every other app will still see the data. So, the benefit of this specific feature is not a major improvement over the "unlock at login". The other problem is that if you tell Espionage to lock down the folder after BBEdit is closed and you were writing some data to the files in that folder, the file can be damaged as a result of the forced lock. That's why the unlock at login is usually safer.

xfile80303

Re: Non-global whitelist?
« Reply #7 on: April 22, 2011, 03:56:22 PM »
Hi Mike,

I do understand that the unlocked stores are available to all apps, and that's exactly why I'd like to limit the time they are unlocked. If I use the unlock at login, then the store is unlocked all the time regardless of if the associated app is running or not (and without an auto-lock feature, like my other post, the store remains unlocked unnecessarily the entire time I'm logged in).

I'm not sure how to mitigate the risk of data corruption should a file be open on a store when a lock is requested for that store... I'll defer to you guys.  But, in the cases when the store is app-specific (BBEdit Backups, Mail, etc.) it's less likely that anything else will be accessing the files.

Cheers,

Levi

marty

Re: Non-global whitelist?
« Reply #8 on: April 24, 2011, 07:15:11 PM »
Thanks for your additional feedback, Levi.

Locking the folder can only be done when all files in it are closed. For "well-behaving" applications that should be no problem, but how anything might react is more up to them than to anything we might do.

Have you experimented with the Application Associations setting for "Lock on quit"? With this, you should be able to direct Espionage to lock the BBEdit folder when you quit BBEdit (or any other application(s) of your choosing).
Tao Effect Support

xfile80303

Re: Non-global whitelist?
« Reply #9 on: May 24, 2011, 08:23:25 PM »
Hi Marty,

Yeah, I'm aware of the "lock on quit" functionality and that's great stuff.  The meat of my proposal is that I want to have an application association which unlocks the store when the app is launched, but instead of asking for a password it unlocks it automatically (since the password is stored in the already unlocked Espionage keychain), and have the store lock automatically when the app is quit (as it does today).

Make sense?  Am I missing this as a currently available feature?

Cheers,

Levi

mike

Re: Non-global whitelist?
« Reply #10 on: May 30, 2011, 07:40:17 PM »
Quote from: "xfile80303"
Hi Marty,

Yeah, I'm aware of the "lock on quit" functionality and that's great stuff.  The meat of my proposal is that I want to have an application association which unlocks the store when the app is launched, but instead of asking for a password it unlocks it automatically (since the password is stored in the already unlocked Espionage keychain), and have the store lock automatically when the app is quit (as it does today).

Make sense?  Am I missing this as a currently available feature?

Cheers,

Levi
Hi Levi,

What you’re saying does make sense to us. You’re looking for the “unlock automatically upon app’s launch and lock upon quit” and it should remember the password stored within the Espionage or OS X keychain type of setup. It is not currently supported at the moment; we might support it in a future update, but like I mentioned before, I do not have a timeframe on this.