April 10, 2018

KDE Plasma Vaults Gets More Paranoid With The Addition Of Offline Only Mode

Recently, long-time Plasma developer Ivan Čukić released an update to his Plasma Vaults application, which made its debut on the desktop with Plasma 5.12. For the uninitiated, Vaults are, as the name implies, a way to securely encrypt and lock files and folders on your Plasma desktop.

While there are many open source ways to do this already, both through a GUI and the command line, having this type of feature built into KDE Plasma is certainly appreciated and helps to underline the importance of privacy and security to Plasma's users.

Continuing in that vein, Ivan brought to light an aspect of Vaults, and of encrypted files in general. A typical use case for a Plasma Vault user would likely be something like this: when they sit down to work, they click on the Vaults icon and open their folder containing documents and/or folders with potentially sensitive information. They likely keep the vaults open until the end of the work day, when they either shut down their PC, which locks the Vault, or manually lock the protected information before they log out of their Plasma session.

The thing is, new information coming from security researchers and the general public has brought to light that there may be risks even while the session is open and you're sitting at your computer. He points out that while we can protect our computer when we are physically there, thereby limiting others' access to our information, there is at least some degree of risk that information is compromised even when we are at our computers.

He cites examples such as user error, like clicking on a malicious link that would give an outside user access to the computer. Additional examples include attacks on CPUs and other vulnerabilities that could give outside attackers remote access to your system via the network. Although unlikely, these scenarios are increasingly common in the news and therefore should possibly be taken into account.

Vaults in Plasma's system tray

To help with this, Vaults will be introducing what I call "Paranoid Mode": basically a simple offline mode that integrates seamlessly with your Plasma Desktop. When we create a Vault, we will have the option to make it accessible in offline mode only. If that option is checked, when a user opens the protected vault, the application will disable networking, via Plasma's network manager, for as long as the folder is open.

This is actually rather genius. By cutting off outside network connectivity, we can be further assured that any sensitive documents or other information are inaccessible to all but you, the owner of the data. A practical application could be something like this: let's say a user has a routine where once a month they enter last month's financial business information into KMyMoney. The user, being a smart cookie, has her financial database encrypted using Vaults.

While working in KMyMoney, she would rather not have her financial information exposed to an exploit over the network. Since she checked the option to go offline while that Vault is open, the network is disabled for as long as she works in the financial application.

Upon re-locking the Vault, presumably, the network session would be restored. That is just one example and I'm sure readers of this blog could cite many others as well. While perhaps not necessary for simple day-to-day documents (which is why this functionality is optional), it is really appreciated that such thought is given to use cases like this.
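The same "offline while open" behaviour can be reproduced around any encrypted folder with NetworkManager's `nmcli`. The script below is an added example, not Plasma Vault's own code; it goes beyond the post by handling several offline vaults open at once and a network that was already off. The function names and `STATE_DIR` are hypothetical.

```shell
#!/bin/sh
# Added example, not Plasma Vault's code. Assumptions: NetworkManager's nmcli
# is installed; function names and STATE_DIR are hypothetical; vault names are
# plain file names (no slashes).
NMCLI=${NMCLI:-nmcli}
STATE_DIR=${STATE_DIR:-${XDG_RUNTIME_DIR:-/tmp}/offline-vaults}

# Call before opening vault $1. The first offline vault records whether
# networking was enabled and switches it off; later ones only register.
offline_enter() {
    mkdir -p "$STATE_DIR/open" || return 1
    if [ -z "$(ls -A "$STATE_DIR/open")" ]; then
        "$NMCLI" networking > "$STATE_DIR/prior" || return 1
        "$NMCLI" networking off || return 1
    fi
    : > "$STATE_DIR/open/$1"
}

# Call after locking vault $1. Networking comes back only when no other
# offline vault is open and it was enabled before the first one opened.
offline_leave() {
    rm -f "$STATE_DIR/open/$1"
    [ -z "$(ls -A "$STATE_DIR/open" 2>/dev/null)" ] || return 0
    if [ "$(cat "$STATE_DIR/prior" 2>/dev/null)" = "enabled" ]; then
        "$NMCLI" networking on || return 1
    fi
    rm -f "$STATE_DIR/prior"
}

# with_offline NAME CMD...: run CMD with networking off, failing closed if
# the network could not be disabled. Returns CMD's exit status.
with_offline() {
    name=$1; shift
    offline_enter "$name" || { echo "network still up, not opening $name" >&2; return 1; }
    rc=0
    "$@" || rc=$?
    offline_leave "$name"
    return "$rc"
}
```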

Vault's offline mode in KDE Plasma
Checking the new offline mode when creating a new Vault in KDE Plasma

It is details like this that really push KDE Plasma to the forefront of privacy and security for its users. As many of you know, users' privacy and security is one of the concentration areas of KDE Plasma going forward. This provides another great example of the thought and care given to that initiative.

Could you see yourself using offline mode (I really think it should be renamed Paranoid Mode!) in your day-to-day or week-to-week computing activities? If so, be sure to let us know.


- Offline Vaults for an extra layer of protection
