• jokeyrhyme
    ↑ 7 · 3 years ago

    Meh, I’ve been using the official Firefox flatpak, and I love that my web browser has no access whatsoever to my ~/.ssh private keys, or anything else I don’t want it to be able to read

    • CHEF-KOCHOP
      ↑ 2 ↓ 3 · 3 years ago

      You could store it via KeePass, and ~/.ssh can only be read out by your browser if you are using the same user account to run both, so I would recommend storing SSH keys in the home directory of another user account. Another way would be to encrypt ~/.ssh if you store your keys there.

      • jokeyrhyme
        ↑ 3 · 3 years ago

        I was sort of cheeky with my ~/.ssh example, because I’m actually 100% on Yubikeys for my SSH private keys, so there’s only public keys in that directory now

        But, with my setup ( https://gitlab.com/jokeyrhyme/dotfiles/-/blob/main/packages/flatpak-update.sh#L66 ) I run flatpak override --user --nofilesystem=home ... for a few things like flatpak web browsers (really, I should run this for everything)

        It’s all about defense-in-depth: putting up as many barriers as I can before getting inconvenienced more than I’d like, and flatpak is so easy for me to use that there isn’t any inconvenience at all
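
An added example (not part of the comment above, nor taken from the linked dotfiles) for checking that a `--nofilesystem=home` override actually took effect: it scans Flatpak permission keyfile text for filesystem grants that still reach `~/.ssh`. The function name and both sample keyfiles are constructed for illustration; the input is assumed to be the `[Context]` keyfile format that `flatpak info --show-permissions` prints.

```shell
#!/bin/sh
# Added example: list filesystem grants in a Flatpak permission keyfile
# that would still let the sandboxed app read ~/.ssh.

# Reads keyfile text on stdin and prints one risky grant per line.
# Prints nothing when the home directory is not exposed.
risky_fs_grants() {
    awk '
        /^\[/ { in_ctx = ($0 == "[Context]"); next }   # track current section
        in_ctx && index($0, "filesystems=") == 1 {
            n = split(substr($0, 13), tok, ";")
            for (i = 1; i <= n; i++) {
                t = tok[i]
                # skip empty fields and grants revoked with a leading "!"
                if (t == "" || substr(t, 1, 1) == "!") continue
                base = t
                # :ro still allows reading private keys, so strip the mode
                sub(/:(ro|rw|create)$/, "", base)
                if (base == "home" || base == "host" || base == "~" ||
                    base == "~/" || index(base, "~/.ssh") == 1)
                    print t
            }
        }'
}

# Constructed sample: an app whose permissions include read-only home access.
SAMPLE_DEFAULT='[Context]
shared=network;ipc;
sockets=wayland;pulseaudio;
filesystems=xdg-download;home:ro;

[Session Bus Policy]
org.freedesktop.Notifications=talk'

# Constructed sample: the same app with home access revoked by an override.
SAMPLE_LOCKED='[Context]
shared=network;ipc;
filesystems=xdg-download;!home;'

# Real use (assumes flatpak is installed; org.mozilla.firefox is the Firefox app ID):
#   flatpak info --show-permissions org.mozilla.firefox | risky_fs_grants
```

Empty output means no listed grant covers the home directory; any printed token is a grant worth revoking or narrowing.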

        • southerntofu
          ↑ 1 · 3 years ago

          Note that you could do that with any program without flatpak. For example, with firejail.