keep me signed in logouts after some time about electronmail HOT 10 CLOSED

Can you specify which OS and app version you are using?

from electronmail.

app version 0.3.2 (but its the same for previous versions)
OS Win 7 Enterprise x64 SP1 - all security updates installed

from electronmail.

Can you try this version https://www.dropbox.com/s/fquubq186t9ldqn/protonmail-desktop-app-0.4.0-windows-nsis-installer.exe?dl=0? A basic workaround has been applied.

from electronmail.

Also in case of facing this issue, can you run rundll32.exe keymgr.dll,KRShowKeyMgr in console (or running win+r, it opens Credential Vault) and locate there protonmail-desktop-app/master-password record?

from electronmail.

Running version 0.4.0 now. For now master password record is there if I run that command and auto login works. Give me a week to test it. I'm not exactly sure after how many days the problem appeared before, but I think it was not more than 7 days. So we will see.

from electronmail.

There is no option to specify expiration doing password record saving into the vault, so I guess system removes it automatically from the Credential Vault based on some criteria which is unclear so far. Workaround simply re saves password into the vault each time when auto login is happening.

from electronmail.

I found the issue. I thought before its just saved in some config file for protonmail-desktop-app and not directly in the system passwords and I'm autocleaning that regularly, so that was why it was gone after some time. Maybe better to save that just in some encrypted config file created just for this app and not directly in the system?

from electronmail.

Saving something encrypted means that it will need to be decrypted then. Automatic decryption means that encryption key will need to be saved somewhere as user is not asked to enter it. For example encryption key can be a hash generated based on the hardware devices serial numbers (such as HDD serial number, or CPU), but getting such kind of system information would most likely require admin access rights and would complicate things in general.

So node-keytar is used to save the master password in system's keychain. Saving password in system's keychain is not really secure by the way atom/node-keytar#88. That's a reason why there is a red warning with a security weakness message shown near the password saving checkbox. So password saving option is supposed to be used only if you understand the risk.

from electronmail.

I understand this. I thought maybe some password decryption based on USB flash drive with some key file or something like that.

from electronmail.

password decryption based on USB flash drive

That should not be a problem to implement this, but it's not in the agenda so far.

It would be great if a system keychain would allow to interact with the specific password record to only app that created that record, for example based on the app path and it's hash sum, but it's not like that.

from electronmail.