"Secure Key Store" ?
-
(using V_x64_6.8.3381 on W10)
Can anyone explain, in plain English, how I should respond to this baffling message V sprung on me tonight?
-
@kosmonaut weird. I can't think of a reason why you'd see that message on any current version of Windows.
On some versions of Linux, it is possible to start the graphical desktop without actually logging in. In such a case you would see a prompt asking you to enter your login password. If you fail to do that, then you would encounter this error, as your user key would not be accessible.
So what is happening is that for some reason Windows doesn't trust that you are the user whose account you are using, or else your system's key storage has been corrupted and is unreadable. I suppose the latter is more likely, in which case you'd need to either recover or repair it. If you have a backup of your system files that might work. Otherwise you'll likely end up with a new key, and have to recover your saved passwords using Sync.
-
@kosmonaut
Hi, answer to your question is No.
Did you copy your user profile from one system/user to another?
-
no I haven't made any changes to V in weeks. This came completely out of the blue.
-
Thanks for your reply - this gives me a lead to follow. In any event it appears, at this point, that it's really a Windoze issue rather than a V problem. Back to work ...
-
Not making much progress on the Windows end as I haven't been able to find out yet exactly what I'm even looking for.
Can anyone explain how the (alleged) "security" process works in V? "Unlocking my Secure key Store" is an abstraction. It provides us with absolutely NO useful info at all! Exactly what Windoze file or files is V checking at startup? And what is it comparing it to? How does the whole (in)security process work?
-
@kosmonaut
Hi, I will try, some files/data are encrypted with the Windows user ID, passwords for example.
If the ID changes (other user or hardware change), Vivaldi can't decrypt the files and gets stuck.
I saw this message on Linux but never on Windows before.
If you say Yes you can't reach your passwords, extension settings and cookies iirc, all others should work.
So if you have a backup with exported passwords or use sync you can handle this.
If not, your passwords are lost.
Cheers, mib
-
@kosmonaut Do you use another Chromium based browser? I know Chrome does the same thing Vivaldi does, and see no reason why MS would bother to "reinvent the wheel" in Edge. If those browsers don't complain about your secure key store, then it is some bug in your Vivaldi - though as no one else has mentioned it yet you might just have a bad copy so a reinstall of Vivaldi might fix it.
-
@sgunhouse said in "Secure Key Store" ?:
Do you use another Chromium based browser?
Thanks again.
No I don't have another (working) Chrome-based browser.
I don't think this is a Vivaldi issue. This happened just after my 5 week old install of Win10 informed me at boot up that my password had "expired" and I had to change it. I did so - in order to get logged on - and then changed it back. But Windoze (and therefore Vivaldi) doesn't consider this a return to "how things were" but 2 sequential changes to my user act. IE: the former user is MIA and now we need to protect his user data from the prying eyes of this imposter.
Why do we put up with this crap?
-
@kosmonaut Strange, I've never seen Windows expire a password. Note that changing your Windows password shouldn't matter to Vivaldi, just so long as you enter your current password the few times it would require it - that is, Vivaldi doesn't store your Windows password somewhere, it just asks Windows if the one you told it is correct.
-
@kosmonaut Thinking about it, the only way a Windows password should expire is on a managed system - on a work computer - if the administrator requires you to change passwords on a schedule.
-
In Windows, Vivaldi and all other Chromium-based browsers use the DPAPI key/token in combination with an encrypted_key value stored in the Local State file per User Data folder.
https://en.wikipedia.org/wiki/Data_Protection_API
The following data is encrypted from what I know:
- Passwords
- Cookies
- Extension data
There's a lot of information about this online:
https://www.google.com/search?q=chromium+password+encryption
There's also a lot of posts from browser users who have lost their passwords after reinstalling the OS, changing their password in a non-standard way etc. Suffice to say Chromium's implementation of this is finicky and prone to breakage.
It's not really all that secure either, as any process running with the same credentials as the user will be able to decrypt the data, something malware info stealers use to their advantage. There are also several tools to simply allow you to view the passwords without entering anything.
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords
- https://textslashplain.com/2020/09/28/local-data-encryption-in-chromium/
- https://www.nirsoft.net/utils/chromepass.html - I use this tool myself, to copy passwords when needed without having to go through the "security theater" of entering your user password first.
The warning dialog you're seeing is I believe specific to Vivaldi - it detects if it's unable to decrypt the passwords and warns you before you launch the profile and potentially lose data. I also thought it was only on Linux so far, as the mention of a "key store" is not technically correct on Windows and will only serve to confuse users. And once the DPAPI key has been changed, there's zero ways to "repair" it.
Cookies will be cleared if they can't be decrypted and you will be signed out of all sites. The value of the passwords is not changed however, they just can't be decrypted any longer as the DPAPI token has changed or been invalidated.
So how can this happen after you "just changed the password"? Well, it depends how the password was changed. From what I've read, using the Ctrl+Alt+Del dialog in Windows will not invalidate the DPAPI key, but doing it through the "Local Users and Accounts" method "Set Password" will. Unfortunately a lot of old-school Windows users and admins prefer the latter method, as one can use copy+paste there, something that won't work in the Ctrl+Alt+Del security screen.
There are also several other "gotchas" here - including changing your Windows login method (from say a password to a MS account/PIN method) or setting the login to not prompt for a password at all. And obviously, trying to load a browser profile as another user or after a full reinstall will also break decryption.
Generally (and IMHO) Chromium's encryption is pretty much useless from a security perspective, and serves no purpose other than "security theater", while at the same time making it easy for unwary users to mess things up and lose all their stored passwords. Firefox has a much saner approach - either don't encrypt local passwords at all (or just obfuscate them), or encrypt them with a master password if the user wants.
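As an added troubleshooting example (not part of the original post and not Vivaldi's or Chromium's code): the sketch below reads the header of the encrypted_key value described above and reports which DPAPI master key it references, without decrypting anything. The function names and the sample Local State are constructed for illustration; the list of file names is assumed to come from the user's %APPDATA%\Microsoft\Protect\<SID> folder.

```python
import base64
import json
import struct
import uuid

# Provider GUID found at the start of every DPAPI blob header.
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")


def master_key_guid(local_state_text):
    """Return the GUID of the DPAPI master key referenced by
    os_crypt.encrypted_key, or raise ValueError. Decrypts nothing."""
    state = json.loads(local_state_text)
    b64 = state.get("os_crypt", {}).get("encrypted_key")
    if not b64:
        raise ValueError("Local State has no os_crypt.encrypted_key")
    raw = base64.b64decode(b64)
    if raw[:5] != b"DPAPI":
        raise ValueError("encrypted_key lacks the 'DPAPI' prefix")
    blob = raw[5:]
    if len(blob) < 40:
        raise ValueError("DPAPI blob header is truncated")
    # Header: version(4) | provider GUID(16) | key version(4) | master key GUID(16)
    version, = struct.unpack_from("<I", blob, 0)
    if version != 1 or uuid.UUID(bytes_le=blob[4:20]) != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI blob header")
    return str(uuid.UUID(bytes_le=blob[24:40]))


def diagnose(local_state_text, protect_dir_names):
    """Classify a profile given the file names in the user's Protect folder."""
    try:
        guid = master_key_guid(local_state_text)
    except ValueError as exc:
        return "unreadable: %s" % exc
    # "present": the key file exists, so a failure means Windows cannot unlock it.
    # "missing": the profile was protected under another account or install.
    present = guid in {name.lower() for name in protect_dir_names}
    return "present" if present else "missing"


# Constructed sample: header-only blob with a made-up master key GUID.
SAMPLE_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
_blob = (struct.pack("<I", 1) + DPAPI_PROVIDER.bytes_le + struct.pack("<I", 1)
         + SAMPLE_GUID.bytes_le + b"\x00" * 24)
SAMPLE_LOCAL_STATE = json.dumps(
    {"os_crypt": {"encrypted_key": base64.b64encode(b"DPAPI" + _blob).decode()}})

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOCAL_STATE, [str(SAMPLE_GUID), "Preferred"]))
```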
-
Please see the following support article:
https://help.vivaldi.com/desktop/troubleshoot/decryption-failed-risk-of-data-loss-error-dialog-on-startup/