Profile decryption problem after last update
-
Been running vivaldi on always fully updated KDE Neon with no issues. Vivaldi was updated in yesterday's Neon updates. Did fresh boot this morning so presumably running the new vivaldi. But now, for the FIRST time, the following occurs:
-
instead of going straight to vivaldi, a window opens, asking "Who's using Vivaldi?"
- the choices are "Profile 1" and "Add", with a "Guest mode" at the lower left
-
since I already have plenty of history and bookmarks, I'm not a "guest" nor should I need at "add" a profile, so I click on "Profile 1".
-
Another window opens, entitled "Decryption failed: risk of data loss". Inside the window it says:
"Vivaldi could not unlock your secure key store. Without the key store, you will lose your saved logins, secure cookies, and some features like Sync, Mail, and Calendar will stop working.
Please quit now, unlock or repair your key store, and then try again. Do you really want to continue, but lose data?"
Buttons to click are: "Switch profile" or "Continue with Data Loss".
The first is a non-issue, and the second unacceptable, so I just "X" out of but windows and am left with no Vivaldi.Searched a bunch for Vivaldi with terms like 'key store', 'unlock profile', etc, but found nothing.
The Vivaldi is a flatpak version. f'latpak list' says it's 6.8.3381.44.
There is one more detail that makes this problem especially strange. The Vivaldi flatpak is installed with "--user", so everything is in my home directory, which is in its own partition, and therefore Vivaldi can be seen by any distro on my system, and for grins, I have KaOS installed also, a distro with a number of similarities to Neon that I wanted to monitor. Here's the strange part - if I boot to KaOS, VIvaldi just comes up with no issues from the same installation(!).
I mention KaOS only if it provides a clue. I do want to be able to run Vivaldi on Neon, as I have been doing.
Any ideas?
-
-
@georgep To be safe, back up your profile. Then you can give the data loss option a try and see what happens. Have never heard of such a message, could be flatpak specific.
-
I may need to try the "data loss" option at some point, but I'm waiting a while, hoping someone has a better idea. The intriguing part of the message displayed by Vivaldi was where it said "unlock or repair your key store", so if anyone knows how to do that, that would be great.
For the time being, I'm running my (shared flatpak) Vivaldi under the KaOS distro and that works fine.
-
Hi. This feature is new and might misbehave. However, from your description, it’s behaving as it should! Vivaldi stores a decryption key in either KWalet (KDE) or GNOME Secrets. When you switch distribution or desktop environment, the secret may be “left behind” in your other environment.
The dialog is intended to warn you before your data gets overwritten. The instructions are unclear, because the topic is quite complicated. For comparison, other Chromium browser just silently erases your secure cookies and saved passwords in this situation. Earlier versions of Vivaldi had the same behavior. The only thing that has changed is that you’re now told about the problem and given an opportunity to fix it before any data loss occurs.
To fix this problem, you either need to go back to your earlier environment — as you discovered, that one still works, or adjust you secondary environment to use the same decryption key.
You mention that you run your profile in multiple distribution. Unless they share a /home directory, they can’t access each other's secret keys. It sounds like you want to export your secret key from one environment and import the same key into the other environment.
If they do share /home directory, you may need to ensure thatyou use KWallet or GNOME Secrets in both environments. The Chromium wiki has more information on switching password storage on Linux. You may note that there is also an option there for running without encryption, if you prefer not having to deal with this.
Alternatively, you may want to use separate profile paths for your different environments and keep them in sync with Vivaldi Sync.
-
@daniel Wow, great info. Yesterday, I got the idea that this could be a Chromium issue, and researched that, but nothing useful, probably because I was searching for 'key store' and not 'password store'.
That search did give me the kwallet idea, and I noted that KaOS, where viv worked, had it enabled, but Neon had it disabled. But enabling it in Neon got me to a password prompt, but after entering that, just wound up at the "Who's using Vivalidi?" window. So no joy there.
So your post seems to be what I needed. I'll check it out and report back - really.
Both distros share the same home partition. I would like to run Viv withOUT encryption, since I don't use Viv to store passwords, and as for login cookies, I am ordinarily logged out of any websites. So no security issue.
I am anticipating a problem though, since the working Viv is on the distro with kwallet enabled, that suggests the profile is encrypted. I'm concerned if I switch to '--password-store=basic' that the profile will not be decrypted. But we'll see.
I also have a Linux Mint partition, also sharing /home, that is still hanging around (though I keep it updated). I tried Viv on that and get the same "Who's using ..." window. This one is probably trying to use the gnome keyring. However, as long as I can get Viv working on both Neon and KaOS I'm good.
Incidentally, I turned kwallet off in Neon a while ago because it was causing lots of problems, and there seemed to be lots of online agreement to just shut it down.
I'll post here what happens.
-
Unfortunately, the problem I anticipated has occurred.
On KaOS, the distro on which Viv was working, I added the '--password-store=basic' parameter to the .desktop file used to start the Vivaldi flatpak. The result was that I now get the "Who's using ..." window there as well. Clicking there on "Profile 1" also produces the "data loss" window.
So switching to basic did NOT decrypt the profile.
I had left Kwallet enabled, lest it be needed to do the decryption. Since that didn't work, I DISabled Kwallet and tried again. Same result.
Not sure what to do next ...
-
@georgep Hi, I'm not on Linux, so I know little about the details on how Chromium stores the secret in the keyring. Daniel can probably fill out any technical details here.
A little web search found me this:
https://rtfm.co.ua/en/chromium-linux-keyrings-secret-service-passwords-encryption-and-store/
https://www.linux.org/threads/what’s-the-chromium-safe-storage-in-wallet-manager.50095/But what I'm pretty sure of is: You can't just change encryption method on an existing profile - it won't work and it won't be able to decrypt the passwords already encrypted with the key. So you need to start from a fresh profile, or at least make sure to delete the
Login Data
file and probably also theCookies
file - after you've exported the passwords obviously.Extension data is also encrypted, so you might have issues with that as well if extensions you use have important data saved.
Probably best to start from a clean profile and import your passwords from a backed up text file.
Passwords can be exported in CSV format from your working profile.
chrome://password-manager/settings
And of course, once you have passwords stored in basic format, you'd better make sure to always use the shortcut with the correct parameter to launch the browser, otherwise it will probably just fall back to using the keyring again.
-
I also experienced this problem. After updating Vivaldi from
vivaldi-stable-6.7.3329.41-1.x86_64
tovivaldi-stable-6.8.3381.44-1.x86_64
, my personal and work profile got locked, so Vivaldi launched the "Who's using Vivaldi?" dialog. I was in a hurry, so I quickly dismissed the warning that site data would be lost. While my history is still intact, I'm logged out everywhere. Not a disaster, just a bit inconvenient.I tried to salvage my work profile by reverting through my package manager, but unfortunately, the data was wiped too (without a warning, by the way, so I'm assuming this was added in the new version).
I hope this was an oopsie from the developers, as I'm not so keen logging in everywhere again after each update. If this does happen again, I might disable the encryption feature altogether, as my disk is encrypted anyways.
Edit: for clarity, I'm not using Flatpak, just the version from my
dnf
package manager. I'm also not sharing a home partition as OP does, so I think it's more related to the new update. -
It's me, the OP.
My situation has deteriorated. When I restored the original .desktop file used to start flatpak Viv, and re-enabled Kwallet, instead of working on KaOS as before, now I also get the "Who's using ...?" window.
So NO working Vivs now, in any of my 3 available distros.
@Pathduck Interesting links. It will take me a little while to work thru them.
Since I don't use Viv to store passwords, there will be no problem there.
The extension data will be annoying though. Been thru that in the past when I tried to share a Viv profile on a dual-boot Windows/Linux Mint machine.
Unless there's something great in your links, I expect I will need to do the clean profile.
-
@georgep I'd advise you against sharing a home folder over multiple distributions. To be honest, I'm surprised this is the first time something went wrong. As all config files and state of your user lives there, I'd expect things to break when, e.g. two distro's use a different version of the same program.
-
@NiRo1205 said in Profile decryption problem after last update:
two distro's use a different version of the same program.
That's also a very good point - you can't expect to safely jump between two different versions, there's a major risk of changes in data structures causing a corrupt profile with unforeseen results.
Basically, keep profiles separate and use Sync for the important stuff. And even then, make sure to keep versions always updated, as Sync itself could change its data structures from version to version causing breakage.
You can't for instance expect to be able to jump from one Stable profile using Sync to a Snapshot profile with the same Sync user account. It's guaranteed to bork your profile.
-
@NiRo1205 Yes, one must use due care in sharing a home folder. This is why virtually all of my GUI apps are flatpaks or appImages. These will run in any distro, and everything is stored in home.
However, there is a bunch of distro-specific stuff in home, especially related to the desktop environment. - in .config for example. However, in the separate partition for each distro, I've created a /shadowhome. In my home paritition, I've symlinked .config to one in /shadowhome.
This means that whatever distro is running, the .config in use is one stored in its own partition.
.config is just an example. Some other stuff is symlinked the same way - basically whatever a distro wants to install in home.
Clear as mud, right? But it's worked well.
This case is a bit weird because Chromium, and thus Vivaldi, is doing something different essentially based on what distro is running it, in particular, what secret service is running on the distro.
-
@Pathduck I'm hoping as long as I start VIvaldi in each distro with no encryption, there should be no problem.
Viv worked fine in all three distros before this recent change.
Of course, KDE Neon is my primary focus, so as long as I get Viv working there, I'm good.
I've now reviewed your links, and tho interesting, I did not see any possiblity of saving my current profile.
-
As I said before, "When I restored the original .desktop file used to start flatpak Viv, and re-enabled Kwallet, instead of working on KaOS as before, now I also get the "Who's using ...?" window."
This was perplexing, but now I have a clue. When Viv is sitting at the "Who's using ..." window, I run ps aux | grep -i vivaldi on the command line, which shows lots of Viv processes. Three are very interesting tho:
ps aux | grep -i vivaldi | grep password
george 2913 0.2 0.0 2540 1716 ? Ss 19:48 0:00 bwrap --args 40 -- vivaldi --password-store=basicgeorge 2925 0.2 0.0 2540 1440 ? S 19:48 0:00 bwrap --args 40 -- vivaldi --password-store=basic
george 2926 9.2 0.6 34233564 200824 ? Sl 19:48 0:00 /app/vivaldi/vivaldi --disable-features=WebAssemblyTrapHandler,DesktopPWAsRunOnOsLogin --password-store=basic --no-default-browser-check
The two "bwrap" are flatpak related. I don't know anything about the vivaldi one. But even tho I've removed the "--password-store=basic" flag from the command line, it's still being remembered somewhere!
Need more research ...
-
OK, copied the flatpak command from the .desktop file, and ran it on the command line, with only the addition of -vv, to get very verbose output to see if I could see where "--password-store-=basic" was coming from.
Surprisingly, VIv came right up, with NO "Who's using ..." window!
In ps aux, the bwraps were there, but they did NOT include password-store. Nor was the other occurrence present.
So I can now run Viv again in KaOS, as long as I use the command line.
-
Unfortunately, just using one distro did not stop my profile getting also locked. I'll keep an eye on this; when Vivaldi releases another update, I'll report here when things start breaking again.
-
OK, I got Viv working normally on KDE Neon again, withOUT needing to create a new profile.
I just copied the two files in ~/.local/share/kwalletd from the working-Viv KaOS install to the same directory in the Neon install, enabled kwallet in Neon, then logged out of Neon and back in.
In this case, I DID get tripped up on a two distro problem. To make a long story short, to share the Plasma desktop setup between KaOS and Neon, instead of using a forest of symlinks, I created a rsync shell script that used a list of folders to sync. Unfortunately, I failed to rsync the two at one point when I was messing with kwallet trying to get kmail to work, and so the wallets became desynchronized. (BTW, kmail wasn't worth the trouble ...)
Anyway, since Viv is now working in Neon again, so I'm good to go.
-
Going back now to the original issue of the surprise "Who's using ..." window, this certainly is not the way I would have setup the Vivaldi (or Chromium) change.
My first rule is always "don't break anything".
I agree the whole thing is complex, but I might have considered something like this as a STARTING point:
Instead of the "Who's using ..." window and the "data loss" window, go to another window saying as of such-and-such date, a new security check has been added. Your current situation is (whatever it is).
The user is given buttons for "Remind me later" (i.e. next time I start the browser), "Continue my current setup", and something about how to "fix" things.
I would never tell the user to "unlock or repair your key store" without some indication of how to do it.
If "Profile 1" or the like is mentioned, it should state whether that's what you've been using up to now or whether it's some default profile.
(I'm not sure why any data loss should even be needed, but that's a different issue.)
For knowledgeable people, it might be good to mention what secret service is being used.
Anyway, seems to be lots of room for improvement there.
Otherwise, Vivaldi is great!
-
One more thing on the way Vivaldi is handling this, that I forgot to mention above.
What if Viv is your only installed browser? Then when you see the "Who's using ..." and "data loss" windows and think, like me, oh gosh I need to research this --- you'll need to install another browser to do it.
-
@georgep
Hi, does other Chromium browser does the same?
I guess this message is not from Vivaldi.
Some time age I could not start KDE and had to use Xfce and got the same message.Cheers, mib