I was recently mumbling about where to store private key backups for crypto wallets, digital signature certificates etc. I know that the strongest practice would be never ever keep those data in digital form and on any cloud (I guess you might agree but let me know…).
Anyway let’s suppose I store a private key or some very sensitive info which I won’t access frequently in CodeBook, question is: since I use the app a lot for my other daily tasks, is unlocking Codebook a “threat” for all stored data even if that specific record is not being displayed on screen? In other words: should I consider keeping very sensitive info which is not accessed frequently separated from not-really-sensitive info used everyday?
Thanks for your support of Codebook and posting to the discussion forum. Sorry for the delay in response.
Codebook does not decrypt the entire database en masse, it decrypts only as needed. However, there is caching in place, so depending on the size of your database and how you access it, the whole database may be in memory at any given point in time. The details are available in this page about how SQLCipher (Codebook’s backend) works:
That said, as a general comment, it’s virtually impossible to secure a program in a situation where rogue administrative software can read an application’s running process memory. For example, even systems like TrueCrypt and other full disk encryption systems are susceptible to attack with elevated access.
However, this is balanced by the fact that it is generally very difficult to gain the administrative level of access required to dump memory (i.e. normal applications can’t do it). It is not trivial to access the running memory of other processes.
As a practical example, consider an application keeps only a partial subset of the data “in memory”. It must also have an encryption key in memory to decrypt the rest of the data when needed. Any sufficiently sophisticated malware running with administrative privileges and direct memory access could just skip trying to get the data from memory, and instead grab the encryption key and the file.
Please let me know if this answers your question and if there’s anything else I can do to assist.