Replies: 3 comments
-
Like the FAQ already says, if you want to keep key and certificate as safe as possible, use the Android keystore. That way Android itself protects the certificate from being exported. Everything else is just security by obscurity.
-
OK, thanks for the quick answer. While I'm not completely helpless, I can't really figure out how I would do that. I have found some very old tutorials on how to make separate certificates from an *.ovpn file, but they date back to Android 4 and require quite a lot of manual work. Basically, from what I've understood, I'd need to craft separate certificates, in part with openssl and maybe a PKCS12 file, but the 1 or 2 tutorials I have found are not very in-depth about that. Can you maybe direct me to an understandable tutorial on how to generate the needed files and how to import them properly when you only have an *.ovpn file to begin with? Thanks in advance for any time you can spare. Quick idea: how about implementing a generator that can automate the process within the app?
-
The app itself allows you to import a key into the Android keystore under basic settings when you select Android keystore as auth method. When you import a profile that uses an embedded PKCS12 file it also offers to import it into the keystore. You can create a .p12 file from a certificate and key via:
As for generating a CSR and putting the private key into the keystore: that is theoretically possible, but I think the use cases for that are extremely limited. People that actually want to provision private keys will probably use another app (certificates are shared between apps), and for other people it is quite complex to do it that way.
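The command the maintainer refers to is not reproduced on this page. As an added example (my own script, not the app's or the maintainer's code), the following shows the whole round trip with only an *.ovpn file to start from: pull the inline `<ca>`, `<cert>` and `<key>` blocks out of the profile, bundle them into a PKCS#12 file with `openssl pkcs12 -export`, and check that the bundle reads back. It assumes `openssl` is on PATH; the `demo` function generates a throwaway CA and client certificate and a constructed profile so it runs offline, while the block and file names (`extract_block`, `make_p12`, `client.p12`, the `changeit` password) are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example, not part of the app: turn the inline PEM blocks of an .ovpn
# profile into a PKCS#12 (.p12) bundle that can be imported into the Android
# keystore. Assumes openssl on PATH. All names below are placeholders.
set -eu

# extract_block FILE TAG -> prints the PEM between <TAG> and </TAG> of an .ovpn
# file (a <ca> block may hold several certificates; all of them are kept).
extract_block() {
    sed -n "/<$2>/,/<\/$2>/p" "$1" | sed '1d;$d'
}

# make_p12 CERT KEY CA OUT PASSWORD -> writes the bundle; exit status is openssl's.
# Older Android versions only understand the legacy PBE algorithms; if the
# import is refused, re-export with OpenSSL 3's '-legacy' option.
make_p12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -name "openvpn-client" -out "$4" -passout "pass:$5"
}

# count_p12_certs OUT PASSWORD -> number of certificates inside the bundle,
# a cheap check that the file decrypts and carries client cert plus CA.
count_p12_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# demo -> builds constructed credentials and profile, runs the round trip,
# prints the certificate count (expected: 2 = client cert + CA) and cleans up.
demo() {
    tmp=$(mktemp -d)
    # constructed throwaway CA and client key/cert, 1-day validity
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 1 \
        -keyout "$tmp/ca.key" -out "$tmp/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$tmp/client.key" -out "$tmp/client.csr" 2>/dev/null
    openssl x509 -req -in "$tmp/client.csr" -CA "$tmp/ca.crt" \
        -CAkey "$tmp/ca.key" -CAcreateserial -days 1 \
        -out "$tmp/client.crt" 2>/dev/null
    # constructed .ovpn with inline blocks, laid out as exported profiles are
    {
        echo "client"
        echo "remote vpn.example.com 1194"
        echo "<ca>";   cat "$tmp/ca.crt";     echo "</ca>"
        echo "<cert>"; cat "$tmp/client.crt"; echo "</cert>"
        echo "<key>";  cat "$tmp/client.key"; echo "</key>"
    } > "$tmp/demo.ovpn"

    extract_block "$tmp/demo.ovpn" ca   > "$tmp/x_ca.pem"
    extract_block "$tmp/demo.ovpn" cert > "$tmp/x_cert.pem"
    extract_block "$tmp/demo.ovpn" key  > "$tmp/x_key.pem"
    make_p12 "$tmp/x_cert.pem" "$tmp/x_key.pem" "$tmp/x_ca.pem" \
        "$tmp/client.p12" "changeit"
    count_p12_certs "$tmp/client.p12" "changeit"

    # The .p12 and the extracted PEMs are as sensitive as the .ovpn itself:
    # delete them once the keystore import has succeeded.
    rm -rf "$tmp"
}
```

Copy only the resulting `.p12` to the phone, import it when the app offers to put it into the keystore, then delete the `.p12`, the extracted PEM files and the original `.ovpn` from both devices; after that the profile references the keystore entry and the private key is no longer readable from the profile text.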
-
Hi there,
today I've successfully configured a profile for my first self-hosted vpn and it works like a charm.
The FAQ tells me to delete the *.ovpn-file after successfully importing it into the app so it can't be stolen, which makes sense.
However, anyone that gains access to my phone can still access the created profile and from there take a look at the generated configuration which has all the keys in plain-text in there.
There's even a neat little share-button so it can be quickly sent to anyone that might want it.
Accessing a locked phone is not the hardest task in the world, if you are being watched by someone while unlocking it.
I do use fingerprint unlock, but there's always a pin as a fallback, which could even be guessed.
I know that a person would still need to have my vpn login credentials but giving away the keys so easily seems a bit shortsighted for my taste.
What do you think about implementing some kind of PIN or password protection for the config of profiles (set in the main preferences) to protect this sensitive data? Another idea would be to just obfuscate the keys with e.g. "[certificate key is hidden]" or something in the preview.
That said, I don't know in which other ways people need this to be previewed, so it's just my two cents. Feel free to tell me why I'm wrong.
Thanks in advance for any input.
Unr3aL