Is it safe to link my Microsoft account?

I’ve just installed Fedora 38 and during the install there was the option to link my Microsoft account which I assume can sync my OneDrive files. However I am wary of giving a third party app my MS username and password. How safe is it?

Welcome to the community!

It stores your username/password in Gnome keyring. Your user account password is used to encrypt/decrypt that password. Anyone that knows your user account password can access all passwords stored in Gnome keyring.
In theory, if your disk is not encrypted, anyone with physical access to the machine can reset the root password, set an account password and access the passwords stored.

It’s on you to decide how safe that is.

As far as I know, there is no Gnome OneDrive client, and the MS account information is only used to fetch your MS emails.

1 Like

This is for fetching emails, just like you see in Android. And you need an email client for that, which should be installed as rpm: geary or evolution.

I thought that you must know the old password to change the keyring’s password to a new one? That is handled automatically when the user changes password.
So I think you cannot hack into the keyring from cold, right?

1 Like

That seems right.

The keyring password is independent of the user password. Usually you set both the same to unlock at login instead of unlocking the keyring separately. So no, even with physical access, if you remove the user password the keyring password will remain.

Anyways encrypt your whole system with LUKS for maximum security.

Thanks for the replies. It turns out it doesn’t do what I had hoped anyway. Sadly I think I am going to go back to Windows. I had hoped the built-in MS account sync with Fedora was also for OneDrive, but as it isn’t, I wouldn’t be comfortable installing a third party client and having to hand over my MS username and password to it.

Did you try rclone or the onedrive Linux client?
Links:

I personally use the second one to sync my Uni’s OneDrive.

Technically the Gnome sync option is also a third party since it isn’t “official”. If you don’t trust third parties at all then you have to use Windows for this unfortunately.

1 Like

Thanks but as I said I would never put my trust in third parties to have my MS credentials. Absolutely no chance.

I had considered switching to a different cloud storage solution but they are more expensive and I would lose Office apps (and personally I don’t like any of the alternative office apps)

The client obtains an access token that lets it access your drive. This token is stored on your device, not the third party’s, so don’t worry, the developers won’t access your drive.

You can think of it the same way when you login to your account from your browser. It gets a token and stores it (as a cookie I think), then it uses the token to log you in.

Rclone can store your token in an encrypted form and ask for a password to decrypt it.

3 Likes

I’d be careful with my data being kept by third parties like MS. As for third party OneDrive clients on Linux, if they are open source, then their source code can be analysed, and you can even compile it on your own to make sure nothing was added to it. Do you get the same confidence in what MS does with your data? If you have a commercial license, then the privacy policy and terms of service might be better than for a free account, but did you even read any of that? Do you know whether your data isn’t scanned, analysed or used to train some neural networks?
With third party tools you can at least easily encrypt your data before sending it to the cloud (out of MS control): Feature Request: Option to encrypt files in the cloud · Issue #1023 · abraunegg/onedrive · GitHub (workaround, but working).

3 Likes

As Flo said, there is no Linux OneDrive client, which is really a shame. You can access your files on OneDrive through the web interface, but that is less useful and convenient than a real OneDrive client.

1 Like

I use a client called onedriver and it works quite well for me. IMO it is integrated nicely into the file manager, where it appears as an external storage device.
And I know it does not answer the actual question but it might still be of interest to someone.

As far as OneDrive goes, Microsoft isn’t a “third party.” It’s their cloud service. As Jon Brown pointed out above, I think it’s far more risky to trust your Microsoft Account login and password to some entity you don’t know anything about who created a OneDrive client on their own. Who knows what they are able to access? The ideal solution is a Microsoft OneDrive client for Linux. Edge may exist for Linux users, but I doubt that really useful software like Outlook, OneNote and OneDrive will ever exist for Linux.

At least for Outlook, it is usable from the browser. That’s what I do to read company email and calendar. It works well enough. I do not use OneNote or OneDrive, so no experience there.

I understand the concern. However, you are not providing your username/password to the client (speaking about the one I use); it gives you a link to Microsoft’s login page that requests access to OneDrive only, you log in from the browser and get the response URI. Give that (the URI) to the client and it gets read/write access to OneDrive only, not all of your MS account. (And of course the URI is stored locally.)

Anyways the clients are open source and even in the Fedora repo, I don’t think it is malicious.

2 Likes
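The sign-in link described in the post above can be inspected before it is opened. The following is an added example, not part of the thread and not code from any OneDrive client: it checks which host the link points to and which permissions (scopes) it asks for. The Microsoft login host, the Microsoft Graph scope names and the sample links are assumptions made for illustration, and the sample links are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the thread): the Microsoft identity platform sign-in
# host, and the Microsoft Graph scope names a OneDrive-only client would use.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com"}
ONEDRIVE_SCOPES = {"files.readwrite", "files.readwrite.all", "offline_access"}


def review_authorize_url(url, allowed_scopes=ONEDRIVE_SCOPES):
    """Return a list of findings for a sign-in link; empty means nothing flagged."""
    findings = []
    parts = urlsplit(url)
    query = parse_qs(parts.query)

    if parts.scheme != "https":
        findings.append("not https")
    # .hostname drops any "user@" prefix and port, so a link that merely
    # starts with the Microsoft name but resolves elsewhere is caught.
    if (parts.hostname or "") not in TRUSTED_LOGIN_HOSTS:
        findings.append(f"unexpected login host: {parts.hostname}")
    if query.get("response_type") != ["code"]:
        findings.append("response_type is not a single 'code'")

    # Scopes are space-separated; compare case-insensitively (assumption).
    requested = {s.lower() for v in query.get("scope", []) for s in v.split()}
    if not requested:
        findings.append("no scope parameter")
    for extra in sorted(requested - allowed_scopes):
        findings.append(f"scope beyond OneDrive: {extra}")
    return findings


# Constructed sample links; the client_id is a placeholder, not a real value.
BASE = "/common/oauth2/v2.0/authorize?client_id=PLACEHOLDER-CLIENT-ID&response_type=code"
ONEDRIVE_ONLY = ("https://login.microsoftonline.com" + BASE
                 + "&scope=Files.ReadWrite%20offline_access")
ASKS_FOR_MAIL = ("https://login.microsoftonline.com" + BASE
                 + "&scope=Files.ReadWrite%20Mail.Read%20offline_access")
WRONG_HOST = ("https://login.microsoftonline.com@login.example.net" + BASE
              + "&scope=Files.ReadWrite")

if __name__ == "__main__":
    for name, link in [("onedrive only", ONEDRIVE_ONLY),
                       ("asks for mail", ASKS_FOR_MAIL),
                       ("wrong host", WRONG_HOST)]:
        print(name, "->", review_authorize_url(link) or "nothing flagged")
```

The consent page shown in the browser after login lists the same permissions, so the two can be compared before approving.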

I did some research and found that there is an active project on GitHub, “OneDrive Client for Linux”: GitHub - abraunegg/onedrive: OneDrive Client for Linux

It has been packaged for Fedora.

sudo dnf install onedrive

I have not used this package; I do not have a OneDrive account.

Might have been more clear, but I meant MS as a third party in the Linux world. It’s a black box with bad history… Nobody here suggests providing MS credentials on some shady website.

That’s exactly my concern about MS.

Linux is a way to escape software spying on you, why contaminate it with evilcorp’s binaries with unknown and unverifiable functionality? :man_shrugging:

1 Like

In the case of onedrive, the code is open source, not a Microsoft binary.

I guess you meant that onedrive:

And I was answering quoting this:

Even if MS makes an official open source OneDrive client (or you use some unofficial open source client), MS still has unlimited access to user data on their servers.
You can encrypt the data before sending it (I mentioned it before), but another problem arises: how advanced are they with quantum computing, that modern encryption doesn’t stand a chance to?