Securing Flatpak apps storage (Signal Desktop)

Signal Desktop stores the encryption keys of your messages in plain text.

It has to, because desktops, unlike modern Android phones, don't even always have a TPM.

It is critical that desktops and operating systems integrate TPM storage in these areas, but until then… how to encrypt Signal's app storage?


Flatpaks save their storage separated, and not accessible by other flatpaks, in ~/.var/app.

But other system apps/programs/binaries are not affected, so it is still incomplete.

A solution could be to encrypt the ~/.var/app/org.signal.signal storage somewhere, and unlock and link it to the location where the app can access it.

This could be TPM integrated, but until then a GUI password prompt when launching the app would be enough for me.

I would edit the desktop entry and use some tool to do this. Unfortunately, Cryptomator has no CLI, so gpg could be used.

1 Like
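One way to build the wrapper described in the post above (unlock with gpg, launch the Flatpak, re-encrypt on exit), added here as an example and not the poster's or Signal's own code. The app ID `org.signal.Signal`, the archive path and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Desktop entry: Exec=/path/to/signal-locked.sh run
# Assumptions: Flatpak app ID org.signal.Signal; VAULT path chosen for this example.
set -eu
umask 077
APP_ID="${APP_ID:-org.signal.Signal}"
APP_DIR="${APP_DIR:-$HOME/.var/app/$APP_ID}"
VAULT="${VAULT:-$HOME/.local/share/signal-vault.tar.gpg}"

# Restore the app directory from the encrypted archive. gpg asks for the
# passphrase through pinentry, which is a GUI prompt in a desktop session.
unlock_store() {
    [ -f "$VAULT" ] || return 0              # first run: nothing to restore
    if [ -e "$APP_DIR" ]; then               # leftover plaintext, e.g. after a crash
        echo "refusing to unlock: $APP_DIR already exists" >&2
        return 1
    fi
    plain="$APP_DIR.tar.$$"; rc=0
    mkdir -p "$(dirname "$APP_DIR")" &&
        gpg --quiet --no-symkey-cache --decrypt < "$VAULT" > "$plain" &&
        mkdir "$APP_DIR" && tar -C "$APP_DIR" -xf "$plain" || rc=$?
    rm -f "$plain"
    return "$rc"
}

# Encrypt the app directory and delete the plaintext only once the new archive
# is in place. rm is not a secure erase: old blocks may remain on the disk.
lock_store() {
    [ -d "$APP_DIR" ] || return 0
    plain="$APP_DIR.tar.$$"; new="$VAULT.new.$$"; rc=0
    mkdir -p "$(dirname "$VAULT")" &&
        tar -C "$APP_DIR" -cf "$plain" . &&
        gpg --quiet --no-symkey-cache --symmetric --cipher-algo AES256 < "$plain" > "$new" &&
        [ -s "$new" ] && mv "$new" "$VAULT" && rm -rf "$APP_DIR" || rc=$?
    rm -f "$plain" "$new"
    return "$rc"
}

main() {
    unlock_store                     # a wrong passphrase aborts before the app starts
    trap 'exit 1' HUP INT TERM       # route signals through the EXIT trap
    trap lock_store EXIT             # re-encrypt however the app ends
    flatpak run "$APP_ID"
}

if [ "${1:-}" = run ]; then main; fi
```

The plaintext sits in `~/.var/app` for the whole session, so this covers the data only while the app is closed, and symmetric mode prompts for the passphrase again when locking.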

:rage: :face_with_symbols_over_mouth:

Let’s just all use Dino

1 Like

Or Flare for Signal!