Securing Flatpak apps storage (Signal Desktop)

Signal Desktop stores the encryption keys of your messages in plain text.

It has to, because desktops, unlike modern Android phones, don't even always have a TPM.

It is critical that desktops and operating systems integrate TPM storage in these areas, but until then… how to encrypt Signal's app storage?


Flatpaks save their storage separated, and not accessible by other flatpaks, in ~/.var/app.

But other system apps/programs/binaries are not affected, so it is still incomplete.

A solution could be to encrypt the ~/.var/app/org.signal.signal storage somewhere, and unlock and link it to the location where the app can access it.

This could be TPM integrated, but until then a GUI password prompt when launching the app would be enough for me.

I would edit the desktop entry and use some tool to do this. Sadly, Cryptomator has no CLI, so gpg could be used.

:rage: :face_with_symbols_over_mouth:

Let’s just all use Dino

Or Flare for Signal!

What is Flare for Signal???

Check on flathub

Thanks.
But, as I see, Flare is unofficial.

Yes and I also saw how this is completely off topic XD

Signal Desktop, btw, has native encryption now, afaik. This should solve it.

"By default, Signal is being launched with the filesystem=host option to allow access to the host filesystem.
This is currently required because Electron decided to break the portals (temporarily):
See flathub/org.signal.Signal#719 and electron/electron#43819

If you disagree with host filesystem access, please use Flatseal (or the commandline) to restrict the permissions
to the only those directories you want Signal to be able access for reading and writing files.

Press Yes to proceed with filesystem=host or No to exit.

If you manually changed the permissions with Flatseal already, you can press Yes to continue"

What do we need to type in the terminal in order to restrict these permissions, before pressing yes???

Use Flatseal or KDE Settings and allow Signal access to whatever you need.
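
For the terminal question above, an added example (not written by any poster in this thread, nor by the Signal or Flathub projects): `flatpak override` can remove the `filesystem=host` grant and allow a single directory instead, and the small audit helpers check that the resulting override really revokes host access. The choice of `xdg-download`, the function names and the sample override text are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: restrict Signal's Flatpak filesystem access and audit the result.
APP_ID="org.signal.Signal"   # app ID as written in the flathub issue reference above

# Print each filesystem grant from Flatpak keyfile text on stdin, one per line.
fs_grants() {
    awk -F= '
        /^\[/ { in_ctx = ($0 == "[Context]"); next }
        in_ctx && $1 == "filesystems" {
            n = split($2, a, ";")
            for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
        }'
}

# Succeed if the keyfile text on stdin still grants host or home access.
has_broad_access() { fs_grants | grep -Eq '^(host|home)(:(ro|rw|create))?$'; }

# Succeed if the keyfile text on stdin explicitly revokes host access.
host_revoked() { fs_grants | grep -qx '!host'; }

# Drop filesystem=host and allow only Downloads (assumed choice; pick your own dirs).
restrict_signal() {
    flatpak override --user --nofilesystem=host "$APP_ID"
    flatpak override --user --filesystem=xdg-download "$APP_ID"
}

# Audit the per-user override written by the commands above.
audit_signal() {
    local ov
    ov="$(flatpak override --user --show "$APP_ID")"
    if printf '%s\n' "$ov" | host_revoked && ! printf '%s\n' "$ov" | has_broad_access; then
        echo "OK: host access revoked; grants: $(printf '%s\n' "$ov" | fs_grants | tr '\n' ' ')"
    else
        echo "WARNING: override does not revoke filesystem=host" >&2
        return 1
    fi
}

# Constructed sample override text (not captured from a real system).
SAMPLE_DEFAULT='[Context]
filesystems=host;'
SAMPLE_RESTRICTED='[Context]
filesystems=!host;xdg-download;'

# Usage: bash this-file.sh apply
if [ "${1:-}" = "apply" ]; then restrict_signal && audit_signal; fi
```

Run it with the `apply` argument before pressing Yes in the dialog; without an argument it only defines the functions.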