How to manage passwords in a snap

I’m working on a snap that will need encrypted files supplied as after the snap is installed, (e.g. the encrypted files are not part of the snap). Those encrypted files should be located in a keystore-path.

The snap runs a service, which needs a password + the files located in the keystore-path to start. The password lives in a password-file

The startup looks something like this:

./foobar-bin --password-filename /opt/password-file --keystore-path /opt/

I’m looking for some advice and/or examples on how to implement this within a snap context.

  • How to supply/make accessible the encrypted files in the keystore-path?
  • How to get a password into a password-filename accessible to the snap service - in a secure way? Possibly by some facility available in the snap world?

Any advice here is welcome.

Ideally, I would be able to use some facility to keep the password inside the “password-file” even safer. But that’s a bonus I guess.

Code inside Snap can only access files in writable directory /var/snap/SNAPNAME/common/ , not any directory above it.

This is when Snap has strict confinement. (If it is --classic snap, it can write to other directories).

Some examples of managing settings here:

How does this relate to the $HOME/snap/ directory for users?

@lonroth

I would presume that only classic snaps can access $HOME/snap/ . But I have not read snapcraft source code, so I don’t know is this true or false.

For files at /var/snap/SNAPNAME/common/* , in strict sandbox it’s possible to write to that * directory with some programming language.

@lonroth

About keeping passwords etc encrypted. I presume Snap itself does not have integrated encrypted keychain currently.

Some encryption and security options are discussed here:

Also this software has a way to encrypt database:

Related Ansible Vault:

In fact $HOME/snap/<snapname>/current is the snaps home, all snaps can access this via the $SNAP_USER_DATA variable and $HOME will by default point to this directory at runtime. current is a symlink to a versioned directory, so that if you roll back and forth your snap revision (using snap revert and snap refresh), your $HOME will always find the exact data for the particular version.

Equivalently $SNAP_USER_COMMON points to $HOME/snap/<snapname>/common which is unversioned and should hold payload data of your snap that you do not want duplicated by version.

/var/snap/<snapname>/current and /var/snap/<snapname>/common are the system level equivalents to this (but only root writable since they live in /var where normal users can not write) and can be accessed through the $SNAP_DATA and $SNAP_COMMON variables.

1 Like