Hi, I’m making a snap for ubuntu core, and from snap-layouts I can’t find if there is any good location for snaps to put sensitive data, that shouldn’t be readable by other users or other snaps.
I first just tried . but that is not writable by code in the snap, is that correct?
Is there a recommended place to store sensitive files?
there are four locations that a snap may store files that are not accessible to other Snaps. on Ubuntu core two of those are the most pertinent for background services: $SNAP_DATA and $SNAP_COMMON (the other two being $SNAP_USER_DATA and $SNAP_USER_COMMON, which are specific to each user that invokes your app). You can use either, but should make sure you understand the difference between the _DATA and _COMMON variants: _DATA is copied each time your snap is updated to a new revision so that if the user reverts the snap to an earlier revision they will also be reverting the saved data to that point in time. The _COMMON variants are not version-managed in any way, so each revision will see the same files, and if your snap is reverted the user won’t be reverting any changes to the saved data, which might be breaking things.
Thanks a lot for the info 
So when I try to write to the common dir, I get ‘Permission denied’.
Tested it with a simple command:
apps:
mytest:
command: echo "bla" > $SNAP_COMMON/bla.txt
I currently have:
grade: stable
confinement: strict
And installed with: sudo snap install --devmode.
Is there an interface that i missed? I looked at other yamls and through the interfaces, but couldn’t find anything.
Note that SNAP_COMMON is only writeable by root. The Environment Variables docs explain what the permissions and use is for each location.
Ah, silly of me, didn’t even notice the missing USER in the variable name.
Sorry, and thanks!