Is it possible to start the flatpak daemon at startup?

[peterc-s]

I am using cinnamon so I can run commands upon startup or with a delay, I want to be able to just go straight to unlocking with biometrics (rather than pin) when I try to unlock my browser extension vault - is this possible currently?

[quexten]

Well, on boot a key needs to come from somewhere. Biometrics only provide "yes/no" as a result, not a cryptographic key, so currently you need to enter the pin once on boot.

Depending on your threat model, it could be loaded from the keystore on boot. This slightly weakens security since the whole unsandboxed userspace has access to the keystore, but depending on your threat-model, this can be acceptable.
I'm not sure whether this should be a core feature of goldwarden itself, or if it should just be scriptable, i.e something like: "secret-tool lookup app goldwarden | goldwarden vault unlock --stdin" on boot.

Much more complicated architectures involving the TPM, that would not need the keystore, are technically possible, but should probably be done on os/desktop level, i.e flatpak/xdg-desktop-portal#1275

[peterc-s]

Ah, that's fair enough, I probably won't then. Just a feature from Windows which I kind of miss sometimes - don't know how they implemented it though.

[quexten]

Depending on how apps implement it they can have a similar issue. In older versions Bitwarden Desktop stored a biometric secret protected by authorization (yes/no) in the windows credential store, which could be dumped by other apps.

These days, they use a secret derived from a windows hello key, which can still be snooped, but requires active involvement of the user (i.e a windows hello prompt triggered by a malicious app).

Internally, I would guess windows uses the TPM at the OS layer to protect and persist secrets between boots, and then has them in some protected process during runtime. On Linux, these facilities just don't exist yet on the desktop level.

[peterc-s]

Ooh, I didn't know that - I mean TPM isn't safe from hardware hacking nowadays but I personally am not too worried about that. Still though, major improvement being able to use biometrics, means I can finally turn my vault to auto lock more frequently and don't have to worry about typing out my password a bunch.