Security - sjlouder/Lastpass-PS GitHub Wiki

WARNING: SecureString (without -Secure/-Key) is not encrypted on non-Windows platforms! See: https://docs.microsoft.com/en-us/dotnet/api/system.security.securestring?view=netcore-2.1#HowSecure

However, SecureString is still more secure than System.String:

  • Memory pinning: not swapped to disk, only a single copy in RAM
  • Uses a mutable byte array
    • Can be cleared after use
    • Decrypting values from the blob also returns bytes; perhaps these can be turned directly into AES-secured strings
      • How to handle RSA shared keys?
  • ConvertFrom-SecureString
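The "decrypted bytes straight into a SecureString, cleared after use" idea above, as an added PowerShell example (not code from Lastpass-PS; the function names, the passphrase and the byte[] input are constructed for the demo). On non-Windows platforms the SecureString itself still holds plaintext, as the warning at the top says, so wiping the intermediate byte and char arrays is the part that carries the benefit there.

```powershell
# Added example (not project code): turn decrypted bytes into a SecureString without creating a
# System.String, and expose it again only briefly, wiping every intermediate copy.
function ConvertTo-SecureStringFromBytes {
    param(
        [Parameter(Mandatory)] [byte[]] $Bytes,   # UTF-8 plaintext, e.g. what a decrypt call returned
        [switch] $KeepBytes                        # by default the caller's array is zeroed afterwards
    )
    $secure = New-Object System.Security.SecureString
    $chars  = [Text.Encoding]::UTF8.GetChars($Bytes)   # char[] is mutable, so it can be wiped too
    try {
        foreach ($c in $chars) { $secure.AppendChar($c) }   # one char at a time; no string is built
        $secure.MakeReadOnly()
    }
    finally {
        [Array]::Clear($chars, 0, $chars.Length)
        if (-not $KeepBytes) { [Array]::Clear($Bytes, 0, $Bytes.Length) }   # same array object as the caller's
    }
    return $secure
}
# Hand the plaintext to $Action as a UTF-8 byte[] (as $args[0]) and wipe the unmanaged copy,
# the UTF-16 buffer and the byte[] as soon as the block returns, even if it throws.
function Use-SecureStringBytes {
    param(
        [Parameter(Mandatory)] [System.Security.SecureString] $SecureString,
        [Parameter(Mandatory)] [scriptblock] $Action
    )
    $ptr = [IntPtr]::Zero; $utf16 = $null; $utf8 = $null
    try {
        $ptr   = [Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode($SecureString)
        $utf16 = New-Object byte[] ($SecureString.Length * 2)                 # UTF-16 = 2 bytes per char
        [Runtime.InteropServices.Marshal]::Copy($ptr, $utf16, 0, $utf16.Length)   # no managed string created
        $utf8  = [Text.Encoding]::Convert([Text.Encoding]::Unicode, [Text.Encoding]::UTF8, $utf16)
        & $Action $utf8
    }
    finally {
        if ($ptr -ne [IntPtr]::Zero) { [Runtime.InteropServices.Marshal]::ZeroFreeGlobalAllocUnicode($ptr) }
        if ($null -ne $utf16) { [Array]::Clear($utf16, 0, $utf16.Length) }
        if ($null -ne $utf8)  { [Array]::Clear($utf8, 0, $utf8.Length) }
    }
}
# Constructed demo input standing in for the bytes a vault-field decryption returns.
$decrypted = [Text.Encoding]::UTF8.GetBytes('correct horse battery staple')
$secret    = ConvertTo-SecureStringFromBytes -Bytes $decrypted
"input bytes wiped: $(@($decrypted | Where-Object { $_ -ne 0 }).Count -eq 0)"
# Use the secret only inside the block; here it just reports the byte length.
$length = Use-SecureStringBytes -SecureString $secret -Action { $args[0].Length }
"secret length: $length"
```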

Also, as far as I can tell, the fields are decrypted in memory in lastpass-cli and other ports. I imagine they have to be decrypted to be searched in the LastPass extension as well. Passwords generally have to be decrypted at some point anyway, granted, they are generally exposed one at a time.

Alternatives:

  • SecureString with key

    # 16 bytes = a 128-bit AES key; a real key must be random, not a counter, and kept out of the script
    $Key = [Byte[]] 1..16
    'Test' | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString -Key $Key | ConvertTo-SecureString -Key $Key

    • How to protect the key?
  • SQLCipher database / HashiCorp Vault / external service

    • external dependency
    • Still need to manage the key
    • Provide as an option (later on)

Attack vectors:

  • Physical access
    • Encryption alone is likely not enough anyway; the attacker can install a keylogger, dump all memory, get access to certificate stores, or brute-force the user password
    • As usual, all bets are off
  • Malware / software access to memory
    • If you're able to read any memory location, you can likely brute-force your way to the encryption key eventually.
      • There is generally less payoff for more work in grabbing all the secrets of a single person; an attacker would rather go after a specific high-value target (e.g. Target, city governments)

Further Reading