Signal downplays encryption key flaw, fixes it after X drama
Signal is finally tightening its desktop client's security by changing how it stores the plaintext encryption keys for its data store, after downplaying the issue since 2018.
"The database key was never intended to be a secret. At-rest encryption is not something that Signal Desktop is currently trying to provide or has ever claimed to provide," responded the Signal employee.
Last week, mobile security researcher Tommy Mysk again warned on X not to use Signal Desktop because of the same security weakness we reported on in 2018.
While the solution would provide additional security for all Signal desktop users, the request lay dormant until last week's X drama.
While the new safeStorage implementation is tested, Signal also included a fallback mechanism that allows the program to decrypt the database using the legacy database decryption key.
"In addition to migrating to encrypted/keystore-backed local database encryption keys on supported platforms, our implementation also includes some additional troubleshooting steps and a temporary fallback option that will allow users to recover their message database using their legacy database encryption key if something goes wrong," explained Signal developer Jamie Kyle.