
QSettings secure?

  • Hi all,
    Maybe this will sound trivial, but is there a way to store QSettings in a secure way? For instance, in Eclipse RCP there are secure-settings that are stored cyphered with a user-prompted password. Does something similar exist in Qt?

  • You can "use QSettings":http://developer.qt.nokia.com/wiki/How_to_Use_QSettings and store encrypted values with a symmetric-key algorithm to ensure security of your app. Of course you will have to decrypt each value after reading it.

  • Andres "SimpleCrypt":http://developer.qt.nokia.com/wiki/Simple_encryption might be a good start. There is also "QCA":http://delta.affinix.com/qca/ and Qt Creator, for example, uses "botan":http://botan.randombit.net/.

  • Btw, several years ago I had a common issue and I used the "OpenSSL cryptographic library":http://www.openssl.org/docs/crypto/crypto.html. This library offers implementations of the most popular and reliable algorithms and good documentation.

  • With QSettings, you will have to either create your own engine for it (not trivial, I found out), or limit yourself to encrypting only the values and not the keys, and limit yourself to not using the more advanced features of QSettings for things like arrays. That sounds rather limiting and brittle to me, and it still gives away information on what is stored.

    If you are interested in securely storing settings, I would not rely on QSettings. Instead, I would probably go for a solution where I create a binary file with settings, using QDataStream. The binary blob resulting from that can then be encrypted and stored.

    The "SimpleCrypt":http://developer.qt.nokia.com/wiki/Simple_encryption class Lukas mentioned may help you with that final encryption, but do not mistake it for strong encryption. I should know: I wrote it :-) If you want something stronger, use OpenSSL or some other well-tested and well-designed library by crypto experts instead, and make sure you understand the pitfalls in using them (there are many!). However, if you just want to shield the blob with settings from curious eyes, then SimpleCrypt may be just what you need.
