(Since the Signal Desktop devs clearly won't listen to its users*, we're stuck doing hacky shit like this...)
This script provides you with the missing local storage-encryption feature in Signal Desktop using VeraCrypt.
It basically just creates an encrypted volume, moves your Signal data to it, symlinks the original data dir to the encrypted volume and creates a launcher that will prompt you for your password, unlock the volume, run Signal and unmount the volume again as soon as Signal exits.
Then just run the launcher instead of Signal and pretend the password prompt is a Signal feature.
It's kinda hacky but it works pretty well.
Tested on Debian 11 and MacOS 12.5.
NOTE: (For MacOS) - There's a binary blob in launcher.tar.gz. It's an 'Automator Application Stub' used to run an Automator workflow as a MacOS app (for the launcher). If you're paranoid (which you should be), you can make your own or just compare it to this binary:
- Open Automator
- New -> Application
- (leave it blank)
- Save the .app
- Binary is located at "theappyoujustsaved.app/Contents/MacOS/Automator Application Stub"
(If anyone has a better idea on how to create the .app on MacOS, please don't hesitate to open an issue or a PR)
privacytools/privacytools.io#1789 – Add warning that Signal stores attachments unencrypted and messages unsafely on desktop
signalapp/Signal-Desktop#2815 – All exported data (messages + attachments) are NOT encrypted on Disk during (and after) the upgrade process!
signalapp/Signal-Desktop#4042 – encrypted db.sqlite encryptable, hence conversations interceptable
signalapp/Signal-Desktop#5751 – Signal Desktop stores all received attachments unencrypted on filesystem
signalapp/Signal-Desktop#5703 – Desktop app does not support protected storage
signalapp/Signal-Desktop#1017 – Messages are stored in plain text and not encrypted locally
signalapp/Signal-Desktop#452 – Add option to lock the application
signalapp/Signal-Desktop#1318 – What is stored on the pc and where?
signalapp/Signal-Desktop#2793 – The attachments should be encrypted at rest on the drive
signalusers.org/t/improve-security-of-desktop-apps-encryption-of-data-at-rest – Improve security of desktop app’s encryption of data at rest
signalusers.org/t/lock-the-desktop-app-with-a-password – Lock the desktop app with a password
signalusers.org/t/securety-pin-on-desktop – Securety PIN on Desktop