A number of plugins have been written for the framework which provide a variety of functionality for clients to use. Most clients should use the platform default plugins when writing their applications, as these will provide the most consistent and secure experience.

Device vendors and trusted partners may wish to provide their own plugins, and some applications may wish to specifically use those plugins.

Default Crypto Plugins

Currently, there are two Sailfish OS Crypto plugins shipped by default:

• org.sailfishos.crypto.plugin.crypto.openssl
• org.sailfishos.secrets.plugin.encryptedstorage.sqlcipher

The first plugin provides implementations of common cryptography functionality by calling the OpenSSL library functions internally.

The second plugin shares its cryptography implementation with the first plugin, but also provides block-level encrypted secure storage of collections of secrets, using the SQLCipher library for its database operations. Thus it is both a Sailfish::Crypto::CryptoPlugin and a Sailfish::Secrets::EncryptedStoragePlugin, also known as a Crypto-Storage plugin.

Note that neither of these plugins use TEE/TPM or other secure-hardware to implement the cryptographic functionality.

Which Plugin Should My Application Use?

We recommend that the system default Crypto-Storage plugin be used where possible. In most cases, this will be the "org.sailfishos.secrets.plugin.encryptedstorage.sqlcipher" plugin.

The following snippet shows an example of using the default crypto storage plugin to create a symmetric key, and store it in an encrypted database managed by that same plugin:

 // Set the key template metadata.
 Sailfish::Crypto::Key keyTemplate, symmetricKeyReference;
 keyTemplate.setAlgorithm(Sailfish::Crypto::CryptoManager::AlgorithmAes);
 keyTemplate.setSize(256);
 keyTemplate.setOrigin(Sailfish::Crypto::Key::OriginDevice);
 keyTemplate.setOperations(Sailfish::Crypto::CryptoManager::OperationEncrypt
                          |Sailfish::Crypto::CryptoManager::OperationDecrypt);

 // Set the identifier for the key.
 // This assumes the existence of an "ExampleCollection" secure storage
 // collection, in which the key will be stored.
 // See Sailfish::Secrets::CreateCollectionRequest.
 keyTemplate.setIdentifier(
         Sailfish::Crytpo::Key::Identifier(
                 QStringLiteral("ExampleKey"),
                 QStringLiteral("ExampleCollection"),
                 Sailfish::Crypto::CryptoManager::DefaultCryptoStoragePluginName));

 // Ask the system service to generate and store the key securely.
 Sailfish::Crypto::CryptoManager cm;
 Sailfish::Crypto::GenerateStoredKeyRequest generateRequest;
 generateRequest.setManager(&cm);
 generateRequest.setKeyTemplate(keyTemplate);
 generateRequest.setCryptoPluginName(Sailfish::Crypto::CryptoManager::DefaultCryptoStoragePluginName);
 generateRequest.startRequest();
 generateRequest.waitForFinished();
 if (generateRequest.result().code() == Sailfish::Crypto::Result::Failed) {
     qWarning() << "Unable to generate and store symmetric key:"
                << generateRequest.result().errorMessage();
 } else {
     symmetricKeyReference = generateRequest.generatedKeyReference();
 }

Note that this example assumes that the "ExampleCollection" had already been created, via a Sailfish::Secrets::CreateCollectionRequest.

Implementing your own plugin

Please see the documentation for Sailfish::Crypto::CryptoPlugin for more information about implementing your own custom plugin.

An example (skeleton) Crypto plugin without key storage capability may be found at: https://github.com/sailfishos/sailfish-secrets/tree/master/examples/plugins/examplecryptoplugin/

An example (skeleton) Crypto Storage plugin may be found at: https://github.com/sailfishos/sailfish-secrets/tree/master/examples/plugins/examplecryptostorageplugin/