Key for chromium's encrypted cookies store in Linux is “peanuts”

This is misleading. If you follow the links to the Chromium bug tracker, you&#x27;ll note that Chrome integrates with the GNOME and KDE encrypted password managers when they&#x27;re available. If they&#x27;re not, it falls back to storing passwords itself with obfuscation, which is the best it can do. (On Windows and OS X, it uses CryptProtectData and the Keychain API, respectively.)<p><a href="https:&#x2F;&#x2F;code.google.com&#x2F;p&#x2F;chromium&#x2F;wiki&#x2F;LinuxPasswordStorage" rel="nofollow">https:&#x2F;&#x2F;code.google.com&#x2F;p&#x2F;chromium&#x2F;wiki&#x2F;LinuxPasswordStorage</a>

I guess a lot of others are also wondering, &quot;What&#x27;s the point?&quot;<p>If an attacker can read the file the cookies are stored in, you have already lost.<p>It even mentions &quot;obfuscation&quot; - which might be a <i>slight</i> obstacle if this was closed-source - but Chromium is open-source.

Some more details from the source:<p>Password is: &quot;peanuts&quot; Salt is: &quot;saltysalt&quot; Algorithm used: AES-128-CBC The number of KDF iterations is: 1<p>Edit: Indicate that no. of iterations is for the Key Derivation Function

Well without having a user-specified master password like firefox has, you&#x27;re bound to use some &quot;pseudosecret&quot; keys.

&quot;ksalt - at least salt is a variable, surely it at least is randomly generated, right?&quot;<p>&gt; &#x2F;&#x2F; Salt for Symmetric key derivation.<p>&gt; const char kSalt[] = &quot;saltysalt&quot;;

In related news, if you don&#x27;t have a key and a lock, you cannot really lock a door.

I haven&#x27;t looked at the caller code but are you sure that only the cookie code is using this function? The function looks pretty generic and it might be used somewhere else as well...

Linux -&gt; Linus -&gt; (Charles Schultz) Peanuts-&gt; peanut?

Well, atleast it goes well with the salt.

mmmmhhhh. Salted peanuts