-
Notifications
You must be signed in to change notification settings - Fork 0
Security
This guide covers security features, best practices, and security architecture of Chat Linux Client.
- Overview
- Security Features
- API Key Security
- Data Encryption
- Network Security
- Privacy Features
- Security Best Practices
- Security Auditing
Chat Linux Client is designed with security and privacy as core principles:
- No telemetry: No data collection or analytics
- Local-first: Data stored locally
- Encryption: Optional encryption for sensitive data
- HTTPS-only: All API communications use HTTPS
- Open source: Fully auditable code
Chat Linux Client collects zero telemetry data:
- No usage statistics
- No crash reports
- No analytics
- No user tracking
- No phone home
All data is stored locally on your machine:
-
Configuration:
~/.config/chat-linux-client/ -
Chat history:
~/.local/share/chat-linux-client/ -
Logs:
~/.local/share/chat-linux-client/logs/
Data is never sent to external servers except for AI API requests.
All API communications use HTTPS with certificate validation:
# aiohttp with SSL verification
async with aiohttp.ClientSession() as session:
async with session.post(url, ssl=True) as response:
# Process responseAll user inputs are validated before processing:
- API key format validation
- Model name validation
- Configuration validation
- Path traversal prevention
API keys are encrypted using Fernet symmetric encryption:
from cryptography.fernet import Fernet
# Generate encryption key
key = Fernet.generate_key()
cipher = Fernet(key)
# Encrypt API key
encrypted = cipher.encrypt(api_key.encode())
# Decrypt API key
decrypted = cipher.decrypt(encrypted).decode()Encryption keys are derived from passwords using PBKDF2:
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
from cryptography.hazmat.primitives import hashes
kdf = PBKDF2HMAC(
algorithm=hashes.SHA256(),
length=32,
salt=salt,
iterations=480000,
)
key = base64.urlsafe_b64encode(kdf.derive(password.encode()))Encrypted keys are stored at:
~/.config/chat-linux-client/api_keys.enc
Set a password for key encryption:
# Environment variable
export CHAT_CLIENT_PASSWORD=your_password
# Or through settingsWithout a password, a local fallback key is used (less secure).
API keys are validated before use:
def validate_key_format(provider, api_key):
validators = {
"openai": lambda k: k.startswith("sk-") and len(k) >= 20,
"groq": lambda k: k.startswith("gsk_") and len(k) >= 20,
"openrouter": lambda k: k.startswith("sk-or-") and len(k) >= 20,
}
return validators[provider](api_key)Enable encryption for chat history:
- Open Settings
- Navigate to Privacy tab
- Enable "Encrypt Chats"
- Set a password
- Click Save
Important: Remember your password. Lost passwords cannot be recovered.
Chat history is encrypted using SQLite encryption extensions:
# Encrypt before storing
encrypted_data = cipher.encrypt(chat_content.encode())
# Store in database
cursor.execute("INSERT INTO messages (content) VALUES (?)", (encrypted_data,))
# Decrypt when retrieving
decrypted_data = cipher.decrypt(encrypted_data).decode()Sensitive configuration can be encrypted:
# Encrypt sensitive fields
config["api_key"] = encrypt(config["api_key"])
# Save encrypted config
save_config(config)All API requests use HTTPS:
base_urls = {
"openai": "https://api.openai.com/v1",
"groq": "https://api.groq.com/openai/v1",
# All URLs use HTTPS
}SSL certificates are validated by default:
# Certificate validation enabled
session = aiohttp.ClientSession()No intermediate proxy servers are used. Direct connection to provider APIs.
Security headers are included in requests:
headers = {
"Authorization": f"Bearer {api_key}",
"Content-Type": "application/json",
"User-Agent": "Chat-Linux-Client/1.0.0"
}Using Ollama local models ensures:
- Data never leaves your machine
- No network requests
- Complete privacy
- No API costs
Chat Linux Client does not:
- Store data on cloud servers
- Share data with third parties
- Use data for training
- Retain data beyond local storage
Delete data on exit:
- Open Settings
- Navigate to Privacy tab
- Enable "Delete API Keys on Exit"
- Enable "Clear Chat History on Exit"
You have full control over your data:
- Export chat history anytime
- Delete specific chats
- Clear all history
- Backup encrypted data
- Never share your API keys
- Rotate keys regularly
- Revoke unused keys
- Use environment variables when possible
- Enable encryption for key storage
- Use strong passwords for encryption
- Don't reuse passwords
- Store passwords securely
- Remember encryption passwords (cannot be recovered)
- Use secure networks for cloud API calls
- Avoid public WiFi for sensitive conversations
- Keep software updated
- Use VPN if needed
- Download from trusted sources (Ollama)
- Keep models updated
- Verify model integrity
- Use local models for sensitive data
- Never hardcode secrets in code
- Use environment variables
- Add secrets to .gitignore
- Validate all inputs
- Use secure storage APIs
- Keep dependencies updated
- Review security advisories
-
Use
pip-auditto check vulnerabilities - Pin dependency versions
- Review third-party code
- Follow secure coding practices
- Use type hints
- Handle errors properly
- Sanitize user inputs
- Use parameterized queries
- Write security tests
- Test edge cases
- Test encryption/decryption
- Test input validation
- Perform security reviews
Regular security reviews should cover:
- API key handling
- Encryption implementation
- Input validation
- Error handling
- Network security
Scan for vulnerabilities:
pip-auditUse static analysis tools:
# Bandit for security issues
bandit -r .
# Safety for dependency vulnerabilities
safety checkTest for:
- SQL injection
- XSS (if web interface added)
- Path traversal
- Command injection
- Buffer overflows
Encryption passwords cannot be recovered. If lost:
- Encrypted data is inaccessible
- Must delete encrypted files
- Start fresh with new password
Without a password, a local fallback key is used:
- Less secure than password-based encryption
- Key is stored on the machine
- Consider setting a password for better security
When using cloud providers:
- Data is sent to provider servers
- Subject to provider's privacy policy
- Provider may store data temporarily
- Review provider's security practices
- Update application regularly
- Review changelog for security fixes
- Update dependencies
- Monitor security advisories
If you find a security vulnerability:
- Do NOT open a public issue
- Email: security@example.com
- Include details and reproduction steps
- Allow time for fix before disclosure
- Set encryption password
- Enable chat encryption (optional)
- Review privacy settings
- Understand data storage locations
- Configure API keys securely
- Rotate API keys periodically
- Update application
- Update dependencies
- Review security settings
- Clear unnecessary chat history
- Use local models (Ollama)
- Enable chat encryption
- Use strong encryption password
- Disable cloud providers
- Clear data after use