Does Wire use encryption-at-rest?
Does Wire employ encryption of data at rest?
I generally consider Signal and Wire to be the best tools today for sending information privately between two parities. Both meet the marks on crypto, open-source, 3rd party audits, PFS via the double-ratchet algorithm, etc.
Personally, I prefer Wire because it doesn't require a phone number and you can install it on Linux, Windows, MacOS, Android, or iPhone. So you can put it on TAILS or Whonix or a burner phone or some sandboxed VM.
But today I was searching through Wire's website, and I was surprised that I didn't see any information on their "security" page about encryption-at-rest.
In most cases, I'd have FDE anyway -- but in the off-chance that the person I'm communicating with doesn't have FDE, I want to make sure that my messages wouldn't be stored in plaintext on their HDD when they retire their device.
Does Wire store all of its data encrypted-at-rest?
It appears that Wire does not itself encrypt all of its data at-rest. In fact, in their security whitepaper, the explicitly state that their users should employ FDE because of this. Wow.
From their security whitepaper:
7.2 Local data protection
Wire apps store the content of conversations such as text messages, imagesand other assets locally on the device. Depending on the platform, differentprotection mechanisms exist:
iOS: Local data is stored using Core Data and in files (both protectedin with NSFileProtectionCompleteUntilFirstUserAuthentication). Con-versation content, cryptographic key material and other sensitive data isnot synced with iCloud or iTunes backups. Local data can only be ac-cessed from the Wire app, it is inaccessible to other apps thanks to theiOS sandboxing.
Android: Local data is stored using SQLite and in files. Conversationcontent, cryptographic key material or other sensitive data is not syncedwith Android Backup Service. The local data can only be accessed fromthe Wire app, it is inaccessible to other apps thanks to the Android per-missions. The app sometimes keeps cached data (i.e. downloaded im-ages) on the external storage (SD card). Those files are encrypted usingAES128, each file uses a different random key which is stored in the privatedatabase.
Desktop clients: Local data is stored using IndexedDB. The data is storedin the user’s folder. It is strongly recommended to use full disk encryptionlike FileVault on macOS or Bitlocker on Windows.