In just the past two days all of a sudden when I click the Brave icon to open it on my 2018 MacBook Air I get this warning from Apple. “Brave browser wants to use your confidential information stored in Brave Safe Storage in your keychain”. Have never seen this before. Never. Would like to know what the heck it means and should I click allow or deny. I do not store any of my passwords in keychain. I am using Brave 1.18.75 and running Mac OS 10.14.6
Description of the issue: How can this issue be reproduced?
Read the tweet that you linked to here in the Brave Community. I would still appreciate a full explanation of what exactly “Brave Safe Storage” is and what role it plays in the functioning of the browser. I have never used the keychain on my MacBook Air to store passwords–never–and I have no idea what my keychain password even is both on my computer and on Brave. Brave has been my alternative to Safari for a number of years now and I have very much appreciated its speed, its security, its built in add blocking and other features (the best browser for Mac in my opinion). However, if this issue persists, I can assure you that I and many other users I know will either be going back to Safari or installing Firefox or Vivaldi or even the dreaded, resource hog Chrome as a principle browser on a Mac. Hope to hear back from you. Thanks in advance for your attention
Brave asks macOS to create a cryptographic key; this key is stored in the Keychain. Brave uses this key to encrypt things like passwords and more when saving them to the user’s profile directory. This way, if somebody were to get their hands on your profile data, they couldn’t do anything with it (because it was encrypted with a key stored in your keychain). When you first installed Brave, you had to grant permission as well.
The key stored in “Brave Safe Storage” (the name itself should give you some confidence) is associated with a older identifier for the Brave Browser. Imagine meeting an old friend who now goes by a different name. That’s what happened with Brave in the 1.18.75 build, we used a new certificate, so macOS doesn’t just hand over the encryption key when the browser asks. Instead, the user is prompted and asked if they trust Brave to access the key stored in Brave Safe Storage.
Many thanks for your prompt and informative response to my questions. However, I am still a bit confused. You wrote, “Brave asks macOS to create a cryptographic key; this key is stored in the Keychain. Brave uses this key to encrypt things like passwords and more when saving them to the user’s profile directory.” The only sites I ever sign on to with a username and password when I am using Brave are my gmail accounts, youtube and sometimes my Amazon account and NYT subscription; when I have finished I just sign out. Are the passwords for these sites stored in “Brave Safe Storage” and if so why? Also, I am not aware of any “profile directory” connected to Brave since I do not sign in to Brave I just open it, proceed with whatever browsing I need to do and then close it. My apologies for all of these questions. I am not a young guy and appreciate your patience. Thanks.
Brave creates a 128-bit password when you install the browser. This password is not shown to the user; it is used to encrypt files on behalf of the user. The password (which again, belongs to the browser) is stored in macOS’ Keychain vault. Brave stored it there when you installed the browser, using the name “Brave Safe Storage”.
That password is used to encrypt files in your Brave profile folder. This way, if somebody were to get access to your files, they would only get the encrypted versions. They would need to know the password stored in your Keychain to decrypt the files.
The profile directory itself exists in ~/Library/Application\ Support/BraveSoftware/. This is where Brave stores files on your behalf; files like bookmarks, Rewards information, and more. Your passwords across various sites are not stored in Brave Safe Storage. They’re stored in the Brave folder mentioned above, and encrypted using Brave’s password from Brave Safe Storage. So the only thing Brave has in Brave Safe Storage is it’s encryption key.
I get your reply, to a point. I don’t feel comfortable with the explanation nor am I willing to allow Brave access to Keychain without more information and proof. Sorry. I’ve been supporting Brave for two years now, spreading the good word, but this is shady. I don’t have any real proof, I just feel like it.
Thanks again for a very prompt and informative message; Brave customer service seems to be excellent. Still not totally certain I understand everything about this issue but nevertheless I clicked “always agree” on the Apple warning so now I will not have to look at it again. Hope you and everyone on the Brave team have a nice holiday (or as nice as it can be in current circumstances). Keep up the good work!
The value is called “Brave Safe Storage,” because Brave created it when you installed the browser. There’s no data in there beyond a single random password generated by Brave. This password is used to encrypt files in the Brave directories on your hard drive (so that nobody can access your data if they happen to get access to your filesystem). You are free to not grant Brave access to its own encryption key, but Brave will not be able to log you into sites, save passwords, operate Brave Rewards and more as a result.
Happy to hear we’re making a positive impact As noted elsewhere, this grants Brave access to “Brave Safe Storage,” which holds a randomly-generated password, which was created by Brave when you installed the browser. There’s no other data. This password is used to encrypt files in the Brave folder on your computer. Without access, Brave largely fails to work. Rewards would cease to function properly, you wouldn’t be able to log into websites, and more.
As noted elsewhere, this grants Brave access to “Brave Safe Storage,” which holds a randomly-generated password, which was created by Brave when you installed the browser. There’s no other data. This password is used to encrypt files in the Brave folder on your computer. Without access, Brave largely fails to work. Rewards would cease to function properly, you wouldn’t be able to log into websites, and more.