Add option to prevent unencrypted exports

timokoessler · timokoessler · commit 1a9ef6bf36e1 · 2025-03-30T12:49:48.000+02:00
+ Update icon pack
diff --git a/Guard.Core/RegistrySettings.cs b/Guard.Core/RegistrySettings.cs
@@ -128,5 +128,14 @@ int minLength
             );
             return (requireLowerAndUpperCase, requireDigits, requireSpecialChars, minLength);
         }
+
+        public static bool PreventUnencryptedExports()
+        {
+            return GetValue(
+                @"HKEY_CURRENT_USER\Software\Policies\2FAGuard",
+                "PreventUnencryptedExports",
+                false
+            );
+        }
     }
 }
diff --git a/Guard.WPF/Assets/Icons/si.json b/Guard.WPF/Assets/Icons/si.json
diff --git a/Guard.WPF/Core/Export/Exporter/AuthenticatorProExporter.cs b/Guard.WPF/Core/Export/Exporter/AuthenticatorProExporter.cs
@@ -40,6 +40,12 @@ public async Task Export(string? path, byte[]? password)
             var tokenHelpers =
                 await TokenManager.GetAllTokens()
                 ?? throw new Exception(I18n.GetString("export.notokens"));
+
+            if (tokenHelpers.Count == 0)
+            {
+                throw new Exception(I18n.GetString("export.notokens"));
+            }
+
             List<AuthenticatorProBackup.Authenticator> authenticators = [];
 
             foreach (var tokenHelper in tokenHelpers)
diff --git a/Guard.WPF/Core/Export/Exporter/BackupExporter.cs b/Guard.WPF/Core/Export/Exporter/BackupExporter.cs
@@ -33,6 +33,12 @@ public async Task Export(string? path, byte[]? password)
             var tokenHelpers =
                 await TokenManager.GetAllTokens()
                 ?? throw new Exception(I18n.GetString("export.notokens"));
+
+            if (tokenHelpers.Count == 0)
+            {
+                throw new Exception(I18n.GetString("export.notokens"));
+            }
+
             List<Backup.Token> tokens = [];
 
             foreach (var tokenHelper in tokenHelpers)
diff --git a/Guard.WPF/Resources/Strings.en.xaml b/Guard.WPF/Resources/Strings.en.xaml
@@ -194,6 +194,7 @@
     <system:String x:Key="i.page.exportpage">Export tokens</system:String>
     <system:String x:Key="i.export.failed.title">Export failed</system:String>
     <system:String x:Key="i.export.failed.content">An error occurred while exporting:</system:String>
+    <system:String x:Key="i.export.failed.unencrypted">Unencrypted backups are blocked by your administrator</system:String>
     <system:String x:Key="i.export.password">Please enter a password for the backup file</system:String>
     <system:String x:Key="i.export.password.invalid">Please enter a valid password</system:String>
     <system:String x:Key="i.export.backup">Backup</system:String>
diff --git a/Guard.WPF/Views/Dialogs/PasswordDialog.xaml b/Guard.WPF/Views/Dialogs/PasswordDialog.xaml
@@ -13,7 +13,7 @@
     ui:Design.Background="{DynamicResource ApplicationBackgroundBrush}"
     ui:Design.Foreground="{DynamicResource TextFillColorPrimaryBrush}"
     CloseButtonText="{DynamicResource i.dialog.close}"
-    DialogMaxHeight="250"
+    DialogMaxHeight="275"
     IsPrimaryButtonEnabled="True"
     PrimaryButtonIcon="{ui:SymbolIcon ArrowCircleRight24,
                                       Filled=True}"
diff --git a/Guard.WPF/Views/Pages/ExportPage.xaml.cs b/Guard.WPF/Views/Pages/ExportPage.xaml.cs
@@ -27,6 +27,11 @@ private async void Export(IExporter exporter)
         {
             try
             {
+                if (!exporter.RequiresPassword() && RegistrySettings.PreventUnencryptedExports())
+                {
+                    throw new Exception(I18n.GetString("i.export.failed.unencrypted"));
+                }
+
                 if (exporter.Type == IExporter.ExportType.File)
                 {
                     Microsoft.Win32.SaveFileDialog saveFileDialog =
@@ -60,6 +65,7 @@ private async void Export(IExporter exporter)
                             throw new Exception(I18n.GetString("export.password.invalid"));
                         }
                     }
+
                     await exporter.Export(saveFileDialog.FileName, password);
 
                     Wpf.Ui.Controls.MessageBoxResult sucessDialogResult =
diff --git a/docs/advanced.md b/docs/advanced.md
@@ -23,6 +23,21 @@ The default data paths are:
 - Installer version: `%LOCALAPPDATA%\2FAGuard`
 - Portable version: `.\2FAGuard-Data`
 
+### Prevent unencrypted exports
+
+Create a value named `PreventUnencryptedExports` in the path above. The value should be of type `DWORD`. If set to `1`, the application will not allow unencrypted exports of the secrets. The default is `0`.
+
+### Password requirements
+
+Create a subkey named `Password` in the path specified above. The following values can be set:
+
+- `RequireLowerAndUpperCase` (DWORD): Requires at least one lowercase and one uppercase letter in the password. The default is `0`.
+- `RequireDigits` (DWORD): Requires at least one digit in the password. The default is `0`.
+- `RequireSpecialChars` (DWORD): Requires at least one special character in the password. The default is `0`.
+- `MinLength` (DWORD): The minimum length of the password. The default is `8`. Tip: Select decimal as the base for the value in the registry editor when entering the value.
+
+Please note that the password requirements are only enforced when creating a new password. If you change the requirements after a password has been set, the new requirements will not be enforced for the existing password.
+
 ### Modify setup
 
 Create a subkey named `Setup` in the path specified above. The following values can be set:
@@ -40,12 +55,3 @@ Create a subkey named `Settings` in the path specified above. These keys can be
 - `HideWinHello` (DWORD): If set to `1`, the settings page will not show the Windows Hello settings. The default is `0`.
 - `HidePreventRecording` (DWORD): The settings page will not show the option to prevent screen recording if set to `1`. The default is `0`.
 - `HideSecurityKey` (DWORD): If set to `1`, the settings page will not show the security key (WebAuthn / FIDO2) settings. The default is `0`.
-
-### Password requirements
-
-Create a subkey named `Password` in the path specified above. The following values can be set:
-
-- `RequireLowerAndUpperCase` (DWORD): Requires at least one lowercase and one uppercase letter in the password. The default is `0`.
-- `RequireDigits` (DWORD): Requires at least one digit in the password. The default is `0`.
-- `RequireSpecialChars` (DWORD): Requires at least one special character in the password. The default is `0`.
-- `MinLength` (DWORD): The minimum length of the password. The default is `8`. Tip: Select decimal as the base for the value in the registry editor when entering the value.

Original file line number	Diff line number	Diff line change
`@@ -128,5 +128,14 @@ int minLength`
`128`	`128`	`);`
`129`	`129`	`return (requireLowerAndUpperCase, requireDigits, requireSpecialChars, minLength);`
`130`	`130`	`}`
	`131`	`+`
	`132`	`+ public static bool PreventUnencryptedExports()`
	`133`	`+ {`
	`134`	`+ return GetValue(`
	`135`	`+ @"HKEY_CURRENT_USER\Software\Policies\2FAGuard",`
	`136`	`+ "PreventUnencryptedExports",`
	`137`	`+ false`
	`138`	`+ );`
	`139`	`+ }`
`131`	`140`	`}`
`132`	`141`	`}`
Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,11 @@ private async void Export(IExporter exporter)`
`27`	`27`	`{`
`28`	`28`	`try`
`29`	`29`	`{`
	`30`	`+ if (!exporter.RequiresPassword() && RegistrySettings.PreventUnencryptedExports())`
	`31`	`+ {`
	`32`	`+ throw new Exception(I18n.GetString("i.export.failed.unencrypted"));`
	`33`	`+ }`
	`34`	`+`
`30`	`35`	`if (exporter.Type == IExporter.ExportType.File)`
`31`	`36`	`{`
`32`	`37`	`Microsoft.Win32.SaveFileDialog saveFileDialog =`
`@@ -60,6 +65,7 @@ private async void Export(IExporter exporter)`
`60`	`65`	`throw new Exception(I18n.GetString("export.password.invalid"));`
`61`	`66`	`}`
`62`	`67`	`}`
	`68`	`+`
`63`	`69`	`await exporter.Export(saveFileDialog.FileName, password);`
`64`	`70`
`65`	`71`	`Wpf.Ui.Controls.MessageBoxResult sucessDialogResult =`