Keytar Migration Plan #546

Closed
TylerLeonhardt opened this issue Jun 20, 2023 · 13 comments · Fixed by #552

@TylerLeonhardt

Hello 👋 I'm Tyler from the VS Code team. I'm opening this issue because you use the keytar shim that VS Code provides.

Keytar is officially archived and not being maintained... In an effort to promote good security practices by not depending on an archived piece of software for storing secrets, we are working on a plan to remove this shim from VS Code. We want to communicate this to you so we minimize the disruption due to this change, hence this issue. I know this isn't the best news... we had a fair amount of work to remove our dependency on keytar as well, but we believe this is the right thing to do to ensure extensions are using secure APIs.

There are a couple of options for you to consider:

  • (recommended) Use the SecretStorage API that VS Code provides on the ExtensionContext. This API is cross-platform and will work on all platforms that VS Code supports. It is also maintained by the VS Code team and will continue to be maintained and has been a part of the VS Code API for years at this point.
  • (not recommended) You can bundle the keytar module with your extension. Keep in mind that keytar is a native node module which means that you will need to publish a platform specific extension for each platform you want to support.

Timeline

The current plan is to remove this shim from VS Code Insiders in early July which means that August 2023's stable release will be the first release without the shim.

Questions?

If you have any questions, please feel free to ask them here. I will do my best to answer them as quickly as possible. Your cooperation is greatly appreciated ❤️

@Anemy
Member

Anemy commented Jun 21, 2023

@TylerLeonhardt Thanks for opening this issue and letting us know about the changes.
We've created VSCODE-435 to track this. I'll close this issue when we've made the changes.

This is something that will require a release with a migration away from keytar before this is removed from VSCode. There is a chance that someone will not update their VSCode/extensions before keytar is removed. In this instance a user would effectively lose their secrets unless we bundle the keytar module with our extension, which we would like to avoid doing if possible.

Is there a way we can be given an earlier heads up for changes like this? Could we find this out by following the insiders releases? This feels to us to be a bit of a short notice and a quick timeline for something that could complicate some users' experiences.

Also wanted to reiterate that it is immensely useful that y'all create these sorts of tickets on extension projects. It is appreciated! Keep up the good work.

@TylerLeonhardt
Author

I totally hear you @Anemy! It was only recently when we had a plan for what we were going to do about the archiving of Keytar. We actually thought that it would be one of the things that would survive the sunsetting of Atom because it was used outside of Atom, but that didn't end up being the case.

I would say this is an anomaly for the communication we strive to achieve... to answer your question, usually, we will announce things through:

Anyway, the last thing I want to say is that we would love to see movement in this issue, but ultimately, we do weigh the user experience in the mix of the timeline as well... I just don't want this statement to contradict the urgency I proclaimed above. Hope that makes sense.

@himanshusinghs
Contributor

A new version (v1.1.0) of our extension facilitating seamless migration from Keytar to the SecretStorage API has just been published. Again, much thanks for the timely update :)

@TylerLeonhardt
Author

Thank you so much for your timely update :)

@TylerLeonhardt
Author

@himanshusinghs quick question, when are you all planning to remove the migration in favor of only reading from the SecretStorage API?

@alenakhineika
Contributor

Hey @TylerLeonhardt, from now on for all new connections we use only SecretStorage to manage users' secrets. However, we do want to migrate as many users' connections as possible before Keytar removal from VSCode. We will delete the migration script later when most of our users migrate their old connections.

@TylerLeonhardt
Author

Thanks for the context, @alenakhineika. I asked because we have telemetry that tracks the importing of keytar and after the release mentioned we didn't see a drop in that telemetry. We are using this telemetry to decide when to actually remove keytar. I'm guessing you all still import keytar at activation but just don't use it until the user hits the migration path? Is that correct?

If it's easy for you to import keytar lazily that would help me out, but if it's too much work no worries. I'll just keep a note to check in on your migration.

@alenakhineika
Contributor

@TylerLeonhardt correct. We currently import Keytar when we activate the extension. Then, we fetch connections from VSCode storage and run the migration for those connections that haven't gone through migration yet. I have created a ticket to refactor it to lazy importing, as you suggested. You can track the progress here VSCODE-450.
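
The flow discussed in this exchange (migrate only the connections that have not been migrated yet, and import keytar lazily so it is never loaded once nothing is pending), as an added example that is not part of the thread or the extension's own code. `SERVICE`, the connection record fields (`id`, `migrated`), the loader and the in-memory stand-ins are assumptions made for illustration; `secrets` is any object with the `get`/`store` shape of `ExtensionContext.secrets`.

```javascript
// Added example: secrets move from keytar to a SecretStorage-shaped object
// (get/store, as on ExtensionContext.secrets). SERVICE, the connection
// record fields and the loader are assumptions of this example.
const SERVICE = 'example-extension.connections'; // hypothetical service name

// Lazy loader: keytar is imported only when something still needs migrating.
const defaultLoadKeytar = async () => {
  const mod = await import('keytar');
  return mod.default ?? mod;
};

async function migrateSecrets(connections, secrets, loadKeytar = defaultLoadKeytar) {
  const result = { loadedKeytar: false, migrated: [], failed: [] };
  const pending = connections.filter((c) => !c.migrated);
  if (pending.length === 0) return result; // steady state: keytar never imported

  let keytar;
  try {
    keytar = await loadKeytar();
  } catch {
    // keytar no longer available: leave records unmarked and report them.
    result.failed = pending.map((c) => c.id);
    return result;
  }
  result.loadedKeytar = true;
  for (const conn of pending) {
    try {
      const secret = await keytar.getPassword(SERVICE, conn.id);
      if (secret != null) {
        await secrets.store(conn.id, secret);
        // Read back before marking done, so a failed write is retried later.
        if ((await secrets.get(conn.id)) !== secret) throw new Error('verify failed');
      }
      conn.migrated = true;
      result.migrated.push(conn.id);
    } catch {
      result.failed.push(conn.id); // stays unmigrated; retried on next activation
    }
  }
  return result;
}

// Constructed in-memory stand-ins so the example runs outside VS Code.
function makeFakes(legacyEntries) {
  const legacy = new Map(legacyEntries), store = new Map();
  let loads = 0;
  const secrets = { get: async (k) => store.get(k), store: async (k, v) => { store.set(k, v); } };
  const keytar = { getPassword: async (_s, id) => legacy.get(id) ?? null };
  return { secrets, store, loadKeytar: async () => { loads += 1; return keytar; }, loads: () => loads };
}
```

The caller is expected to persist the updated `migrated` flags after the call; the `failed` list is what tells you which connections still depend on keytar.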

@alenakhineika
Contributor

Hey @TylerLeonhardt, we've just released extension v1.2.0, which includes lazy loading of keytar. Hope this is still useful for you!

@alenakhineika
Contributor

Hey @TylerLeonhardt, could you please inform us when you've completely removed keytar? This way, we can better know what happens to users who haven't migrated yet.

@TylerLeonhardt
Author

TylerLeonhardt commented Aug 22, 2023

@alenakhineika I will keep you posted. We're monitoring telemetry to decide when to take it out and are evaluating roughly once a month. We'll evaluate again in early Sept.

btw, thanks for lazily loading keytar! I see the drop in your extension in our telemetry! This will help us make an informed decision.

@TylerLeonhardt
Author

TylerLeonhardt commented Sep 1, 2023

👋 @alenakhineika ... just to close the loop. We will remove keytar from VS Code next week. This means that:

  • VS Code Insiders on Thursday of next week will be the first Insiders without keytar
  • VS Code 1.83 (not 1.82) to be released early Oct will be the first stable release without keytar

@alenakhineika
Contributor

Thank you for the update and for keeping us in the loop during the whole migration process! ✨
