Privacy

Johannes Passing edited this page Jul 27, 2023 · 10 revisions

📝 This Wiki page has moved.

For the latest content, see Privacy & security on the IAP Desktop documentation page.

Usage of Google APIs

IAP Desktop accesses Google Cloud Platform to:

  • establish Cloud IAP TCP tunnels to VM instances
  • list VMs and obtain metadata and logs for VM instances
  • generate Windows logon credentials if requested
  • publish SSH public keys if requested

The application uses the following Google APIs for this purpose:

If you use IAP Desktop to analyze VM instance usage, the application accesses the following additional Google APIs:

Periodically, IAP Desktop accesses the GitHub API to check for updates.

IAP Desktop does not disclose or transmit any data to APIs other than the ones listed above.

Storage of credentials

All credentials managed by IAP Desktop are stored locally and are encrypted before storage.

OAuth tokens

When you use the application for the first time, you have to authorize it to access Google Cloud Platform on your behalf. As a result of this authorization, the application receives an OAuth refresh token, which allows it to re-authenticate automatically the next time you use it. This refresh token is encrypted by using the Windows Data Protection API (DPAPI) and stored in the current-user part of the Windows registry.

You can revoke your authorization at any time by selecting File > Sign out and exit in the menu.

Windows logon credentials

IAP Desktop allows you to save Windows logon credentials. These credentials are stored in the current user part of the Windows registry. Like the OAuth refresh token, all passwords are encrypted by using the DPAPI before storage.

SSH keys

By default, IAP Desktop uses a 3072-bit RSA key pair for SSH public key authentication. Alternatively, you can configure IAP Desktop to use an ECDSA NISTP-256, -384, or -521 key. The keys are managed by using the Windows CryptoNG API and stored using the Microsoft Software Key Storage Provider. You can list the keys by running the following command: certutil -csp "Microsoft Software Key Storage Provider" -key -user | findstr IAPDESKTOP_

Proxy credentials

If you've configured IAP Desktop to use an HTTP proxy server that requires authentication, then the proxy credentials are stored in the current user part of the Windows registry. Like the OAuth refresh token, the password is encrypted by using the DPAPI before storage.
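The OAuth token, Windows logon credential and proxy credential sections above all describe the same scheme: encrypt with DPAPI in current-user scope, then store the ciphertext in the HKCU registry hive. The following PowerShell is an added illustration of that scheme and of the check a reviewer would run against it; it is not IAP Desktop's code, and the registry path, value name and sample token are constructed placeholders, not the ones IAP Desktop uses.

```powershell
# Added example, not IAP Desktop code: round-trip a secret through DPAPI
# (CurrentUser scope) and an HKCU registry value, then verify the stored
# bytes are not the plaintext. Run as the user who will own the secret.
Add-Type -AssemblyName System.Security

$regPath   = 'HKCU:\Software\DpapiStorageDemo'   # hypothetical path, not IAP Desktop's
$valueName = 'RefreshToken'                       # hypothetical value name
$secret    = 'constructed-sample-refresh-token'   # constructed sample, not a real token

# Protect: the result can only be unprotected by the same Windows user account
# on the same machine (the user's DPAPI master key), which is what stops other
# local users or an attacker who copies the registry hive from reading it.
$plain = [Text.Encoding]::UTF8.GetBytes($secret)
$blob  = [Security.Cryptography.ProtectedData]::Protect(
    $plain, $null, [Security.Cryptography.DataProtectionScope]::CurrentUser)

# Store the ciphertext in the current-user hive as a REG_BINARY value.
New-Item -Path $regPath -Force | Out-Null
Set-ItemProperty -Path $regPath -Name $valueName -Value $blob -Type Binary

# Check: what sits in the registry must not contain the plaintext token.
$stored = (Get-ItemProperty -Path $regPath -Name $valueName).$valueName
if ([Text.Encoding]::UTF8.GetString($stored).Contains($secret)) {
    throw 'Plaintext leaked into the registry'
}

# Unprotect: succeeds in this user's context and throws CryptographicException
# for any other user or machine. Note that CurrentUser scope does not protect
# the secret from code already running under the same user account.
$recovered = [Text.Encoding]::UTF8.GetString(
    [Security.Cryptography.ProtectedData]::Unprotect(
        $stored, $null, [Security.Cryptography.DataProtectionScope]::CurrentUser))
if ($recovered -ne $secret) { throw 'Round trip failed' }
"OK: {0} bytes of DPAPI ciphertext stored, plaintext recovered" -f $stored.Length

# Remove the demo key again.
Remove-Item -Path $regPath -Recurse
```

Running the same unprotect step from a different Windows account, or after copying the registry value to another machine, fails, which is the property the sections above rely on.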