We use encrypted storage to hold private keys. The root storage password is a cryptographically strong key derived from the machine key plus a PIN, which must be provided every time the account store is accessed. The PIN can be supplied via the CLI or an environment variable.
🖥️Machine Key — the storage file can't be decrypted on another machine (unless your machine is compromised and an attacker has full access to it, and even then they would still have to capture the PIN as you enter it - see the next requirement, the PIN)
🔑PIN — must be provided every time you want to decrypt the storage. This key is never stored anywhere
This combination of keys makes the storage file safe from various attack vectors.
The PIN is set on the first storage write — when you add or create an account. So you must:
remember the PIN - without it the storage cannot be decrypted.
not reset the operating system — the machine key would be lost and the storage would no longer be accessible.
If you forget the PIN or the machine key has changed, you can reset the storage; this completely clears it.
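The following is an added illustration of the two-factor derivation described above; it is not the project's own code. It combines a machine key and a PIN with a memory-hard KDF (scrypt from the Python standard library), stores only a random salt plus a keyed check value in the storage header, and shows that either a wrong PIN or a different machine key fails to open the store. The machine key bytes, the `STORAGE_PIN` environment variable name and all function names are assumptions made for the example; a real implementation would read a per-machine secret from the OS or hardware and use the derived key with an authenticated cipher.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed stand-in for a per-machine secret (hypothetical value).
EXAMPLE_MACHINE_KEY = bytes.fromhex(
    "8b6a1f0c4d3e2b1a0f9e8d7c6b5a4938271605f4e3d2c1b0a9f8e7d6c5b4a392"
)


class StorageLocked(Exception):
    """Raised when the supplied PIN/machine key does not open the store."""


def get_pin(cli_pin: Optional[str] = None) -> str:
    """Take the PIN from the CLI argument first, then from STORAGE_PIN (assumed name).

    The PIN is held only in memory for the duration of the operation.
    """
    pin = cli_pin if cli_pin else os.environ.get("STORAGE_PIN", "")
    if not pin:
        raise ValueError("PIN must be provided via CLI or STORAGE_PIN")
    return pin


def derive_storage_key(machine_key: bytes, pin: str, salt: bytes) -> bytes:
    """Derive the root storage key from machine key + PIN.

    The machine key is mixed into the password input, so the same PIN on
    another machine yields an unrelated key.  scrypt is memory-hard, which
    slows down brute force of a short PIN even for an attacker who copied
    the storage file and knows the machine key.
    """
    if not pin:
        raise ValueError("PIN must not be empty")
    material = machine_key + b"\x00" + pin.encode("utf-8")
    return hashlib.scrypt(material, salt=salt, n=2**14, r=8, p=1, dklen=32)


def _check_value(key: bytes) -> bytes:
    # Keyed MAC over a fixed label: lets us detect a wrong key without
    # storing the key or PIN themselves.
    return hmac.new(key, b"storage-key-check", hashlib.sha256).digest()


def create_storage(machine_key: bytes, pin: str) -> dict:
    """First write: pick a fresh salt and record a check value for the derived key."""
    salt = secrets.token_bytes(16)
    key = derive_storage_key(machine_key, pin, salt)
    return {"salt": salt, "check": _check_value(key)}


def open_storage(header: dict, machine_key: bytes, pin: str) -> bytes:
    """Re-derive the key and verify it against the header in constant time."""
    key = derive_storage_key(machine_key, pin, header["salt"])
    if not hmac.compare_digest(_check_value(key), header["check"]):
        raise StorageLocked("wrong PIN or storage created on a different machine")
    return key


def reset_storage(machine_key: bytes, new_pin: str) -> dict:
    """Forgotten PIN / changed machine key: the old contents are unrecoverable,
    so a reset simply starts a brand-new store with a new salt."""
    return create_storage(machine_key, new_pin)


if __name__ == "__main__":
    header = create_storage(EXAMPLE_MACHINE_KEY, get_pin("1234"))
    key = open_storage(header, EXAMPLE_MACHINE_KEY, "1234")
    print("opened, key length:", len(key))
    try:
        open_storage(header, EXAMPLE_MACHINE_KEY, "0000")
    except StorageLocked as exc:
        print("wrong PIN rejected:", exc)
```

The header deliberately contains nothing secret: an attacker holding the file still needs both the machine key and the PIN, and the scrypt parameters make guessing the PIN offline expensive.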