[Macha]

This argument has been argued over and over. Either the passwords are stored in some form of symmetric encryption to which the secret is not required to be entered by the user on startup, in which case it's just security theater as malware/nosy fellow users can just grab the key too, or they make you enter a master key on startup, which most users will not enable

The same is ultimately true for browser password managers also. Do you know both Chrome and Firefox let you export all your passwords as plaintext CSV?

[smt88]

Windows and Mac have had solutions to this for years. You can encrypt user files using their OS login, so they don't have to decrypt every time they start the app.

[Macha]

What does this gain over just encrypting the drive/backups? Anything running on the system has the same access.

If the drive is not encrypted, surely for Windows at least it's possible to reverse engineer the encryption secret. Maybe on Mac you could do something with T2, but now your config is not portable, and still doesn't solve the malware on the system case or the "your sibling/visitor/housemate whoever has physical access".

[Avery3R]

In a multi-user system using DPAPI [1] on windows protects secrets from other users, even if the disk is not encrypted. Secrets are encrypted with the user's password.

[1]: https://web.archive.org/web/20200830203837/https://docs.micr...