// the find
juliansteenbakker/flutter_secure_storage
A Flutter plugin for securely storing sensitive data using encrypted storage.
flutter_secure_storage is the standard Flutter plugin for storing secrets with platform-native mechanisms: Keychain on iOS/macOS, Android Keystore (a Keystore-held RSA OAEP key wrapping an AES-GCM data key), DPAPI on Windows, libsecret on Linux. It's the go-to choice for any Flutter app that needs to store tokens, credentials, or keys without rolling its own crypto. Version 10 was a significant security overhaul that dropped the deprecated Jetpack Security (EncryptedSharedPreferences) dependency.
The Android v10 rewrite replaced EncryptedSharedPreferences (whose encrypted keyset could be carried over by Android auto-backup while the Keystore master key that protects it could not, leaving restored data undecryptable) with the plugin's own RSA OAEP + AES-GCM scheme backed by Android Keystore, a meaningful security improvement rather than just a library swap. Biometric authentication is integrated at the right layer: the key is bound in the Keystore to user authentication, so without the biometric unlock decryption itself fails, instead of a Dart-side check that a patched app could simply skip. The Secure Enclave path on iOS/macOS is genuinely hardware-backed, not a marketing claim: the enclave holds an EC private key that never leaves the chip, and the stored secret is encrypted under key material derived from it, so the data lives outside the enclave but is useless without it. Auto-migration from old cipher configurations (`migrateOnAlgorithmChange`) is on by default, which matters a lot for a security library, where a bad upgrade path can lock users out of their data.
Web support is explicitly experimental and has a significant footgun: `wrapKey`/`wrapKeyIv` are supplied from Dart, so if they are hardcoded in source they ship in the compiled JS bundle, and anyone who can load the page can read them and decrypt whatever the plugin stored in the browser. The encryption then only hides values from casual inspection of browser storage; treat web storage as untrusted regardless. The docs mention this but don't warn loudly enough. Secure Enclave adoption in an existing app requires a manual migration (read old, write new, delete old) with no built-in helper, so most developers will skip it, leaving the feature unused for anyone upgrading; if you do it, delete the old copy only after the new one reads back correctly. Linux support depends on a running keyring daemon (gnome-keyring or kwallet) that exposes the Secret Service API on the session D-Bus, which libsecret requires, so it breaks in headless/CI environments with no graceful fallback documented; a quick check is whether `org.freedesktop.secrets` is owned on the session bus (`busctl --user list | grep secrets`). There is no support for key rotation or expiry: once a secret is written there is no TTL or versioning mechanism short of manually deleting and rewriting, so any such policy has to be layered on top by the app.
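An added example, not code from the plugin or its author, covering the two gaps above: the Secure Enclave migration dance and the missing TTL/rotation. `migrateStore` moves entries between two backends and deletes the old copy only after the new one verifies; `EnvelopeStore` layers a versioned, expiring JSON envelope on top of any backend. The `SecretStore` interface is an assumption that mirrors the plugin's `read`/`write`/`delete`/`readAll` calls so the logic runs in plain Dart; the in-memory backend and the sample secrets are constructed for the demo.

```dart
// Added example, not flutter_secure_storage's own code. SecretStore is an
// assumed interface mirroring the four plugin calls used here, so the logic
// runs in plain Dart (`dart run`) against an in-memory backend.
import 'dart:convert';

abstract class SecretStore {
  Future<String?> read(String key);
  Future<void> write(String key, String value);
  Future<void> delete(String key);
  Future<Map<String, String>> readAll();
}

/// In-memory backend standing in for a FlutterSecureStorage instance.
class MemoryStore implements SecretStore {
  final _m = <String, String>{};
  @override
  Future<String?> read(String key) async => _m[key];
  @override
  Future<void> write(String key, String value) async {
    _m[key] = value;
  }
  @override
  Future<void> delete(String key) async {
    _m.remove(key);
  }
  @override
  Future<Map<String, String>> readAll() async => Map.of(_m);
}

/// Read old -> write new -> verify -> delete old. The old entry goes only
/// after the new backend reads back the same value, so a failed write (a
/// declined biometric prompt, a Keychain error) never loses data.
Future<List<String>> migrateStore(SecretStore source, SecretStore target) async {
  final moved = <String>[];
  for (final e in (await source.readAll()).entries) {
    final existing = await target.read(e.key);
    if (existing == e.value) {
      await source.delete(e.key); // already migrated on an earlier run
      continue;
    }
    if (existing != null) continue; // conflicting value on target: leave both
    await target.write(e.key, e.value);
    if (await target.read(e.key) != e.value) {
      throw StateError('verify failed for ${e.key}; old copy kept');
    }
    await source.delete(e.key);
    moved.add(e.key);
  }
  return moved;
}

/// Versioned, expiring JSON envelope layered on a store with no TTL or
/// rotation of its own. Bump `version` on rotation: entries from an older
/// generation, like expired or malformed ones, read as absent and are purged.
class EnvelopeStore {
  final SecretStore _inner;
  final int version;
  final DateTime Function() _now; // injectable clock
  EnvelopeStore(this._inner, {required this.version, DateTime Function()? now})
      : _now = now ?? DateTime.now;
  Future<void> write(String key, String value, {Duration? ttl}) {
    final exp = ttl == null ? null : _now().add(ttl).toUtc().toIso8601String();
    return _inner.write(key, jsonEncode({'v': version, 'exp': exp, 'val': value}));
  }
  Future<String?> read(String key) async {
    final raw = await _inner.read(key);
    if (raw == null) return null;
    Map<String, dynamic>? env;
    try {
      env = jsonDecode(raw) as Map<String, dynamic>;
    } catch (_) {} // malformed: falls through and is purged below
    final exp = env?['exp'] as String?;
    final expired = exp != null && !_now().isBefore(DateTime.parse(exp));
    if (env == null || env['v'] != version || expired) {
      await _inner.delete(key);
      return null;
    }
    return env['val'] as String?;
  }
}

Future<void> main() async {
  // Constructed sample data: two secrets in the pre-enclave backend.
  final legacy = MemoryStore();
  final enclave = MemoryStore(); // stands in for the Secure Enclave-backed instance
  await legacy.write('refresh_token', 'rt-1');
  await legacy.write('api_key', 'k-1');
  print('moved: ${await migrateStore(legacy, enclave)}');
  print('legacy left: ${(await legacy.readAll()).length}');

  var clock = DateTime.utc(2024, 1, 1);
  final gen1 = EnvelopeStore(enclave, version: 1, now: () => clock);
  await gen1.write('session', 's-1', ttl: const Duration(hours: 1));
  print('fresh: ${await gen1.read('session')}');
  clock = clock.add(const Duration(hours: 2));
  print('expired: ${await gen1.read('session')}');
  await gen1.write('session', 's-2');
  final gen2 = EnvelopeStore(enclave, version: 2, now: () => clock);
  print('after rotation: ${await gen2.read('session')}');
}
```

To run this against the real plugin, wrap each `FlutterSecureStorage` instance in a `SecretStore` adapter (`storage.read(key: k)`, `storage.write(key: k, value: v)`, `storage.delete(key: k)`, `storage.readAll()`), one built with your current options and one with whatever Secure Enclave option your plugin version exposes (the option name is not taken from this page), then call `migrateStore` once at startup and persist a flag so it is not repeated. An aborted run is safe because nothing is deleted until the new side verifies, but run it while the app is foregrounded if the new options trigger a biometric prompt. Note that `EnvelopeStore` expiry is enforced by the app, not the OS: a secret past its TTL is still on disk until the next read purges it, so it is a hygiene measure, not a guarantee.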