Description
retroarch.cfg stores credentials and sensitive data inline alongside all other settings. This makes it unsafe to share configs without manual editing, and causes credential leakage into override files (see #12953).
Sensitive fields currently stored in retroarch.cfg
| Field | Risk |
| --- | --- |
| cheevos_password | RetroAchievements password in plaintext |
| cheevos_token | RetroAchievements auth token |
| cheevos_username | RetroAchievements username |
| twitch_stream_key | Would let someone stream to your Twitch channel |
| youtube_stream_key | Would let someone stream to your YouTube channel |
| netplay_password | Netplay session password |
| netplay_spectate_password | Netplay spectate password |
| webdav_username | Cloud sync username |
| webdav_password | Cloud sync password |
Why this matters
Config sharing is common in the RetroArch community. Influencers share optimized configs for specific cores/devices, users migrate between devices, and third-party tools help manage backups. All of these workflows involve moving retroarch.cfg around, and all of them risk leaking credentials.
This was partially reported in #12953 (credentials leaking into override files via "Save Overrides"), but the root cause is that credentials live in the same config format as everything else.
Proposed solution
Store credentials in a separate file (e.g. retroarch-secrets.cfg or retroarch-credentials.cfg) that RetroArch reads at startup but is never included in:
- "Save New Configuration" exports
- "Save Overrides" (per-core/per-game)
- Any config dump to `config/`
This would make the main retroarch.cfg and all override files safe to share by default, without requiring users or third-party tools to scrub sensitive fields.
Current workarounds
Third-party tools (and careful users) must manually strip these fields before sharing. This is fragile because:
- The list of sensitive fields can change across RetroArch versions
- New credential fields (e.g. for future integrations) won't be caught
- Users who don't know about this risk will share credentials unknowingly
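To make the proposed split and the current scrubbing workaround concrete, here is an added example (not RetroArch code, and not a tool the issue refers to) that separates a `retroarch.cfg` into a shareable half and a secrets half, reports which credential fields would leak from any given config text, and simulates the startup merge. It assumes the `key = "value"` line format that `retroarch.cfg` uses, a hypothetical suffix heuristic (`_password`, `_token`, `_stream_key`, `_username`, `_api_key`) to catch credential fields that a fixed list would miss, and a constructed sample config; the choice that the secrets file wins over a stale value left in the main config is a design decision of this example, not documented RetroArch behaviour.

```python
import re
from typing import Dict, List, Tuple

# Fields named in this issue. A fixed list goes stale across versions,
# which is exactly the fragility the issue describes.
KNOWN_SECRET_KEYS = {
    "cheevos_password", "cheevos_token", "cheevos_username",
    "twitch_stream_key", "youtube_stream_key",
    "netplay_password", "netplay_spectate_password",
    "webdav_username", "webdav_password",
}

# Assumption: future credential fields keep using suffixes like the
# current ones, so a suffix check catches keys the list does not know.
SECRET_SUFFIXES = ("_password", "_token", "_stream_key", "_username", "_api_key")

# retroarch.cfg lines look like:  key = "value"  (values always quoted;
# comments start with '#'). Escaped quotes inside values are not handled.
LINE_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"(.*)"\s*$')


def is_secret_key(key: str) -> bool:
    """True if the key is a known credential field or matches a credential suffix."""
    return key in KNOWN_SECRET_KEYS or key.endswith(SECRET_SUFFIXES)


def parse(text: str) -> Dict[str, str]:
    """Parse key/value lines; unparseable lines (comments, blanks) are skipped."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def split_config(text: str) -> Tuple[str, str]:
    """Return (shareable_cfg, secrets_cfg).

    Credential lines move to the secrets half even when their value is
    empty, so the main file never carries the key at all. Comments and
    lines that do not parse stay in the shareable half, so nothing is
    silently dropped.
    """
    public: List[str] = []
    secret: List[str] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and is_secret_key(m.group(1)):
            secret.append(line)
        else:
            public.append(line)
    return "\n".join(public) + "\n", "\n".join(secret) + "\n"


def leaked_secrets(text: str) -> List[str]:
    """Credential keys with a non-empty value in this text, in file order.

    This is the pre-share check a third-party tool would run on an export
    or an override file: an empty result means nothing sensitive leaks.
    """
    return [k for k, v in parse(text).items() if is_secret_key(k) and v != ""]


def load_with_secrets(main_cfg: str, secrets_cfg: str) -> Dict[str, str]:
    """Simulate startup: read the main config, then overlay the secrets file.

    Design choice of this example: the secrets file takes precedence, so a
    stale credential left behind in retroarch.cfg cannot override it.
    """
    merged = parse(main_cfg)
    merged.update(parse(secrets_cfg))
    return merged


# Constructed sample; not a real user's config.
SAMPLE_CFG = """# constructed retroarch.cfg excerpt
video_driver = "vulkan"
cheevos_enable = "true"
cheevos_username = "player1"
cheevos_password = "hunter2"
cheevos_token = ""
twitch_stream_key = "live_000000_abcdef"
netplay_nickname = "player1"
"""

if __name__ == "__main__":
    shareable, secrets = split_config(SAMPLE_CFG)
    print("would leak from original:", leaked_secrets(SAMPLE_CFG))
    print("would leak from shareable half:", leaked_secrets(shareable))
    print("merged at startup:", load_with_secrets(shareable, secrets))
```

Running `leaked_secrets` over an exported config or an override file before publishing it is the check worth automating; `split_config` is what the proposed startup-time separation would make unnecessary for users.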
Environment
Applies to all platforms, but especially impactful on Android where scoped storage restrictions make config management harder.