Document security considerations / threat analysis #5
Comments
See discussions at keepassxreboot/keepassxc#4513. I may create a wiki page later for this.
There is now a prototype in the By default it generates a random 64-byte challenge and sends it to YubiKey slot 2 to get a 20-byte response. It is then padded to 32 bytes for encrypting KeePassXC keys using AES-GCM-256. Right now if you use multiple keys, you have to make sure all the keys share the same HMAC-SHA1 secret. I haven't come up with a good idea to support different secrets (and probably other encryption mechanisms in the future) at the same time yet. And by the way, there seem to be some minor issues in the Rust YubiKey library. I've filed PRs at wisespace-io/yubico-manager#3 and wisespace-io/yubico-manager#4.
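The key derivation described in the comment above, as an added sketch that is not the project's code. It assumes a software HMAC-SHA1 stand-in for the YubiKey slot (`SoftToken`, hypothetical), zero padding on the right (the comment does not say how the response is padded), and constructed secrets; the AES-GCM step itself is left out.

```python
import hashlib
import hmac
import secrets

CHALLENGE_LEN = 64    # random challenge size given in the comment
RESPONSE_LEN = 20     # HMAC-SHA1 output size
AES256_KEY_LEN = 32   # key size needed for AES-GCM-256


class SoftToken:
    """Hypothetical software stand-in for a YubiKey slot in HMAC-SHA1 mode."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def challenge_response(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def new_challenge() -> bytes:
    # The challenge is not secret, but it must be stored next to the
    # ciphertext: the same challenge is needed to re-derive the key.
    return secrets.token_bytes(CHALLENGE_LEN)


def derive_key(token: SoftToken, challenge: bytes) -> bytes:
    response = token.challenge_response(challenge)
    if len(response) != RESPONSE_LEN:
        raise ValueError("unexpected response length")
    # Assumption: zero padding on the right. Whatever the padding, the key
    # carries at most 160 bits that depend on the token, not 256.
    return response.ljust(AES256_KEY_LEN, b"\x00")


def can_unlock(token: SoftToken, challenge: bytes, key: bytes) -> bool:
    # A second token re-derives the key only if it holds the same secret.
    return hmac.compare_digest(derive_key(token, challenge), key)


if __name__ == "__main__":
    shared = bytes(range(20))             # constructed 20-byte secret
    primary, backup = SoftToken(shared), SoftToken(shared)
    other = SoftToken(bytes(range(1, 21)))  # constructed, different secret
    ch = new_challenge()
    key = derive_key(primary, ch)
    print("backup unlocks:", can_unlock(backup, ch, key))
    print("other unlocks: ", can_unlock(other, ch, key))
```
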
Closed by https://github.com/Frederick888/git-credential-keepassxc/wiki/Security

Please file new issues if you believe anything else should also be addressed, or you've found any flaws in the current encryption workflow. The encryption feature has been merged into master btw.
Keys and callers are stored in plain text in the config file; the former can be read by any application and the latter might be modified by any application.