Document security considerations / threat analysis

[riedel]

Keys and callers are stored plain text in the config file, the former can be read by any application and the latter might be modified by any application.

[Frederick888]

See discussions at keepassxreboot/keepassxc#4513. I may create a wiki page later for this.

[Frederick888]

There is now a prototype in the yubikey branch that allows git-credential-keepassxc to encrypt the database keys using YubiKey challenge-response. For instructions see help message for the two new encrypt and decrypt subcommands (configure also has got a new --encrypt option in that branch).

By default it generates a random 64-byte challenge and sends it to YubiKey slot 2 to get a 20-byte response. It is then padded to 32 bytes for encrypting KeePassXC keys using AES-GCM-256.

Right now if you use multiple keys, you have to make sure all the keys share the same HMAC-SHA1 secret. I haven't come up with a good idea to support different secrets (and probably other encryption mechanisms in the future) at the same time yet.

And by the way, there seems to be some minor issues in the Rust YubiKey library. I've filed PRs at wisespace-io/yubico-manager#3 wisespace-io/yubico-manager#4.

[Frederick888]

Closed by https://github.com/Frederick888/git-credential-keepassxc/wiki/Security

Please file new issues if you believe anything else should also be addressed, or you've found any flaws in the current encryption workflow. The encryption feature has been merged into master btw.