[Feature request] Add Support of Encrypting/Decrypting GPG/PGP Fields or Attachments to Avoid Single Point of Failure #1538
Some user scenarios:
Hi! There are two things:
I also agree that it's a chicken and egg problem and probably if there's support in KeeWeb and an extension for KeePass which is not hard to create, it may get some wider support in other forks.
First, thanks for the very nice job done on the YubiKey integration; the CR mode would help a lot for some threat modeling.
However, as we know, the CR mode is not truly 2FA because of the nature of an offline database application: if one specific version of the database file + the password + CR response + (key file) get compromised at the same time, then all the entries in the database could still be exposed to an attacker. Also, as most cloud services have a version tracking system, all the versions of a user's database have already been saved somewhere and are recoverable.
I understand this is not a problem unique to the KeePass ecosystem but one shared by almost all password manager applications, but it's somehow a “Single Point of Failure” situation.
On the contrary, the Passwordstore app uses individual GPG-encrypted files to save all the passwords. Also, as you might know, a YubiKey can be used as a GPG smart card for encryption/decryption, so the benefit is that even if the whole user operating system is compromised, an attacker can only acquire the specific password which is being decrypted, and the other password entries remain encrypted. The decryption process only happens on the YubiKey side, and the private key is not exposed to the system at all. I believe it will resolve the SPOF problem. However, the implementation of Passwordstore only encrypts the file content but not the metadata, like file & directory names, which include information about the usernames and websites. I think it is a vulnerability in the Passwordstore ecosystem; although they can add a "pass-tomb" as an encrypted layer, it lacks cross-platform support.
Compared to Passwordstore, I still prefer KeeWeb/KeePass because of the ecosystem, UX, and natively encrypted metadata. My current workaround for SPOF is to manually encrypt some fields using OpenGPG, and I wrote a BASH script run with auto-type to decrypt the field. It's not bad, but it's kind of awkward because of the lack of UI support.
Describe the solution you'd like
So, if KeeWeb could add support (maybe a plugin?) for using GPG to encrypt/decrypt fields, it would be super awesome, and support for attachments with .gpg as the file extension would be a bonus. It would fully resolve the SPOF problems I mentioned above and enhance the security of some fields. It's even better than Passwordstore for handling metadata, as the KeePass DB has always kept everything encrypted. The GPG-encrypted fields can play the role of an optional secondary encryption layer; what's more, users can use the YubiKey as a true “2FA”, which is the perfect combination because the YubiKey has already been integrated with KeeWeb.
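As an added example (not KeeWeb's code and not the issue author's script), here is the shape of the per-field workaround described in the issue and of the plugin behaviour being requested: a small shell wrapper around GnuPG that encrypts one field value to an OpenPGP recipient and decrypts one armored blob on demand. It assumes GnuPG 2.x is installed and that the caller supplies the recipient key id or e-mail; the script name `field-gpg.sh`, the function names and the `encrypt`/`decrypt` dispatcher are my own.

```shell
#!/bin/sh
# field-gpg.sh (hypothetical name): per-field OpenPGP wrapper for a
# KeePass/KeeWeb custom field. Added example; assumes GnuPG 2.x on PATH.
set -eu

# Encrypt a single field value to the recipient's public key.
# The output is ASCII-armored so it can be pasted into a custom field
# (or stored as a .gpg attachment) without any binary handling.
encrypt_field() {
  recipient=$1
  value=$2
  printf '%s' "$value" |
    gpg --batch --yes --quiet --armor --encrypt --recipient "$recipient"
}

# Decrypt exactly one armored blob read from stdin and write the plaintext
# to stdout. The private-key operation happens wherever gpg-agent holds the
# key; with a YubiKey OpenPGP applet that is the card itself, so only this
# one field's plaintext ever reaches the host. --batch makes a missing or
# untrusted key fail loudly instead of prompting.
decrypt_field() {
  gpg --batch --quiet --decrypt
}

# Minimal CLI so the script is usable from an auto-type hook:
#   field-gpg.sh encrypt <key-id-or-email> '<value>'   -> armored blob
#   field-gpg.sh decrypt < blob.asc                     -> plaintext
case "${1-}" in
  encrypt) encrypt_field "$2" "$3" ;;
  decrypt) decrypt_field ;;
esac
```

Encrypt a field once with the `encrypt` sub-command and store the armored output in the entry; for auto-type, pipe the stored blob into `decrypt` and type the result. The database still protects the metadata as before, and the GPG layer adds the property the request is after: compromising the database, password and key file does not expose a wrapped field unless the OpenPGP private key (on the card) is also available.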