
[Feature request] Add Support of Encrypting/Decrypting GPG/PGP Fields or Attachments to Avoid Single Point of Failure #1538

Open
gynet opened this issue Jun 13, 2020 · 5 comments
Labels: Hardware (YubiKey, other tokens, biometrics); Type: Enhancement (Improves an existing feature)

Comments

gynet commented Jun 13, 2020

First, thanks for the very nice job done on the YubiKey integration; the CR mode would help a lot for some threat modeling.

However, as we know, the CR mode is not truly 2FA because of the nature of an offline database application. That means if one specific version of the database file + the password + CR response + (key file) gets compromised at the same time, then all the entries in the database could still be exposed to an attacker. Also, as most cloud services have a version tracking system, all the versions of a user's database have already been saved somewhere and are recoverable.

I understand this is not a problem unique to the KeePass ecosystem but one shared by almost all password manager applications, but it's somehow a "Single Point of Failure" situation.

On the contrary, the Passwordstore app uses individual GPG-encrypted files to save all the passwords. Also, as you might know, a YubiKey can be used as a GPG smart card for encryption/decryption, so the benefit is that even if the whole user operating system is compromised, an attacker can only acquire the specific password which is being decrypted, and the other password entries remain encrypted. The decryption process only happens on the YubiKey side, and the private key is not exposed to the system at all. I believe it will resolve the SPOF problem. However, the implementation of Passwordstore only encrypts the file content but not the metadata, like file & directory names, which include information about the usernames and websites. I think it is a vulnerability in the Passwordstore ecosystem; although they can add "pass-tomb" as an encrypted layer, it lacks cross-platform support.

Compared to Passwordstore, I still prefer KeeWeb/KeePass because of the ecosystem, UX, and natively encrypted metadata. My current workaround for SPOF is to manually encrypt some fields using OpenPGP, and I wrote a BASH script run with auto-type to decrypt the field. It's not bad, but it's kind of awkward because of the lack of UI support.

Describe the solution you'd like
So, if KeeWeb can add support (maybe a plugin?) for using GPG to encrypt/decrypt fields, it would be super awesome, and support for attachments with .gpg as the file extension would be a bonus. It will fully resolve the SPOF problems I mentioned above and enhance the security of some fields. It's even better than Passwordstore for handling metadata, as the KeePass DB has always kept everything encrypted. The GPG-encrypted fields can serve as an optional secondary encryption layer; what's more, users can use the YubiKey as truly "2FA", which is the perfect combination because the YubiKey has already been integrated with KeeWeb.

@gynet gynet added the Type ◦ Enhancement Improves an existing feature label Jun 13, 2020
gynet (Author) commented Jun 13, 2020

It would be nice to see something like the below supported by KeeWeb, using a right-click menu to invoke OpenPGP tools to decrypt, as well as for the creation process.
[image]

gynet (Author) commented Jun 13, 2020

Some user scenarios:

  • Someone posted a similar idea as a feature request to KeePassXC, but that user's ask was whether it is possible to encrypt entire entries in the DB, which is not possible because of compatibility. However, encrypting a field/attachment should be possible and is not related to compatibility.
  • I also believe some users may already save their public keys in KeeWeb/KeePass and might use workarounds similar to mine.

@gynet gynet changed the title from "[Feature request] Add Support of Encrypting/Decrypting GPG/PGP Fields to Avoid Single Point of Failure" to "[Feature request] Add Support of Encrypting/Decrypting GPG/PGP Fields / Attachment to Avoid Single Point of Failure" Jun 13, 2020
@gynet gynet changed the title from "[Feature request] Add Support of Encrypting/Decrypting GPG/PGP Fields / Attachment to Avoid Single Point of Failure" to "[Feature request] Add Support of Encrypting/Decrypting GPG/PGP Fields or Attachments to Avoid Single Point of Failure" Jun 13, 2020
antelle (Member) commented Jun 13, 2020

Hi! There are two things:

  • it's not possible to touch a YubiKey for GPG encryption/decryption, or if it's possible, probably nobody does this because it's used in other places as well, but maybe that's tolerable depending on the threat model;
  • we need support from other clients to do this, otherwise the file won't be compatible; well, it will be compatible, but it won't give any password. Is there a similar issue in KeePassXC or any of the major iOS clients (Strongbox or KeePassium)?

@antelle antelle added this to the Future milestone Jun 13, 2020
gynet (Author) commented Jun 13, 2020

@antelle

  • You can enable touch by using ykman.
    I just tried the command below, and it works! Even without touch, the user still needs to insert the YubiKey physically and type the PIN.

      ykman openpgp set-touch [OPTIONS] KEY POLICY
    
  • Agree, but the good thing is GPG is an open-source standard; there are already some pretty good mobile apps supporting GPG with YubiKey + NFC. E.g., for Android, I use OpenKeychain; it can decrypt a file using the YubiKey's NFC, and encryption and decryption communication can go through Android's "Interacting with Other Apps" APIs or just the clipboard. For native app integration, it might be a chicken-or-egg situation; although it would be ideal to also have an extension for a mobile app, e.g., Keepass2Android, so far I would say combining with OpenKeychain is pretty easy to use.

antelle (Member) commented Jun 13, 2020

I also agree that it's a chicken-and-egg problem, and probably if there's support in KeeWeb and an extension for KeePass, which is not hard to create, it may get some wider support in other forks.
I wonder if there will be support on iOS; I haven't seen any app capable of using GPG with a YubiKey, however this issue suggests it's not impossible, albeit not very straightforward.
Overall, I gave it a round of thought and it seems to be quite an interesting mode that can be used as an alternative to the current implementation for those who need it. Here are some considerations; the list is indeed not complete and not very well made, but anyway, here it is:

  • this can be enabled either for the whole file, or individually for entries, or for groups with inheritance like auto-type, we need to weigh up pros and cons and decide which mode would be flexible enough;
  • maybe we need even field-level control;
  • there's search by protected fields in different forks including KeeWeb; it won't work, and this most likely needs to be explained in the search control if the feature is in use;
  • DB export may become slower, which is fine; however, if the touch feature is enabled, it won't be possible (or will be inhumanly painful);
  • the same applies to disabling the feature.

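The following is an added example, not KeeWeb's code and not anything from this thread's authors. It models three of the design points raised above (and the per-field workaround from the first post): a "GPG fields" switch settable per group or per entry with auto-type-style inheritance, a search that skips fields holding an OpenPGP armored message and reports them so the UI can explain why, and a dearmoring step that checks the radix-64 CRC-24 (RFC 4880, section 6.1) before the ciphertext would be handed to gpg and the YubiKey. All names (Group, Entry, resolve_gpg_policy, search_entry, parse_armor) are assumptions, and the sample "ciphertext" is a constructed placeholder, not real gpg output.

```python
import base64
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"
ARMOR_END = "-----END PGP MESSAGE-----"


def crc24(data: bytes) -> int:
    """OpenPGP radix-64 checksum (RFC 4880 6.1): init 0xB704CE, poly 0x1864CFB."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(ciphertext: bytes) -> str:
    """Wrap raw bytes the way gpg --armor does; used here only to build sample fields."""
    b64 = base64.b64encode(ciphertext).decode("ascii")
    data_lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc_line = "=" + base64.b64encode(crc24(ciphertext).to_bytes(3, "big")).decode("ascii")
    return "\n".join([ARMOR_BEGIN, "", *data_lines, crc_line, ARMOR_END])


def is_pgp_armored(value: str) -> bool:
    """Cheap test a client can run on every field: does it hold an armored PGP message?"""
    stripped = value.strip()
    return stripped.startswith(ARMOR_BEGIN) and stripped.endswith(ARMOR_END)


def parse_armor(text: str) -> bytes:
    """Dearmor and verify the CRC-24 before the bytes go to gpg/the YubiKey.

    A mismatch means the field was edited or corrupted inside the database,
    which is worth reporting to the user instead of letting gpg fail on garbage.
    """
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines or lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        raise ValueError("not an OpenPGP armored message")
    body = lines[1:-1]
    while body and body[0]:            # skip "Version:"/"Comment:" armor headers
        body.pop(0)
    body = [line for line in body[1:] if line]   # drop the blank separator line
    if not body:
        raise ValueError("armored message carries no data")
    crc_b64: Optional[str] = None
    if body[-1].startswith("="):       # optional "=XXXX" checksum line
        crc_b64 = body.pop()[1:]
    data = base64.b64decode("".join(body), validate=True)
    if crc_b64 is not None:
        expected = int.from_bytes(base64.b64decode(crc_b64, validate=True), "big")
        if expected != crc24(data):
            raise ValueError("armor CRC-24 mismatch: ciphertext corrupted or edited")
    return data


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    gpg_fields: Optional[bool] = None   # None = inherit, like the auto-type setting


@dataclass
class Entry:
    title: str
    group: Group
    fields: Dict[str, str] = field(default_factory=dict)
    gpg_fields: Optional[bool] = None   # None = inherit from the group chain


def resolve_gpg_policy(entry: Entry) -> bool:
    """Entry -> group -> parents; the first explicit setting wins, root default is off."""
    if entry.gpg_fields is not None:
        return entry.gpg_fields
    group: Optional[Group] = entry.group
    while group is not None:
        if group.gpg_fields is not None:
            return group.gpg_fields
        group = group.parent
    return False


def search_entry(entry: Entry, needle: str) -> Tuple[List[str], List[str]]:
    """Search plaintext fields only; report armored ones so the UI can say why."""
    hits: List[str] = []
    skipped: List[str] = []
    needle = needle.lower()
    for name, value in entry.fields.items():
        if is_pgp_armored(value):
            skipped.append(name)        # only the key on the YubiKey can read this
        elif needle in value.lower():
            hits.append(name)
    return hits, skipped


def build_sample() -> Entry:
    """Constructed sample tree; the 'ciphertext' is a placeholder, not gpg output."""
    root = Group("Root")
    banking = Group("Banking", parent=root, gpg_fields=True)   # whole group opts in
    return Entry("Example bank", group=banking, fields={
        "UserName": "alice",
        "URL": "https://bank.example",
        "Password": armor(b"CONSTRUCTED: not real OpenPGP packets"),
    })


if __name__ == "__main__":
    entry = build_sample()
    print("secondary GPG layer on:", resolve_gpg_policy(entry))
    print("search 'alice':", search_entry(entry, "alice"))
    print("dearmored bytes:", parse_armor(entry.fields["Password"]))
```

The policy walk mirrors how KeePass resolves inherited auto-type settings, so a future "Banking" group can opt in once while a single entry can still opt out. Nothing here decrypts; the dearmored bytes are what a client would pass to gpg, and with a touch policy set every such call costs one physical touch, which is exactly why bulk export or a global "disable" would be painful.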