Where would you recommend me to store a Keepass-file?
Where do you store the KeePass-DB?
Where would you recommend me to store a Keepass-file? Usually I have my personal documents in my cloud account - but i am not sure if this is safe.
Would it be safe to use the cloud for this file? Can i secure it even further, by adding another (extra) layer of security by encrypting the file.
General question; How safe is this? What risks do I need to know about?
What can I do with the KeePass password file, there are several arguments to decide where to store it.
In my humble opinion, if the passwords are really, really important to someone, one should make the decision based on:
- the risk of the file being hacked - what can we do if we consider to get hacked
- the risk of losing the file because of having a bad hdd - what do you do if you face disk errors. And sure thing -. there are more things to think
- what if someone may compromise the file
- is it preferable that the DB file not get in the wild,
- there may be more and other risks - which one do you take into consideration"?
- what if my cloud storage account is getting compromised then having the credentials recovered by either brute force or some other attack vector.
What if someone may compromise the file?
- Options; can I secure it even further, by adding another layer of security by encrypting the file i am going to store in cloud storage
online.
- regarding the master password: master password provides pretty good security as long as i choose a difficult to brute force password (long
and truly random),
- on the other handside - a masterpassword still can't compete with an actual long encryption key.
- we can increase the resiliency of the KeePass database to brute force by increasing the number of PBKDF2 iterations
- we can do this in KeePass under File > Database settings > Security: Personally, I use around 10,000,000 rounds (2 s delay).
well -- as mentioned above; I use the KeePass-cloud combination. The password database is encrypted using a key derived from a strong master password.
Even if somebody acquires the encrypted password database through the cloud account, a strong enough master password renders brute-force attacks infeasible.
What can I do with the KeePass password file? Which of the arguments do you take into consideration, to decide where to store it?
encryption
migrated from superuser.com 4 hours ago
This question came from our site for computer enthusiasts and power users.
add a comment |
Where do you store the KeePass-DB?
Where would you recommend me to store a Keepass-file? Usually I have my personal documents in my cloud account - but i am not sure if this is safe.
Would it be safe to use the cloud for this file? Can i secure it even further, by adding another (extra) layer of security by encrypting the file.
General question; How safe is this? What risks do I need to know about?
What can I do with the KeePass password file, there are several arguments to decide where to store it.
In my humble opinion, if the passwords are really, really important to someone, one should make the decision based on:
- the risk of the file being hacked - what can we do if we consider to get hacked
- the risk of losing the file because of having a bad hdd - what do you do if you face disk errors. And sure thing -. there are more things to think
- what if someone may compromise the file
- is it preferable that the DB file not get in the wild,
- there may be more and other risks - which one do you take into consideration"?
- what if my cloud storage account is getting compromised then having the credentials recovered by either brute force or some other attack vector.
What if someone may compromise the file?
- Options; can I secure it even further, by adding another layer of security by encrypting the file i am going to store in cloud storage
online.
- regarding the master password: master password provides pretty good security as long as i choose a difficult to brute force password (long
and truly random),
- on the other handside - a masterpassword still can't compete with an actual long encryption key.
- we can increase the resiliency of the KeePass database to brute force by increasing the number of PBKDF2 iterations
- we can do this in KeePass under File > Database settings > Security: Personally, I use around 10,000,000 rounds (2 s delay).
well -- as mentioned above; I use the KeePass-cloud combination. The password database is encrypted using a key derived from a strong master password.
Even if somebody acquires the encrypted password database through the cloud account, a strong enough master password renders brute-force attacks infeasible.
What can I do with the KeePass password file? Which of the arguments do you take into consideration, to decide where to store it?
encryption
migrated from superuser.com 4 hours ago
This question came from our site for computer enthusiasts and power users.
1
I think "a long and truly random masterpassword" actually is "an actual long encryption key", just usually in ASCII
– Xen2050
6 hours ago
From one not of this community, I totally read this as a "keep-ass" file.
– jvriesem
5 hours ago
Are you asking about storage of the KeePass database file, a key file used to decrypt one of those database files, or both?
– Michael
4 hours ago
I have a keepass database stored in dropbox that I use to sync between systems. Each system has a local keepass database file and triggers to sync changes to/from the central file in dropbox.
– Iain
4 hours ago
add a comment |
Where do you store the KeePass-DB?
Where would you recommend me to store a Keepass-file? Usually I have my personal documents in my cloud account - but i am not sure if this is safe.
Would it be safe to use the cloud for this file? Can i secure it even further, by adding another (extra) layer of security by encrypting the file.
General question; How safe is this? What risks do I need to know about?
What can I do with the KeePass password file, there are several arguments to decide where to store it.
In my humble opinion, if the passwords are really, really important to someone, one should make the decision based on:
- the risk of the file being hacked - what can we do if we consider to get hacked
- the risk of losing the file because of having a bad hdd - what do you do if you face disk errors. And sure thing -. there are more things to think
- what if someone may compromise the file
- is it preferable that the DB file not get in the wild,
- there may be more and other risks - which one do you take into consideration"?
- what if my cloud storage account is getting compromised then having the credentials recovered by either brute force or some other attack vector.
What if someone may compromise the file?
- Options; can I secure it even further, by adding another layer of security by encrypting the file i am going to store in cloud storage
online.
- regarding the master password: master password provides pretty good security as long as i choose a difficult to brute force password (long
and truly random),
- on the other handside - a masterpassword still can't compete with an actual long encryption key.
- we can increase the resiliency of the KeePass database to brute force by increasing the number of PBKDF2 iterations
- we can do this in KeePass under File > Database settings > Security: Personally, I use around 10,000,000 rounds (2 s delay).
well -- as mentioned above; I use the KeePass-cloud combination. The password database is encrypted using a key derived from a strong master password.
Even if somebody acquires the encrypted password database through the cloud account, a strong enough master password renders brute-force attacks infeasible.
What can I do with the KeePass password file? Which of the arguments do you take into consideration, to decide where to store it?
encryption
Where do you store the KeePass-DB?
Where would you recommend me to store a Keepass-file? Usually I have my personal documents in my cloud account - but i am not sure if this is safe.
Would it be safe to use the cloud for this file? Can i secure it even further, by adding another (extra) layer of security by encrypting the file.
General question; How safe is this? What risks do I need to know about?
What can I do with the KeePass password file, there are several arguments to decide where to store it.
In my humble opinion, if the passwords are really, really important to someone, one should make the decision based on:
- the risk of the file being hacked - what can we do if we consider to get hacked
- the risk of losing the file because of having a bad hdd - what do you do if you face disk errors. And sure thing -. there are more things to think
- what if someone may compromise the file
- is it preferable that the DB file not get in the wild,
- there may be more and other risks - which one do you take into consideration"?
- what if my cloud storage account is getting compromised then having the credentials recovered by either brute force or some other attack vector.
What if someone may compromise the file?
- Options; can I secure it even further, by adding another layer of security by encrypting the file i am going to store in cloud storage
online.
- regarding the master password: master password provides pretty good security as long as i choose a difficult to brute force password (long
and truly random),
- on the other handside - a masterpassword still can't compete with an actual long encryption key.
- we can increase the resiliency of the KeePass database to brute force by increasing the number of PBKDF2 iterations
- we can do this in KeePass under File > Database settings > Security: Personally, I use around 10,000,000 rounds (2 s delay).
well -- as mentioned above; I use the KeePass-cloud combination. The password database is encrypted using a key derived from a strong master password.
Even if somebody acquires the encrypted password database through the cloud account, a strong enough master password renders brute-force attacks infeasible.
What can I do with the KeePass password file? Which of the arguments do you take into consideration, to decide where to store it?
encryption
encryption
asked 8 hours ago
butch
migrated from superuser.com 4 hours ago
This question came from our site for computer enthusiasts and power users.
migrated from superuser.com 4 hours ago
This question came from our site for computer enthusiasts and power users.
1
I think "a long and truly random masterpassword" actually is "an actual long encryption key", just usually in ASCII
– Xen2050
6 hours ago
From one not of this community, I totally read this as a "keep-ass" file.
– jvriesem
5 hours ago
Are you asking about storage of the KeePass database file, a key file used to decrypt one of those database files, or both?
– Michael
4 hours ago
I have a keepass database stored in dropbox that I use to sync between systems. Each system has a local keepass database file and triggers to sync changes to/from the central file in dropbox.
– Iain
4 hours ago
add a comment |
1
I think "a long and truly random masterpassword" actually is "an actual long encryption key", just usually in ASCII
– Xen2050
6 hours ago
From one not of this community, I totally read this as a "keep-ass" file.
– jvriesem
5 hours ago
Are you asking about storage of the KeePass database file, a key file used to decrypt one of those database files, or both?
– Michael
4 hours ago
I have a keepass database stored in dropbox that I use to sync between systems. Each system has a local keepass database file and triggers to sync changes to/from the central file in dropbox.
– Iain
4 hours ago
1
1
I think "a long and truly random masterpassword" actually is "an actual long encryption key", just usually in ASCII
– Xen2050
6 hours ago
I think "a long and truly random masterpassword" actually is "an actual long encryption key", just usually in ASCII
– Xen2050
6 hours ago
From one not of this community, I totally read this as a "keep-ass" file.
– jvriesem
5 hours ago
From one not of this community, I totally read this as a "keep-ass" file.
– jvriesem
5 hours ago
Are you asking about storage of the KeePass database file, a key file used to decrypt one of those database files, or both?
– Michael
4 hours ago
Are you asking about storage of the KeePass database file, a key file used to decrypt one of those database files, or both?
– Michael
4 hours ago
I have a keepass database stored in dropbox that I use to sync between systems. Each system has a local keepass database file and triggers to sync changes to/from the central file in dropbox.
– Iain
4 hours ago
I have a keepass database stored in dropbox that I use to sync between systems. Each system has a local keepass database file and triggers to sync changes to/from the central file in dropbox.
– Iain
4 hours ago
add a comment |
2 Answers
2
active
oldest
votes
In theory, you can store the database file anywhere, it's encrypted with it's own passphrase (or keyfile).
If you're worried about someone trying to guess your passphrase or otherwise break into it, you're free to encrypt it a second time with any other reputable encryption method. GPG/PGP is good, or a TrueCrypt successor, or a dm-crypt/LUKS container (though LUKS are generally >2MB, a KeePass database could be under 100k), there's a lot to choose from.
Encrypting the file a further 3rd, 4th... nth time should multiply your protection (provided the encryption itself isn't broken), but it also multiplies the number of passphrases/keyfiles you have to remember, and the time to decrypt them all.
In case someone modifies a KeePass database file, even one byte difference, KeePass should notice and warn you. I tried modifying a single byte in the middle and it complained:
The following error occured while opening the database:
Hash test failed.
The key is wrong or the file is damaged.
Modifying the very first byte complained:
The following error occured while opening the database:
Wrong Signature
Modifying a byte in a gpg file gives a similar complaint (but still decrypts the file, with about 8 bits changed - KeePass would then complain again refusing to open it):
gpg: WARNING: encrypted message has been manipulated!
You can always keep your own checksum/hash of the file too (sha sums are popular, md5sum still, even a CRC32 should detect corruption), just to verify that it hasn't changed.
1
Encrypting the file multiple times with separate passwords doesn't give much extra security if each of the passwords can be brute-forced separately. For example, encrypting the file four times with 8 character passwords each time is much less secure than encrypting it once with a 32 character password. (log2(26^8*4) = 40 bits of entropy vs log2(26^32) = 152 bits for simple alphabetic passwords.)
– Jacob Bundgaard
4 hours ago
@JacobBundgaard Everything can be brute-forced, but I'm assuming one would use sufficiently long passwords so that guessing the password wouldn't be much faster than brute forcing the encryption directly. Then each time it's encrypted should add some significant guessing time
– Xen2050
9 mins ago
add a comment |
Few things:
1) Keep the master passPHRASE not passWORD on soemwhere NOT in the cloud.
2) Consider using some form of pki if you plan to have copies in the cloud of some other format/location ( like a safety deposit box ) so that compromise is easier to spot as well. If someone were to play funny with it the key (PGP/PKCS or similiar) would be all sorts of screwed up playing the needed aspect of canary.
3) look into rate-limiting inside and outside of KeePass application
4) if possible for networked devices, or separate hard drives set locks on users and credentials that would be allowed to access this.
5) The RINGER: in the event of a compromise of YOU, illness,captive or whatever, does a trusted party have a way to access without giving them your personal key(s) or full access unless neeeded (a lawyer,doctor for example)
1
By pki do you mean public key infrastructure? How would it assist with keeping copies online? Or be useful, since you're the only one who's encrypting and decrypting the file?
– Xen2050
6 hours ago
Even if you are the only one, you must assume you will be accessing or have a need to from multiple machines/terminals or the cloud allows for access from virtually any network connected device with access to said cloud provider. This is where using PKI ( yes Public Key Infra) would help making sure it is ACTUALLY you (assuming you have not allowed the credentials to be also compromised)
– linuxdev2013
16 mins ago
If you're planning on accessing your KeePass database from multiple (any?) machines or the cloud, how would you have your secret key to decrypt your file? And if you had your secret key, why not just keep your KeePass database too?
– Xen2050
4 mins ago
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f200401%2fwhere-would-you-recommend-me-to-store-a-keepass-file%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
In theory, you can store the database file anywhere, it's encrypted with it's own passphrase (or keyfile).
If you're worried about someone trying to guess your passphrase or otherwise break into it, you're free to encrypt it a second time with any other reputable encryption method. GPG/PGP is good, or a TrueCrypt successor, or a dm-crypt/LUKS container (though LUKS are generally >2MB, a KeePass database could be under 100k), there's a lot to choose from.
Encrypting the file a further 3rd, 4th... nth time should multiply your protection (provided the encryption itself isn't broken), but it also multiplies the number of passphrases/keyfiles you have to remember, and the time to decrypt them all.
In case someone modifies a KeePass database file, even one byte difference, KeePass should notice and warn you. I tried modifying a single byte in the middle and it complained:
The following error occured while opening the database:
Hash test failed.
The key is wrong or the file is damaged.
Modifying the very first byte complained:
The following error occured while opening the database:
Wrong Signature
Modifying a byte in a gpg file gives a similar complaint (but still decrypts the file, with about 8 bits changed - KeePass would then complain again refusing to open it):
gpg: WARNING: encrypted message has been manipulated!
You can always keep your own checksum/hash of the file too (sha sums are popular, md5sum still, even a CRC32 should detect corruption), just to verify that it hasn't changed.
1
Encrypting the file multiple times with separate passwords doesn't give much extra security if each of the passwords can be brute-forced separately. For example, encrypting the file four times with 8 character passwords each time is much less secure than encrypting it once with a 32 character password. (log2(26^8*4) = 40 bits of entropy vs log2(26^32) = 152 bits for simple alphabetic passwords.)
– Jacob Bundgaard
4 hours ago
@JacobBundgaard Everything can be brute-forced, but I'm assuming one would use sufficiently long passwords so that guessing the password wouldn't be much faster than brute forcing the encryption directly. Then each time it's encrypted should add some significant guessing time
– Xen2050
9 mins ago
add a comment |
In theory, you can store the database file anywhere, it's encrypted with it's own passphrase (or keyfile).
If you're worried about someone trying to guess your passphrase or otherwise break into it, you're free to encrypt it a second time with any other reputable encryption method. GPG/PGP is good, or a TrueCrypt successor, or a dm-crypt/LUKS container (though LUKS are generally >2MB, a KeePass database could be under 100k), there's a lot to choose from.
Encrypting the file a further 3rd, 4th... nth time should multiply your protection (provided the encryption itself isn't broken), but it also multiplies the number of passphrases/keyfiles you have to remember, and the time to decrypt them all.
In case someone modifies a KeePass database file, even one byte difference, KeePass should notice and warn you. I tried modifying a single byte in the middle and it complained:
The following error occured while opening the database:
Hash test failed.
The key is wrong or the file is damaged.
Modifying the very first byte complained:
The following error occured while opening the database:
Wrong Signature
Modifying a byte in a gpg file gives a similar complaint (but still decrypts the file, with about 8 bits changed - KeePass would then complain again refusing to open it):
gpg: WARNING: encrypted message has been manipulated!
You can always keep your own checksum/hash of the file too (sha sums are popular, md5sum still, even a CRC32 should detect corruption), just to verify that it hasn't changed.
1
Encrypting the file multiple times with separate passwords doesn't give much extra security if each of the passwords can be brute-forced separately. For example, encrypting the file four times with 8 character passwords each time is much less secure than encrypting it once with a 32 character password. (log2(26^8*4) = 40 bits of entropy vs log2(26^32) = 152 bits for simple alphabetic passwords.)
– Jacob Bundgaard
4 hours ago
@JacobBundgaard Everything can be brute-forced, but I'm assuming one would use sufficiently long passwords so that guessing the password wouldn't be much faster than brute forcing the encryption directly. Then each time it's encrypted should add some significant guessing time
– Xen2050
9 mins ago
add a comment |
In theory, you can store the database file anywhere, it's encrypted with it's own passphrase (or keyfile).
If you're worried about someone trying to guess your passphrase or otherwise break into it, you're free to encrypt it a second time with any other reputable encryption method. GPG/PGP is good, or a TrueCrypt successor, or a dm-crypt/LUKS container (though LUKS are generally >2MB, a KeePass database could be under 100k), there's a lot to choose from.
Encrypting the file a further 3rd, 4th... nth time should multiply your protection (provided the encryption itself isn't broken), but it also multiplies the number of passphrases/keyfiles you have to remember, and the time to decrypt them all.
In case someone modifies a KeePass database file, even one byte difference, KeePass should notice and warn you. I tried modifying a single byte in the middle and it complained:
The following error occured while opening the database:
Hash test failed.
The key is wrong or the file is damaged.
Modifying the very first byte complained:
The following error occured while opening the database:
Wrong Signature
Modifying a byte in a gpg file gives a similar complaint (but still decrypts the file, with about 8 bits changed - KeePass would then complain again refusing to open it):
gpg: WARNING: encrypted message has been manipulated!
You can always keep your own checksum/hash of the file too (sha sums are popular, md5sum still, even a CRC32 should detect corruption), just to verify that it hasn't changed.
In theory, you can store the database file anywhere, it's encrypted with it's own passphrase (or keyfile).
If you're worried about someone trying to guess your passphrase or otherwise break into it, you're free to encrypt it a second time with any other reputable encryption method. GPG/PGP is good, or a TrueCrypt successor, or a dm-crypt/LUKS container (though LUKS are generally >2MB, a KeePass database could be under 100k), there's a lot to choose from.
Encrypting the file a further 3rd, 4th... nth time should multiply your protection (provided the encryption itself isn't broken), but it also multiplies the number of passphrases/keyfiles you have to remember, and the time to decrypt them all.
In case someone modifies a KeePass database file, even one byte difference, KeePass should notice and warn you. I tried modifying a single byte in the middle and it complained:
The following error occured while opening the database:
Hash test failed.
The key is wrong or the file is damaged.
Modifying the very first byte complained:
The following error occured while opening the database:
Wrong Signature
Modifying a byte in a gpg file gives a similar complaint (but still decrypts the file, with about 8 bits changed - KeePass would then complain again refusing to open it):
gpg: WARNING: encrypted message has been manipulated!
You can always keep your own checksum/hash of the file too (sha sums are popular, md5sum still, even a CRC32 should detect corruption), just to verify that it hasn't changed.
answered 6 hours ago
Xen2050
1997
1997
1
Encrypting the file multiple times with separate passwords doesn't give much extra security if each of the passwords can be brute-forced separately. For example, encrypting the file four times with 8 character passwords each time is much less secure than encrypting it once with a 32 character password. (log2(26^8*4) = 40 bits of entropy vs log2(26^32) = 152 bits for simple alphabetic passwords.)
– Jacob Bundgaard
4 hours ago
@JacobBundgaard Everything can be brute-forced, but I'm assuming one would use sufficiently long passwords so that guessing the password wouldn't be much faster than brute forcing the encryption directly. Then each time it's encrypted should add some significant guessing time
– Xen2050
9 mins ago
add a comment |
1
Encrypting the file multiple times with separate passwords doesn't give much extra security if each of the passwords can be brute-forced separately. For example, encrypting the file four times with 8 character passwords each time is much less secure than encrypting it once with a 32 character password. (log2(26^8*4) = 40 bits of entropy vs log2(26^32) = 152 bits for simple alphabetic passwords.)
– Jacob Bundgaard
4 hours ago
@JacobBundgaard Everything can be brute-forced, but I'm assuming one would use sufficiently long passwords so that guessing the password wouldn't be much faster than brute forcing the encryption directly. Then each time it's encrypted should add some significant guessing time
– Xen2050
9 mins ago
1
1
Encrypting the file multiple times with separate passwords doesn't give much extra security if each of the passwords can be brute-forced separately. For example, encrypting the file four times with 8 character passwords each time is much less secure than encrypting it once with a 32 character password. (log2(26^8*4) = 40 bits of entropy vs log2(26^32) = 152 bits for simple alphabetic passwords.)
– Jacob Bundgaard
4 hours ago
Encrypting the file multiple times with separate passwords doesn't give much extra security if each of the passwords can be brute-forced separately. For example, encrypting the file four times with 8 character passwords each time is much less secure than encrypting it once with a 32 character password. (log2(26^8*4) = 40 bits of entropy vs log2(26^32) = 152 bits for simple alphabetic passwords.)
– Jacob Bundgaard
4 hours ago
@JacobBundgaard Everything can be brute-forced, but I'm assuming one would use sufficiently long passwords so that guessing the password wouldn't be much faster than brute forcing the encryption directly. Then each time it's encrypted should add some significant guessing time
– Xen2050
9 mins ago
@JacobBundgaard Everything can be brute-forced, but I'm assuming one would use sufficiently long passwords so that guessing the password wouldn't be much faster than brute forcing the encryption directly. Then each time it's encrypted should add some significant guessing time
– Xen2050
9 mins ago
add a comment |
Few things:
1) Keep the master passPHRASE not passWORD on soemwhere NOT in the cloud.
2) Consider using some form of pki if you plan to have copies in the cloud of some other format/location ( like a safety deposit box ) so that compromise is easier to spot as well. If someone were to play funny with it the key (PGP/PKCS or similiar) would be all sorts of screwed up playing the needed aspect of canary.
3) look into rate-limiting inside and outside of KeePass application
4) if possible for networked devices, or separate hard drives set locks on users and credentials that would be allowed to access this.
5) The RINGER: in the event of a compromise of YOU, illness,captive or whatever, does a trusted party have a way to access without giving them your personal key(s) or full access unless neeeded (a lawyer,doctor for example)
1
By pki do you mean public key infrastructure? How would it assist with keeping copies online? Or be useful, since you're the only one who's encrypting and decrypting the file?
– Xen2050
6 hours ago
Even if you are the only one, you must assume you will be accessing or have a need to from multiple machines/terminals or the cloud allows for access from virtually any network connected device with access to said cloud provider. This is where using PKI ( yes Public Key Infra) would help making sure it is ACTUALLY you (assuming you have not allowed the credentials to be also compromised)
– linuxdev2013
16 mins ago
If you're planning on accessing your KeePass database from multiple (any?) machines or the cloud, how would you have your secret key to decrypt your file? And if you had your secret key, why not just keep your KeePass database too?
– Xen2050
4 mins ago
add a comment |
Few things:
1) Keep the master passPHRASE not passWORD on soemwhere NOT in the cloud.
2) Consider using some form of pki if you plan to have copies in the cloud of some other format/location ( like a safety deposit box ) so that compromise is easier to spot as well. If someone were to play funny with it the key (PGP/PKCS or similiar) would be all sorts of screwed up playing the needed aspect of canary.
3) look into rate-limiting inside and outside of KeePass application
4) if possible for networked devices, or separate hard drives set locks on users and credentials that would be allowed to access this.
5) The RINGER: in the event of a compromise of YOU, illness,captive or whatever, does a trusted party have a way to access without giving them your personal key(s) or full access unless neeeded (a lawyer,doctor for example)
1
By pki do you mean public key infrastructure? How would it assist with keeping copies online? Or be useful, since you're the only one who's encrypting and decrypting the file?
– Xen2050
6 hours ago
Even if you are the only one, you must assume you will be accessing or have a need to from multiple machines/terminals or the cloud allows for access from virtually any network connected device with access to said cloud provider. This is where using PKI ( yes Public Key Infra) would help making sure it is ACTUALLY you (assuming you have not allowed the credentials to be also compromised)
– linuxdev2013
16 mins ago
If you're planning on accessing your KeePass database from multiple (any?) machines or the cloud, how would you have your secret key to decrypt your file? And if you had your secret key, why not just keep your KeePass database too?
– Xen2050
4 mins ago
add a comment |
Few things:
1) Keep the master passPHRASE not passWORD on soemwhere NOT in the cloud.
2) Consider using some form of pki if you plan to have copies in the cloud of some other format/location ( like a safety deposit box ) so that compromise is easier to spot as well. If someone were to play funny with it the key (PGP/PKCS or similiar) would be all sorts of screwed up playing the needed aspect of canary.
3) look into rate-limiting inside and outside of KeePass application
4) if possible for networked devices, or separate hard drives set locks on users and credentials that would be allowed to access this.
5) The RINGER: in the event of a compromise of YOU, illness,captive or whatever, does a trusted party have a way to access without giving them your personal key(s) or full access unless neeeded (a lawyer,doctor for example)
Few things:
1) Keep the master passPHRASE not passWORD on soemwhere NOT in the cloud.
2) Consider using some form of pki if you plan to have copies in the cloud of some other format/location ( like a safety deposit box ) so that compromise is easier to spot as well. If someone were to play funny with it the key (PGP/PKCS or similiar) would be all sorts of screwed up playing the needed aspect of canary.
3) look into rate-limiting inside and outside of KeePass application
4) if possible for networked devices, or separate hard drives set locks on users and credentials that would be allowed to access this.
5) The RINGER: in the event of a compromise of YOU, illness,captive or whatever, does a trusted party have a way to access without giving them your personal key(s) or full access unless neeeded (a lawyer,doctor for example)
answered 8 hours ago
linuxdev2013
1113
1113
1
By pki do you mean public key infrastructure? How would it assist with keeping copies online? Or be useful, since you're the only one who's encrypting and decrypting the file?
– Xen2050
6 hours ago
Even if you are the only one, you must assume you will be accessing or have a need to from multiple machines/terminals or the cloud allows for access from virtually any network connected device with access to said cloud provider. This is where using PKI ( yes Public Key Infra) would help making sure it is ACTUALLY you (assuming you have not allowed the credentials to be also compromised)
– linuxdev2013
16 mins ago
If you're planning on accessing your KeePass database from multiple (any?) machines or the cloud, how would you have your secret key to decrypt your file? And if you had your secret key, why not just keep your KeePass database too?
– Xen2050
4 mins ago
add a comment |
1
By pki do you mean public key infrastructure? How would it assist with keeping copies online? Or be useful, since you're the only one who's encrypting and decrypting the file?
– Xen2050
6 hours ago
Even if you are the only one, you must assume you will be accessing or have a need to from multiple machines/terminals or the cloud allows for access from virtually any network connected device with access to said cloud provider. This is where using PKI ( yes Public Key Infra) would help making sure it is ACTUALLY you (assuming you have not allowed the credentials to be also compromised)
– linuxdev2013
16 mins ago
If you're planning on accessing your KeePass database from multiple (any?) machines or the cloud, how would you have your secret key to decrypt your file? And if you had your secret key, why not just keep your KeePass database too?
– Xen2050
4 mins ago
1
1
By pki do you mean public key infrastructure? How would it assist with keeping copies online? Or be useful, since you're the only one who's encrypting and decrypting the file?
– Xen2050
6 hours ago
By pki do you mean public key infrastructure? How would it assist with keeping copies online? Or be useful, since you're the only one who's encrypting and decrypting the file?
– Xen2050
6 hours ago
Even if you are the only one, you must assume you will be accessing or have a need to from multiple machines/terminals or the cloud allows for access from virtually any network connected device with access to said cloud provider. This is where using PKI ( yes Public Key Infra) would help making sure it is ACTUALLY you (assuming you have not allowed the credentials to be also compromised)
– linuxdev2013
16 mins ago
Even if you are the only one, you must assume you will be accessing or have a need to from multiple machines/terminals or the cloud allows for access from virtually any network connected device with access to said cloud provider. This is where using PKI ( yes Public Key Infra) would help making sure it is ACTUALLY you (assuming you have not allowed the credentials to be also compromised)
– linuxdev2013
16 mins ago
If you're planning on accessing your KeePass database from multiple (any?) machines or the cloud, how would you have your secret key to decrypt your file? And if you had your secret key, why not just keep your KeePass database too?
– Xen2050
4 mins ago
If you're planning on accessing your KeePass database from multiple (any?) machines or the cloud, how would you have your secret key to decrypt your file? And if you had your secret key, why not just keep your KeePass database too?
– Xen2050
4 mins ago
add a comment |
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f200401%2fwhere-would-you-recommend-me-to-store-a-keepass-file%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
I think "a long and truly random masterpassword" actually is "an actual long encryption key", just usually in ASCII
– Xen2050
6 hours ago
From one not of this community, I totally read this as a "keep-ass" file.
– jvriesem
5 hours ago
Are you asking about storage of the KeePass database file, a key file used to decrypt one of those database files, or both?
– Michael
4 hours ago
I have a keepass database stored in dropbox that I use to sync between systems. Each system has a local keepass database file and triggers to sync changes to/from the central file in dropbox.
– Iain
4 hours ago