Where would you recommend me to store a Keepass-file?












5














Where do you store the KeePass-DB?



Where would you recommend me to store a Keepass-file? Usually I have my personal documents in my cloud account - but i am not sure if this is safe.
Would it be safe to use the cloud for this file? Can i secure it even further, by adding another (extra) layer of security by encrypting the file.
General question; How safe is this? What risks do I need to know about?



What can I do with the KeePass password file, there are several arguments to decide where to store it.
In my humble opinion, if the passwords are really, really important to someone, one should make the decision based on:




  • the risk of the file being hacked - what can we do if we consider to get hacked

  • the risk of losing the file because of having a bad hdd - what do you do if you face disk errors. And sure thing -. there are more things to think

  • what if someone may compromise the file

  • is it preferable that the DB file not get in the wild,

  • there may be more and other risks - which one do you take into consideration"?

  • what if my cloud storage account is getting compromised then having the credentials recovered by either brute force or some other attack vector.


What if someone may compromise the file?





  • Options; can I secure it even further, by adding another layer of security by encrypting the file i am going to store in cloud storage
    online.

  • regarding the master password: master password provides pretty good security as long as i choose a difficult to brute force password (long
    and truly random),

  • on the other handside - a masterpassword still can't compete with an actual long encryption key.

  • we can increase the resiliency of the KeePass database to brute force by increasing the number of PBKDF2 iterations

  • we can do this in KeePass under File > Database settings > Security: Personally, I use around 10,000,000 rounds (2 s delay).




well -- as mentioned above; I use the KeePass-cloud combination. The password database is encrypted using a key derived from a strong master password.
Even if somebody acquires the encrypted password database through the cloud account, a strong enough master password renders brute-force attacks infeasible.



What can I do with the KeePass password file? Which of the arguments do you take into consideration, to decide where to store it?










share|improve this question













migrated from superuser.com 4 hours ago


This question came from our site for computer enthusiasts and power users.











  • 1




    I think "a long and truly random masterpassword" actually is "an actual long encryption key", just usually in ASCII
    – Xen2050
    6 hours ago










  • From one not of this community, I totally read this as a "keep-ass" file.
    – jvriesem
    5 hours ago










  • Are you asking about storage of the KeePass database file, a key file used to decrypt one of those database files, or both?
    – Michael
    4 hours ago










  • I have a keepass database stored in dropbox that I use to sync between systems. Each system has a local keepass database file and triggers to sync changes to/from the central file in dropbox.
    – Iain
    4 hours ago
















5














Where do you store the KeePass-DB?



Where would you recommend me to store a Keepass-file? Usually I have my personal documents in my cloud account - but i am not sure if this is safe.
Would it be safe to use the cloud for this file? Can i secure it even further, by adding another (extra) layer of security by encrypting the file.
General question; How safe is this? What risks do I need to know about?



What can I do with the KeePass password file, there are several arguments to decide where to store it.
In my humble opinion, if the passwords are really, really important to someone, one should make the decision based on:




  • the risk of the file being hacked - what can we do if we consider to get hacked

  • the risk of losing the file because of having a bad hdd - what do you do if you face disk errors. And sure thing -. there are more things to think

  • what if someone may compromise the file

  • is it preferable that the DB file not get in the wild,

  • there may be more and other risks - which one do you take into consideration"?

  • what if my cloud storage account is getting compromised then having the credentials recovered by either brute force or some other attack vector.


What if someone may compromise the file?





  • Options; can I secure it even further, by adding another layer of security by encrypting the file i am going to store in cloud storage
    online.

  • regarding the master password: master password provides pretty good security as long as i choose a difficult to brute force password (long
    and truly random),

  • on the other handside - a masterpassword still can't compete with an actual long encryption key.

  • we can increase the resiliency of the KeePass database to brute force by increasing the number of PBKDF2 iterations

  • we can do this in KeePass under File > Database settings > Security: Personally, I use around 10,000,000 rounds (2 s delay).




well -- as mentioned above; I use the KeePass-cloud combination. The password database is encrypted using a key derived from a strong master password.
Even if somebody acquires the encrypted password database through the cloud account, a strong enough master password renders brute-force attacks infeasible.



What can I do with the KeePass password file? Which of the arguments do you take into consideration, to decide where to store it?










share|improve this question













migrated from superuser.com 4 hours ago


This question came from our site for computer enthusiasts and power users.











  • 1




    I think "a long and truly random masterpassword" actually is "an actual long encryption key", just usually in ASCII
    – Xen2050
    6 hours ago










  • From one not of this community, I totally read this as a "keep-ass" file.
    – jvriesem
    5 hours ago










  • Are you asking about storage of the KeePass database file, a key file used to decrypt one of those database files, or both?
    – Michael
    4 hours ago










  • I have a keepass database stored in dropbox that I use to sync between systems. Each system has a local keepass database file and triggers to sync changes to/from the central file in dropbox.
    – Iain
    4 hours ago














5












5








5


1





Where do you store the KeePass-DB?



Where would you recommend me to store a Keepass-file? Usually I have my personal documents in my cloud account - but i am not sure if this is safe.
Would it be safe to use the cloud for this file? Can i secure it even further, by adding another (extra) layer of security by encrypting the file.
General question; How safe is this? What risks do I need to know about?



What can I do with the KeePass password file, there are several arguments to decide where to store it.
In my humble opinion, if the passwords are really, really important to someone, one should make the decision based on:




  • the risk of the file being hacked - what can we do if we consider to get hacked

  • the risk of losing the file because of having a bad hdd - what do you do if you face disk errors. And sure thing -. there are more things to think

  • what if someone may compromise the file

  • is it preferable that the DB file not get in the wild,

  • there may be more and other risks - which one do you take into consideration"?

  • what if my cloud storage account is getting compromised then having the credentials recovered by either brute force or some other attack vector.


What if someone may compromise the file?





  • Options; can I secure it even further, by adding another layer of security by encrypting the file i am going to store in cloud storage
    online.

  • regarding the master password: master password provides pretty good security as long as i choose a difficult to brute force password (long
    and truly random),

  • on the other handside - a masterpassword still can't compete with an actual long encryption key.

  • we can increase the resiliency of the KeePass database to brute force by increasing the number of PBKDF2 iterations

  • we can do this in KeePass under File > Database settings > Security: Personally, I use around 10,000,000 rounds (2 s delay).




well -- as mentioned above; I use the KeePass-cloud combination. The password database is encrypted using a key derived from a strong master password.
Even if somebody acquires the encrypted password database through the cloud account, a strong enough master password renders brute-force attacks infeasible.



What can I do with the KeePass password file? Which of the arguments do you take into consideration, to decide where to store it?










share|improve this question













Where do you store the KeePass-DB?



Where would you recommend me to store a Keepass-file? Usually I have my personal documents in my cloud account - but i am not sure if this is safe.
Would it be safe to use the cloud for this file? Can i secure it even further, by adding another (extra) layer of security by encrypting the file.
General question; How safe is this? What risks do I need to know about?



What can I do with the KeePass password file, there are several arguments to decide where to store it.
In my humble opinion, if the passwords are really, really important to someone, one should make the decision based on:




  • the risk of the file being hacked - what can we do if we consider to get hacked

  • the risk of losing the file because of having a bad hdd - what do you do if you face disk errors. And sure thing -. there are more things to think

  • what if someone may compromise the file

  • is it preferable that the DB file not get in the wild,

  • there may be more and other risks - which one do you take into consideration"?

  • what if my cloud storage account is getting compromised then having the credentials recovered by either brute force or some other attack vector.


What if someone may compromise the file?





  • Options; can I secure it even further, by adding another layer of security by encrypting the file i am going to store in cloud storage
    online.

  • regarding the master password: master password provides pretty good security as long as i choose a difficult to brute force password (long
    and truly random),

  • on the other handside - a masterpassword still can't compete with an actual long encryption key.

  • we can increase the resiliency of the KeePass database to brute force by increasing the number of PBKDF2 iterations

  • we can do this in KeePass under File > Database settings > Security: Personally, I use around 10,000,000 rounds (2 s delay).




well -- as mentioned above; I use the KeePass-cloud combination. The password database is encrypted using a key derived from a strong master password.
Even if somebody acquires the encrypted password database through the cloud account, a strong enough master password renders brute-force attacks infeasible.



What can I do with the KeePass password file? Which of the arguments do you take into consideration, to decide where to store it?







encryption






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 8 hours ago







butch











migrated from superuser.com 4 hours ago


This question came from our site for computer enthusiasts and power users.






migrated from superuser.com 4 hours ago


This question came from our site for computer enthusiasts and power users.










  • 1




    I think "a long and truly random masterpassword" actually is "an actual long encryption key", just usually in ASCII
    – Xen2050
    6 hours ago










  • From one not of this community, I totally read this as a "keep-ass" file.
    – jvriesem
    5 hours ago










  • Are you asking about storage of the KeePass database file, a key file used to decrypt one of those database files, or both?
    – Michael
    4 hours ago










  • I have a keepass database stored in dropbox that I use to sync between systems. Each system has a local keepass database file and triggers to sync changes to/from the central file in dropbox.
    – Iain
    4 hours ago














  • 1




    I think "a long and truly random masterpassword" actually is "an actual long encryption key", just usually in ASCII
    – Xen2050
    6 hours ago










  • From one not of this community, I totally read this as a "keep-ass" file.
    – jvriesem
    5 hours ago










  • Are you asking about storage of the KeePass database file, a key file used to decrypt one of those database files, or both?
    – Michael
    4 hours ago










  • I have a keepass database stored in dropbox that I use to sync between systems. Each system has a local keepass database file and triggers to sync changes to/from the central file in dropbox.
    – Iain
    4 hours ago








1




1




I think "a long and truly random masterpassword" actually is "an actual long encryption key", just usually in ASCII
– Xen2050
6 hours ago




I think "a long and truly random masterpassword" actually is "an actual long encryption key", just usually in ASCII
– Xen2050
6 hours ago












From one not of this community, I totally read this as a "keep-ass" file.
– jvriesem
5 hours ago




From one not of this community, I totally read this as a "keep-ass" file.
– jvriesem
5 hours ago












Are you asking about storage of the KeePass database file, a key file used to decrypt one of those database files, or both?
– Michael
4 hours ago




Are you asking about storage of the KeePass database file, a key file used to decrypt one of those database files, or both?
– Michael
4 hours ago












I have a keepass database stored in dropbox that I use to sync between systems. Each system has a local keepass database file and triggers to sync changes to/from the central file in dropbox.
– Iain
4 hours ago




I have a keepass database stored in dropbox that I use to sync between systems. Each system has a local keepass database file and triggers to sync changes to/from the central file in dropbox.
– Iain
4 hours ago










2 Answers
2






active

oldest

votes


















3














In theory, you can store the database file anywhere, it's encrypted with it's own passphrase (or keyfile).



If you're worried about someone trying to guess your passphrase or otherwise break into it, you're free to encrypt it a second time with any other reputable encryption method. GPG/PGP is good, or a TrueCrypt successor, or a dm-crypt/LUKS container (though LUKS are generally >2MB, a KeePass database could be under 100k), there's a lot to choose from.



Encrypting the file a further 3rd, 4th... nth time should multiply your protection (provided the encryption itself isn't broken), but it also multiplies the number of passphrases/keyfiles you have to remember, and the time to decrypt them all.





In case someone modifies a KeePass database file, even one byte difference, KeePass should notice and warn you. I tried modifying a single byte in the middle and it complained:




The following error occured while opening the database:

Hash test failed.

The key is wrong or the file is damaged.




Modifying the very first byte complained:




The following error occured while opening the database:

Wrong Signature




Modifying a byte in a gpg file gives a similar complaint (but still decrypts the file, with about 8 bits changed - KeePass would then complain again refusing to open it):




gpg: WARNING: encrypted message has been manipulated!




You can always keep your own checksum/hash of the file too (sha sums are popular, md5sum still, even a CRC32 should detect corruption), just to verify that it hasn't changed.






share|improve this answer

















  • 1




    Encrypting the file multiple times with separate passwords doesn't give much extra security if each of the passwords can be brute-forced separately. For example, encrypting the file four times with 8 character passwords each time is much less secure than encrypting it once with a 32 character password. (log2(26^8*4) = 40 bits of entropy vs log2(26^32) = 152 bits for simple alphabetic passwords.)
    – Jacob Bundgaard
    4 hours ago










  • @JacobBundgaard Everything can be brute-forced, but I'm assuming one would use sufficiently long passwords so that guessing the password wouldn't be much faster than brute forcing the encryption directly. Then each time it's encrypted should add some significant guessing time
    – Xen2050
    9 mins ago



















1














Few things:



1) Keep the master passPHRASE not passWORD on soemwhere NOT in the cloud.



2) Consider using some form of pki if you plan to have copies in the cloud of some other format/location ( like a safety deposit box ) so that compromise is easier to spot as well. If someone were to play funny with it the key (PGP/PKCS or similiar) would be all sorts of screwed up playing the needed aspect of canary.



3) look into rate-limiting inside and outside of KeePass application



4) if possible for networked devices, or separate hard drives set locks on users and credentials that would be allowed to access this.



5) The RINGER: in the event of a compromise of YOU, illness,captive or whatever, does a trusted party have a way to access without giving them your personal key(s) or full access unless neeeded (a lawyer,doctor for example)






share|improve this answer

















  • 1




    By pki do you mean public key infrastructure? How would it assist with keeping copies online? Or be useful, since you're the only one who's encrypting and decrypting the file?
    – Xen2050
    6 hours ago










  • Even if you are the only one, you must assume you will be accessing or have a need to from multiple machines/terminals or the cloud allows for access from virtually any network connected device with access to said cloud provider. This is where using PKI ( yes Public Key Infra) would help making sure it is ACTUALLY you (assuming you have not allowed the credentials to be also compromised)
    – linuxdev2013
    16 mins ago










  • If you're planning on accessing your KeePass database from multiple (any?) machines or the cloud, how would you have your secret key to decrypt your file? And if you had your secret key, why not just keep your KeePass database too?
    – Xen2050
    4 mins ago











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f200401%2fwhere-would-you-recommend-me-to-store-a-keepass-file%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown
























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes









3














In theory, you can store the database file anywhere, it's encrypted with it's own passphrase (or keyfile).



If you're worried about someone trying to guess your passphrase or otherwise break into it, you're free to encrypt it a second time with any other reputable encryption method. GPG/PGP is good, or a TrueCrypt successor, or a dm-crypt/LUKS container (though LUKS are generally >2MB, a KeePass database could be under 100k), there's a lot to choose from.



Encrypting the file a further 3rd, 4th... nth time should multiply your protection (provided the encryption itself isn't broken), but it also multiplies the number of passphrases/keyfiles you have to remember, and the time to decrypt them all.





In case someone modifies a KeePass database file, even one byte difference, KeePass should notice and warn you. I tried modifying a single byte in the middle and it complained:




The following error occured while opening the database:

Hash test failed.

The key is wrong or the file is damaged.




Modifying the very first byte complained:




The following error occured while opening the database:

Wrong Signature




Modifying a byte in a gpg file gives a similar complaint (but still decrypts the file, with about 8 bits changed - KeePass would then complain again refusing to open it):




gpg: WARNING: encrypted message has been manipulated!




You can always keep your own checksum/hash of the file too (sha sums are popular, md5sum still, even a CRC32 should detect corruption), just to verify that it hasn't changed.






share|improve this answer

















  • 1




    Encrypting the file multiple times with separate passwords doesn't give much extra security if each of the passwords can be brute-forced separately. For example, encrypting the file four times with 8 character passwords each time is much less secure than encrypting it once with a 32 character password. (log2(26^8*4) = 40 bits of entropy vs log2(26^32) = 152 bits for simple alphabetic passwords.)
    – Jacob Bundgaard
    4 hours ago










  • @JacobBundgaard Everything can be brute-forced, but I'm assuming one would use sufficiently long passwords so that guessing the password wouldn't be much faster than brute forcing the encryption directly. Then each time it's encrypted should add some significant guessing time
    – Xen2050
    9 mins ago
















3














In theory, you can store the database file anywhere, it's encrypted with it's own passphrase (or keyfile).



If you're worried about someone trying to guess your passphrase or otherwise break into it, you're free to encrypt it a second time with any other reputable encryption method. GPG/PGP is good, or a TrueCrypt successor, or a dm-crypt/LUKS container (though LUKS are generally >2MB, a KeePass database could be under 100k), there's a lot to choose from.



Encrypting the file a further 3rd, 4th... nth time should multiply your protection (provided the encryption itself isn't broken), but it also multiplies the number of passphrases/keyfiles you have to remember, and the time to decrypt them all.





In case someone modifies a KeePass database file, even one byte difference, KeePass should notice and warn you. I tried modifying a single byte in the middle and it complained:




The following error occured while opening the database:

Hash test failed.

The key is wrong or the file is damaged.




Modifying the very first byte complained:




The following error occured while opening the database:

Wrong Signature




Modifying a byte in a gpg file gives a similar complaint (but still decrypts the file, with about 8 bits changed - KeePass would then complain again refusing to open it):




gpg: WARNING: encrypted message has been manipulated!




You can always keep your own checksum/hash of the file too (sha sums are popular, md5sum still, even a CRC32 should detect corruption), just to verify that it hasn't changed.






share|improve this answer

















  • 1




    Encrypting the file multiple times with separate passwords doesn't give much extra security if each of the passwords can be brute-forced separately. For example, encrypting the file four times with 8 character passwords each time is much less secure than encrypting it once with a 32 character password. (log2(26^8*4) = 40 bits of entropy vs log2(26^32) = 152 bits for simple alphabetic passwords.)
    – Jacob Bundgaard
    4 hours ago










  • @JacobBundgaard Everything can be brute-forced, but I'm assuming one would use sufficiently long passwords so that guessing the password wouldn't be much faster than brute forcing the encryption directly. Then each time it's encrypted should add some significant guessing time
    – Xen2050
    9 mins ago














3












3








3






In theory, you can store the database file anywhere, it's encrypted with it's own passphrase (or keyfile).



If you're worried about someone trying to guess your passphrase or otherwise break into it, you're free to encrypt it a second time with any other reputable encryption method. GPG/PGP is good, or a TrueCrypt successor, or a dm-crypt/LUKS container (though LUKS are generally >2MB, a KeePass database could be under 100k), there's a lot to choose from.



Encrypting the file a further 3rd, 4th... nth time should multiply your protection (provided the encryption itself isn't broken), but it also multiplies the number of passphrases/keyfiles you have to remember, and the time to decrypt them all.





In case someone modifies a KeePass database file, even one byte difference, KeePass should notice and warn you. I tried modifying a single byte in the middle and it complained:




The following error occured while opening the database:

Hash test failed.

The key is wrong or the file is damaged.




Modifying the very first byte complained:




The following error occured while opening the database:

Wrong Signature




Modifying a byte in a gpg file gives a similar complaint (but still decrypts the file, with about 8 bits changed - KeePass would then complain again refusing to open it):




gpg: WARNING: encrypted message has been manipulated!




You can always keep your own checksum/hash of the file too (sha sums are popular, md5sum still, even a CRC32 should detect corruption), just to verify that it hasn't changed.






share|improve this answer












In theory, you can store the database file anywhere, it's encrypted with it's own passphrase (or keyfile).



If you're worried about someone trying to guess your passphrase or otherwise break into it, you're free to encrypt it a second time with any other reputable encryption method. GPG/PGP is good, or a TrueCrypt successor, or a dm-crypt/LUKS container (though LUKS are generally >2MB, a KeePass database could be under 100k), there's a lot to choose from.



Encrypting the file a further 3rd, 4th... nth time should multiply your protection (provided the encryption itself isn't broken), but it also multiplies the number of passphrases/keyfiles you have to remember, and the time to decrypt them all.





In case someone modifies a KeePass database file, even one byte difference, KeePass should notice and warn you. I tried modifying a single byte in the middle and it complained:




The following error occured while opening the database:

Hash test failed.

The key is wrong or the file is damaged.




Modifying the very first byte complained:




The following error occured while opening the database:

Wrong Signature




Modifying a byte in a gpg file gives a similar complaint (but still decrypts the file, with about 8 bits changed - KeePass would then complain again refusing to open it):




gpg: WARNING: encrypted message has been manipulated!




You can always keep your own checksum/hash of the file too (sha sums are popular, md5sum still, even a CRC32 should detect corruption), just to verify that it hasn't changed.







share|improve this answer












share|improve this answer



share|improve this answer










answered 6 hours ago









Xen2050

1997




1997








  • 1




    Encrypting the file multiple times with separate passwords doesn't give much extra security if each of the passwords can be brute-forced separately. For example, encrypting the file four times with 8 character passwords each time is much less secure than encrypting it once with a 32 character password. (log2(26^8*4) = 40 bits of entropy vs log2(26^32) = 152 bits for simple alphabetic passwords.)
    – Jacob Bundgaard
    4 hours ago










  • @JacobBundgaard Everything can be brute-forced, but I'm assuming one would use sufficiently long passwords so that guessing the password wouldn't be much faster than brute forcing the encryption directly. Then each time it's encrypted should add some significant guessing time
    – Xen2050
    9 mins ago














  • 1




    Encrypting the file multiple times with separate passwords doesn't give much extra security if each of the passwords can be brute-forced separately. For example, encrypting the file four times with 8 character passwords each time is much less secure than encrypting it once with a 32 character password. (log2(26^8*4) = 40 bits of entropy vs log2(26^32) = 152 bits for simple alphabetic passwords.)
    – Jacob Bundgaard
    4 hours ago










  • @JacobBundgaard Everything can be brute-forced, but I'm assuming one would use sufficiently long passwords so that guessing the password wouldn't be much faster than brute forcing the encryption directly. Then each time it's encrypted should add some significant guessing time
    – Xen2050
    9 mins ago








1




1




Encrypting the file multiple times with separate passwords doesn't give much extra security if each of the passwords can be brute-forced separately. For example, encrypting the file four times with 8 character passwords each time is much less secure than encrypting it once with a 32 character password. (log2(26^8*4) = 40 bits of entropy vs log2(26^32) = 152 bits for simple alphabetic passwords.)
– Jacob Bundgaard
4 hours ago




Encrypting the file multiple times with separate passwords doesn't give much extra security if each of the passwords can be brute-forced separately. For example, encrypting the file four times with 8 character passwords each time is much less secure than encrypting it once with a 32 character password. (log2(26^8*4) = 40 bits of entropy vs log2(26^32) = 152 bits for simple alphabetic passwords.)
– Jacob Bundgaard
4 hours ago












@JacobBundgaard Everything can be brute-forced, but I'm assuming one would use sufficiently long passwords so that guessing the password wouldn't be much faster than brute forcing the encryption directly. Then each time it's encrypted should add some significant guessing time
– Xen2050
9 mins ago




@JacobBundgaard Everything can be brute-forced, but I'm assuming one would use sufficiently long passwords so that guessing the password wouldn't be much faster than brute forcing the encryption directly. Then each time it's encrypted should add some significant guessing time
– Xen2050
9 mins ago













1














Few things:



1) Keep the master passPHRASE not passWORD on soemwhere NOT in the cloud.



2) Consider using some form of pki if you plan to have copies in the cloud of some other format/location ( like a safety deposit box ) so that compromise is easier to spot as well. If someone were to play funny with it the key (PGP/PKCS or similiar) would be all sorts of screwed up playing the needed aspect of canary.



3) look into rate-limiting inside and outside of KeePass application



4) if possible for networked devices, or separate hard drives set locks on users and credentials that would be allowed to access this.



5) The RINGER: in the event of a compromise of YOU, illness,captive or whatever, does a trusted party have a way to access without giving them your personal key(s) or full access unless neeeded (a lawyer,doctor for example)






share|improve this answer

















  • 1




    By pki do you mean public key infrastructure? How would it assist with keeping copies online? Or be useful, since you're the only one who's encrypting and decrypting the file?
    – Xen2050
    6 hours ago










  • Even if you are the only one, you must assume you will be accessing or have a need to from multiple machines/terminals or the cloud allows for access from virtually any network connected device with access to said cloud provider. This is where using PKI ( yes Public Key Infra) would help making sure it is ACTUALLY you (assuming you have not allowed the credentials to be also compromised)
    – linuxdev2013
    16 mins ago










  • If you're planning on accessing your KeePass database from multiple (any?) machines or the cloud, how would you have your secret key to decrypt your file? And if you had your secret key, why not just keep your KeePass database too?
    – Xen2050
    4 mins ago
















1














Few things:



1) Keep the master passPHRASE not passWORD on soemwhere NOT in the cloud.



2) Consider using some form of pki if you plan to have copies in the cloud of some other format/location ( like a safety deposit box ) so that compromise is easier to spot as well. If someone were to play funny with it the key (PGP/PKCS or similiar) would be all sorts of screwed up playing the needed aspect of canary.



3) look into rate-limiting inside and outside of KeePass application



4) if possible for networked devices, or separate hard drives set locks on users and credentials that would be allowed to access this.



5) The RINGER: in the event of a compromise of YOU, illness,captive or whatever, does a trusted party have a way to access without giving them your personal key(s) or full access unless neeeded (a lawyer,doctor for example)






share|improve this answer

















  • 1




    By pki do you mean public key infrastructure? How would it assist with keeping copies online? Or be useful, since you're the only one who's encrypting and decrypting the file?
    – Xen2050
    6 hours ago










  • Even if you are the only one, you must assume you will be accessing or have a need to from multiple machines/terminals or the cloud allows for access from virtually any network connected device with access to said cloud provider. This is where using PKI ( yes Public Key Infra) would help making sure it is ACTUALLY you (assuming you have not allowed the credentials to be also compromised)
    – linuxdev2013
    16 mins ago










  • If you're planning on accessing your KeePass database from multiple (any?) machines or the cloud, how would you have your secret key to decrypt your file? And if you had your secret key, why not just keep your KeePass database too?
    – Xen2050
    4 mins ago














1












1








1






Few things:



1) Keep the master passPHRASE not passWORD on soemwhere NOT in the cloud.



2) Consider using some form of pki if you plan to have copies in the cloud of some other format/location ( like a safety deposit box ) so that compromise is easier to spot as well. If someone were to play funny with it the key (PGP/PKCS or similiar) would be all sorts of screwed up playing the needed aspect of canary.



3) look into rate-limiting inside and outside of KeePass application



4) if possible for networked devices, or separate hard drives set locks on users and credentials that would be allowed to access this.



5) The RINGER: in the event of a compromise of YOU, illness,captive or whatever, does a trusted party have a way to access without giving them your personal key(s) or full access unless neeeded (a lawyer,doctor for example)






share|improve this answer












Few things:



1) Keep the master passPHRASE not passWORD on soemwhere NOT in the cloud.



2) Consider using some form of pki if you plan to have copies in the cloud of some other format/location ( like a safety deposit box ) so that compromise is easier to spot as well. If someone were to play funny with it the key (PGP/PKCS or similiar) would be all sorts of screwed up playing the needed aspect of canary.



3) look into rate-limiting inside and outside of KeePass application



4) if possible for networked devices, or separate hard drives set locks on users and credentials that would be allowed to access this.



5) The RINGER: in the event of a compromise of YOU, illness,captive or whatever, does a trusted party have a way to access without giving them your personal key(s) or full access unless neeeded (a lawyer,doctor for example)







share|improve this answer












share|improve this answer



share|improve this answer










answered 8 hours ago









linuxdev2013

1113




1113








  • 1




    By pki do you mean public key infrastructure? How would it assist with keeping copies online? Or be useful, since you're the only one who's encrypting and decrypting the file?
    – Xen2050
    6 hours ago










  • Even if you are the only one, you must assume you will be accessing or have a need to from multiple machines/terminals or the cloud allows for access from virtually any network connected device with access to said cloud provider. This is where using PKI ( yes Public Key Infra) would help making sure it is ACTUALLY you (assuming you have not allowed the credentials to be also compromised)
    – linuxdev2013
    16 mins ago










  • If you're planning on accessing your KeePass database from multiple (any?) machines or the cloud, how would you have your secret key to decrypt your file? And if you had your secret key, why not just keep your KeePass database too?
    – Xen2050
    4 mins ago














  • 1




    By pki do you mean public key infrastructure? How would it assist with keeping copies online? Or be useful, since you're the only one who's encrypting and decrypting the file?
    – Xen2050
    6 hours ago










  • Even if you are the only one, you must assume you will be accessing or have a need to from multiple machines/terminals or the cloud allows for access from virtually any network connected device with access to said cloud provider. This is where using PKI ( yes Public Key Infra) would help making sure it is ACTUALLY you (assuming you have not allowed the credentials to be also compromised)
    – linuxdev2013
    16 mins ago










  • If you're planning on accessing your KeePass database from multiple (any?) machines or the cloud, how would you have your secret key to decrypt your file? And if you had your secret key, why not just keep your KeePass database too?
    – Xen2050
    4 mins ago








1




1




By pki do you mean public key infrastructure? How would it assist with keeping copies online? Or be useful, since you're the only one who's encrypting and decrypting the file?
– Xen2050
6 hours ago




By pki do you mean public key infrastructure? How would it assist with keeping copies online? Or be useful, since you're the only one who's encrypting and decrypting the file?
– Xen2050
6 hours ago












Even if you are the only one, you must assume you will be accessing or have a need to from multiple machines/terminals or the cloud allows for access from virtually any network connected device with access to said cloud provider. This is where using PKI ( yes Public Key Infra) would help making sure it is ACTUALLY you (assuming you have not allowed the credentials to be also compromised)
– linuxdev2013
16 mins ago




Even if you are the only one, you must assume you will be accessing or have a need to from multiple machines/terminals or the cloud allows for access from virtually any network connected device with access to said cloud provider. This is where using PKI ( yes Public Key Infra) would help making sure it is ACTUALLY you (assuming you have not allowed the credentials to be also compromised)
– linuxdev2013
16 mins ago












If you're planning on accessing your KeePass database from multiple (any?) machines or the cloud, how would you have your secret key to decrypt your file? And if you had your secret key, why not just keep your KeePass database too?
– Xen2050
4 mins ago




If you're planning on accessing your KeePass database from multiple (any?) machines or the cloud, how would you have your secret key to decrypt your file? And if you had your secret key, why not just keep your KeePass database too?
– Xen2050
4 mins ago


















draft saved

draft discarded




















































Thanks for contributing an answer to Information Security Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f200401%2fwhere-would-you-recommend-me-to-store-a-keepass-file%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

What visual should I use to simply compare current year value vs last year in Power BI desktop

How to ignore python UserWarning in pytest?

Alexandru Averescu