recoveryrefa.blogg.se

Selfhost keepassxc

If you’re not sure what a password manager is, or why you should use one, I recommend you read two of my previous posts. What is a Password Manager? covers the “what”, and Why Should I Use a Password Manager? covers the “why”.

What is the best password manager is, of course, subjective.

  • The password manager has to be open source. Open source code means that everyone can audit the code and make sure nothing fishy is going on.
  • It has to be free as in speech (libre).
  • There are no restrictions on how the password manager can be used.
  • The password manager doesn’t have to be free as in beer (gratis). If it’s good enough, and the price is fair, I’d gladly pay for it.
  • The password manager has to work on the operating systems I use frequently: Windows, macOS, Linux, and Android.
  • It has to be possible to self-host the password manager.

Some of you may have seen the recent vulnerability report from ISE that details various memory attacks against 1Password and KeePass, among others. Although KeePassXC was not mentioned, we have thoroughly reviewed the report and address some questions it raises below.

Similar to KeePass, we protect all data “at rest” (that is, when it is saved in the password database file *.kdbx). Aside from non-sensitive header data (such as initialization information for the encryption algorithms), your entire database (usernames, passwords, notes, etc.) is encrypted using industry standard methods. However, unlike KeePass, KeePassXC is a cross-platform application written in C++ using the Qt framework. We have worked very hard to be consistent across Windows, Linux, and macOS platforms in terms of user experience and security. Each of these operating systems has different methods of handling memory that must be taken into account.

This is a very complex topic with a lot of nuance. The following is a succinct breakdown of our security across the three platforms.

Please Note: memory attacks are generally not possible unless an attacker has physical access to your machine or a malicious application is running. If your computer is compromised in this way, then there is very little a program can do to protect its data. Your best defense against this threat is to have an up-to-date virus scanner and to keep your computer physically secure. Nonetheless, here are the techniques KeePassXC uses to protect your data:

Windows Memory Protection

KeePassXC uses modern Windows memory security techniques available to all processes. None of the other password managers featured in the ISE report have implemented this security. If they had, the ISE attacks would have failed outright! We specifically disable reading the memory of KeePassXC. We also disable “core dumps”, which can expose secrets if the application crashes. (Note: it is not possible to prevent an administrator from accessing memory.) Our memory protections can be readily tested by using Process Hacker to compare KeePassXC to KeePass.

KeePassXC currently does not encrypt data in memory nor explicitly clear sensitive data from deleted data structures. This is largely a limitation of using Qt, which does not provide a manner to do this in their existing framework. KeePassXC also cannot prevent data extraction from a hibernation file, which stores your computer’s memory to disk when going to sleep.

On Linux, KeePassXC prevents the use of ptrace and generation of core dumps. This prevents anyone, except the root user, from accessing the memory of the process. Due to the significant variety in different Linux distributions, we encourage you to ensure that your kernel is compiled and run with sufficient protections for process memory. The Snap and Flatpak distributions of KeePassXC run in their own sandbox (on Ubuntu), which significantly increases their memory security. The AppImage distribution can be further secured by running it in FireJail. If you are concerned with memory attacks, we recommend using these distributions.

macOS has similar protections to Linux: disabling the use of ptrace and core dumps. macOS does have support for sandboxed applications, but KeePassXC currently does not take advantage of this. We are looking into this possibility for the future.

We are currently exploring these methods to enhance memory security:

  • Clear sensitive data structures after use.
  • Investigate Trusted Platform Module (TPM) to encrypt/decrypt sensitive memory.
  • Investigate Intel SGX (encrypted memory enclaves), only available for Windows and Linux (unofficial).

Since KeePassXC is an open source application, we encourage everyone with the appropriate knowledge to review our code. The above memory protection techniques are all applied during the initial Bootstrap process before any data is loaded into the application. You can see the code for this here: src/core/Bootstrap.







