attachment security with gpg keys

userxyz
2014-05-03
2014-05-05
  • userxyz
    2014-05-03

    I make use of the attachment feature of KeePass to store my gpg private keys used with PuTTY for ssh connections, instead of having these private keys stored directly on the hard disk itself or on a USB device. I also have a program that allows me to quickly make and remove a virtual drive in RAM. When I need access to one of the private keys in order to authenticate an ssh connection, I now open the KeePass entry, save the attachment to the virtual drive, i.e., RAM only, and make reference to it in the PuTTY command line procedure, and when PuTTY's procedure prompts me to enter the password, I can use KeePass Auto-Type. As a matter of fact, when I first created the ssh key in PuTTY, I used this same type of process with KeePass, which allowed me to create a very long passphrase without having to type it on my keyboard and without having to save it to the hard disk, because I put it in RAM from the start and saved it to an attachment from there.

    It seems to me that this manner of key creation and saving, using KeePass as I explained, and of using it afterwards, is more secure than what is usually described, from what I have seen, but I also wanted to throw it out here to see whether I might have overlooked something or perhaps otherwise took steps that were redundant, etc.

  • Paul
    2014-05-04

    Your method is valid, but KeePass could do it better.

    KeePass has secure attachment handling: KeePass now extracts the attachment to a (EFS-encrypted) temporary file and opens it using the default application associated with this file; afterwards the user can choose between importing/discarding changes and KeePass deletes the temporary file securely.

    A feature request to allow SSH keys / any attachment to be handled in this manner would make their use much easier and you could use place holders on the command line.

    cheers, Paul

  • David Lechner
    2014-05-04

    I have added a feature to my KeeAgent plugin recently along these lines.

    For now, KeeAgent is ssh only, but I have been contemplating adding support for gpg keys (although I think @userxyz may have said 'gpg private keys' but really meant to say 'ssh private keys').

    In the latest beta version (v0.5.0) I have added an option to automatically save the encrypted ssh keys to disk (and automatically delete them too), and I have added placeholders so that you can reference the file that was automatically saved with PuTTY or ssh or whatever program needs it. More info here. I don't see a problem with saving the encrypted key to disk since, thanks to KeePass, you can have a super strong key.

    I will have to look into what Paul said about secure attachment handling and perhaps integrate this into the plugin as well.

    If anyone has any further suggestions for improving/extending KeeAgent, you can open a new issue here.

  • userxyz
    2014-05-05

    David,

    "..I think @userxyz may have said 'gpg private keys' but really meant to say 'ssh private keys')"

    Yes, you are right, my bad! Thanks for clarification.

    "...I will have to look into what Paul said about secure attachment handling and perhaps integrate this into the plugin as well."

    Yes, I would like to hear from Paul, too. I was already aware of KeePass's ability to extract with a MIME-based app and secure deletion. That is a great feature, I agree. Even so, as it has to write the file to disk, while my method does not do so but puts it in RAM only, I can't really agree that "KeePass could do it better." The PuTTY program Pageant, for instance, also keeps the keys in memory only, if I am not mistaken. I think both ways are probably pretty much equal, if anything. What I especially liked about the procedure I mentioned was how, using the combination of KeePass and the RAM drive, I was able to create the ssh keys and store them as an attachment, using a large passphrase, without ever having to use the keyboard or write anything to disk even temporarily. In a public environment, this would be perfect because your entry could not be keylogged or recovered unless there was some serious technology at work against it.
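The two handling patterns the thread compares, Paul's extract-to-temp-file-then-securely-delete flow and userxyz's RAM-only variant, as an added Python example that is not code from this thread, from KeePass or from KeeAgent. It assumes a POSIX host where /dev/shm is a RAM-backed tmpfs, falls back to the on-disk temp directory otherwise, and reports which one it used; the key bytes are constructed sample data.

```python
import os
import secrets
import tempfile
from contextlib import contextmanager

# Assumption: on Linux /dev/shm is a RAM-backed tmpfs (the thread's "virtual drive in RAM").
RAM_DIRS = ("/dev/shm",)

def pick_key_dir():
    """Prefer a RAM-backed directory; fall back to the on-disk temp dir. Returns (dir, ram_backed)."""
    for d in RAM_DIRS:
        if os.path.isdir(d) and os.access(d, os.W_OK):
            return d, True
    return tempfile.gettempdir(), False

def shred_and_unlink(path):
    """Best-effort secure delete: overwrite with random bytes, fsync, unlink.
    Caveat: journaling, copy-on-write and SSD wear-levelling can keep the old blocks,
    which is the reason to prefer the RAM-backed location in the first place."""
    try:
        size = os.path.getsize(path)
        with open(path, "r+b", buffering=0) as f:
            f.write(secrets.token_bytes(size))
            os.fsync(f.fileno())
    finally:
        os.unlink(path)

@contextmanager
def extracted_key(key_bytes, suffix=".ppk"):
    """Materialise an attachment as an owner-only temp file for the duration of the
    with-block, then shred it, as KeePass does for its temporary attachment file."""
    directory, ram_backed = pick_key_dir()
    fd, path = tempfile.mkstemp(prefix="keepass-", suffix=suffix, dir=directory)  # created 0600
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(key_bytes)
        yield path, ram_backed  # hand the path to PuTTY/ssh here (e.g. ssh -i path)
    finally:
        if os.path.exists(path):
            shred_and_unlink(path)

def demo(key_bytes=b"-- constructed sample key material, not a real key --"):
    """Use the key file inside the block and confirm it is gone afterwards."""
    with extracted_key(key_bytes) as (path, ram_backed):
        with open(path, "rb") as f:
            matched = f.read() == key_bytes
        mode_ok = (os.stat(path).st_mode & 0o777) == 0o600
    return matched, mode_ok, ram_backed, not os.path.exists(path)
```

The returned tuple tells you whether the file held the right bytes, was owner-only, lived in RAM, and was gone after use; on hosts without a tmpfs the third value is False and the shred step is all you get.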