Keepass Database in Cloud/Network

2013-09-24
2013-10-17
  • Is it safe to have the Keepass Database on a cloud or network server while the keyfile is kept locally on e.g. a USB stick? My concern is that the access data (user, password) is sent decrypted from the cloud to the local device, or that it could be copied during the time it is visible locally.
    I would like to access my keepass data from anywhere and only carry the keyfile with me.
    Gerrit

     
  • steelej
    2013-09-24

    The KeePass database is encrypted when stored anywhere and the encrypted database file must be transferred from the cloud to your local computer before it can be decrypted. Your passwords are never transferred in plaintext over the internet. Your database is never stored in plaintext on the cloud.

    For the more paranoid (like me) who do not have confidence in DropBox there are cloud storage services such as TeamDrive which encrypt the datafile again.

    I use the synchronisation feature to replicate a copy via the cloud to each of my computers and Android phone, and for the computers I use triggers to synchronise a purely local copy with the replicated cloud copy.

    I don't use a keyfile but that is a personal choice - it is a good solution if you are the only user of the database.

     
    • liam
      2013-10-03

      Well, a keyfile can be used just as long as you do not own an iPhone or iPad or Windows Phone (not sure if Windows Phone supports keyfiles).

      Android is fine as you can manually copy the keyfile to the phone and have a screen lock on the phone, so if it's lost your keyfile is not compromised (some phones have encryption as well).

       
    • gmnenad
      2013-10-17

      Is this "database file must be transferred from the cloud to your local computer" really true?
      I use Keepass with the database on a networked share, and I never manually "transfer" the database - Keepass just opens it on the networked share. So, two questions remain:
      1) does Keepass internally copy the whole file into device memory, and then use my password/work with it in-memory only?
      2) or does Keepass work with the file remotely, and if that is the case, is my password ever used over the network?

      The bottom-line question that I have (and I bet the original poster had) is:

      Is Keepass secure to be used with the database on a remote network share? Is someone who can monitor network traffic able to get any more info, compared to someone who just gets the database file?

       
      • Paul
        2013-10-17

        1) does Keepass internally copy the whole file into device memory, and then use my password/work with it in-memory only?
        2) or does Keepass work with the file remotely, and if that is the case, is my password ever used over the network?

        1 is correct. Your password is never transferred over anything.

        Is Keepass secure to be used with the database on a remote network share? Is someone who can monitor network traffic able to get any more info, compared to someone who just gets the database file?

        Yes, KeePass is safe, no unencrypted data is ever transferred anywhere.

        cheers, Paul

         
  • Paul
    2013-09-25

    Using a key file across multiple platforms is difficult - you can't plug a key into your phone / pad.

    cheers, Paul

     
  • wellread1
    2013-09-25

    If you keep a key file on each end node outside of the cloud folder, the key file provides additional protection in the event the cloud storage account is compromised externally. If the key file is kept in the user's possession and is not available to the end nodes except on demand, then it provides protection everywhere. If it is kept on the end nodes, it provides NO protection at the end node, but still provides protection at the cloud account level. There is additional management overhead incurred by using a key file (the risk of key file loss must be managed), so you must make a risk/benefit analysis to determine whether it is a good choice in your situation.

     
    Last edit: wellread1 2013-09-25
    • The issue of key file loss can be addressed by choosing a key file that can be reconstructed from memory if necessary (e.g. a moderately long text, a specifically described image). Note that the reconstruction must be bit-perfect (e.g. texts must have precisely the same punctuation, capitalization, and linefeed characters; images must be pixel-perfect and color-exact). Also, there isn't much point to having a key file if it isn't contributing significantly more entropy than the password (128 bits requires at least 128 characters, probably more, of natural-language text, for example). And, of course, it shouldn't be something that somebody else could discover (e.g. a text or image taken from some generally available source).

       
      Last edit: Stephen Brinich 2013-10-02
  • Charles Bueche
    2013-10-01

    The paranoid would think another way:
    - AES is approved by the NSA
    - Dropbox is a US company
    So the paranoid would better use some personal cloud (eg WebDAV over SSL, with self-signed cert) and a set of algorithms designed elsewhere.

    off-topic : I'm still using the famous IDEA crypto for GnuPG. F..c NSA.

     
    • mxx
      2013-10-07

      Dropbox doesn't need to be a US company to have a horrible security track record. :)
      They had more holes in their security than my tennis racket.

      Having said that, since KeePass's database file is encrypted locally, and if your encryption is protected with a good password and many transformation rounds (let's say 50 million), having your db file publicly accessible is not that big of a deal.

      I'd worry more about Dropbox's security problems where somebody can outright delete your file and you have no backups, rather than somebody getting inside your file.
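The key-file discussion in this thread (wellread1 and Stephen Brinich on the key file as a second factor that has to be reconstructed bit-perfectly, mxx on transformation rounds) in working code, as an added example that is not part of the thread or of KeePass itself. It assumes the KeePass 2.x composite-key scheme as I understand it: SHA-256 over the concatenation of SHA-256(password) and the key-file key, where a 32-byte file or a file of 64 hex characters is used as the key directly and any other file is hashed with SHA-256. KeePass's real AES-KDF round function is replaced here by a SHA-256 loop that is only a stand-in to show how the round count scales an attacker's cost; `stretch`, `brute_force_seconds` and their parameters are my own names, not KeePass APIs.

```python
"""Added example (not KeePass project code): how a master password and a key
file combine into one composite key, why the key file never crosses the
network (only its local contribution is hashed in), why a reconstructed key
file must match byte for byte, and how transformation rounds multiply the
work of an offline guessing attack against a stolen database file.
"""
import hashlib
import re
from typing import Optional

# 64 hex characters, optionally surrounded by whitespace
HEX64 = re.compile(rb"^\s*[0-9A-Fa-f]{64}\s*$")


def key_file_key(data: bytes) -> bytes:
    """Derive the 32-byte key-file contribution from the file's raw bytes
    (assumed KeePass 2.x rule). A 32-byte file is the key itself; 64 hex
    characters decode to the key; anything else is hashed. Any change to the
    bytes (an extra linefeed, a recompressed image) gives an unrelated key."""
    if len(data) == 32:
        return data
    if HEX64.match(data):
        return bytes.fromhex(data.strip().decode("ascii"))
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """Combine the available factors into one 256-bit composite key.
    Everything here happens on the local machine; the encrypted database is
    the only thing that ever travels to or from the cloud."""
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        parts += key_file_key(key_file)
    if not parts:
        raise ValueError("need a password, a key file, or both")
    return hashlib.sha256(parts).digest()


def stretch(composite: bytes, seed: bytes, rounds: int) -> bytes:
    """Stand-in for KeePass's AES-KDF (hypothetical: a hash loop, not AES).
    The point is that each candidate password costs the attacker `rounds`
    operations, so the round count is a direct multiplier on their work."""
    k = composite
    for _ in range(rounds):
        k = hashlib.sha256(seed + k).digest()
    return k


def brute_force_seconds(candidates: float, rounds: int, rounds_per_second: float) -> float:
    """Time for an attacker holding the database file to test `candidates`
    passwords when each costs `rounds` KDF rounds at `rounds_per_second`."""
    return candidates * rounds / rounds_per_second


if __name__ == "__main__":
    # constructed sample inputs
    text_key_file = b"The quick brown fox jumps over the lazy dog.\n"
    raw_key_file = bytes(range(32))
    print("password only :", composite_key("correct horse", None).hex())
    print("password+file :", composite_key("correct horse", text_key_file).hex())
    print("one LF changed:", key_file_key(text_key_file + b"\n").hex())
    print("raw == hex    :", key_file_key(raw_key_file) == key_file_key(raw_key_file.hex().encode()))
    print("1e6 guesses, 50M rounds, 1e9 rounds/s:",
          brute_force_seconds(1e6, 50_000_000, 1e9), "seconds")
```

Run it as a script to see the composite key change completely when a key file is added, and again when a single linefeed is appended to that key file (Stephen Brinich's bit-perfect point). The cost function makes mxx's "50 million rounds" concrete: the same password list takes 50 million times longer to exhaust than with a single round, whatever hardware the attacker has.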