Multiple hierarchies of security within the same database

Help
Eli
2013-03-04
2013-03-04
  • Eli
    2013-03-04

    Hi,

    Is it possible to create multiple groups in the same database (i.e., the same file) such that when the master password is entered, only some of the groups are shown (with their passwords), and to get access to a more important group a key file (or maybe an additional password) is needed in addition?

    This way I can put sensitive information in a certain group in my single database and protect it with an additional layer (key file). Other less important groups are read as usual upon opening the database (e.g., by entering your master password).

    Thanks

     
  • wellread1
    2013-03-04

    No. The master key is used to encrypt and decrypt the database as a whole.

     
  • Eli
    2013-03-04

    OK, thanks! Too bad!

     
  • Eli
    2013-03-04

    This way, the less important passwords (e.g. KeePass forum!) have the same protection as your banking password!

    I do not mind putting my database in Dropbox if I have only those "less important" passwords in my database. But if I have more important data there too, I need a key file for that portion of the database.

    Any workaround is appreciated!

    Thanks

     
    Last edit: Eli 2013-03-04
    • steelej
      2013-03-04

      I use TeamDrive rather than Dropbox. With TeamDrive the data is encrypted a second time with a different key. It works just the same way as Dropbox.

      I use triggers to synchronise the local database to the TeamDrive copy on my computers, rather than just having the TeamDrive copy, as this protects the file better against simultaneous updates from two computers.

       
      • Eli
        2013-03-04

        I would be cautious of putting important passwords on a server like Dropbox. Your database gets copied by a Dropbox employee, or by a hacker if the server is broken into (we all know what happened to LinkedIn a few months ago).

        Now, a few years from now, the KeePass software has been updated, but your old stolen file is encrypted using an old version of KeePass. So if a weakness is found in KeePass's implementation of AES-256 (or, less likely, the algorithm itself is broken or updated), you cannot do anything to protect your data.

        Encrypting twice gives a false sense of protection; adding one more letter to the first password, or better, allowing capitalization, is better protection.

         
        Last edit: Eli 2013-03-04
        • steelej
          2013-03-04

          I must disagree with you about double encryption.

          Encrypting with KeePass, using a strong key and KeePass's implementation of AES, and then encrypting the whole KeePass database file a second time with a second independent strong encryption key (which is what TeamDrive does with its implementation of AES) would, in my opinion, give greater security. TeamDrive encrypts the data on the PC before uploading to the cloud server; Dropbox does not, it only encrypts data in transit to its server.

          I believe KeePass applies a hash function to the password/key file repeatedly to derive the actual encryption key. If AES were to be attacked directly, then two separate keys (KeePass and TeamDrive) would have to be cracked. Making the KeePass key longer does not give this additional protection. If the AES algorithm is eventually broken, then increasing the key length, or having a key file, would give no additional protection.

          This is OK for PCs. It would not work where implementations of TeamDrive are not available on a target platform.

           
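The two posts above argue about what a key file and a second, independent encryption layer each buy you. The following is an added example (not code from the thread, and not KeePass's or TeamDrive's own implementation) that models the structure they describe: a composite key hashed from a password plus an optional key file, iterated key stretching, the database sealed under that key (layer 1), and the resulting file sealed again under an unrelated sync-client key (layer 2). The cipher is a toy HMAC-SHA256 counter-mode construction so the script needs only the standard library; the passwords, key-file bytes, round count and "database" contents are constructed sample values, and the key-derivation layout is a simplification, not the real KDBX format. An offline dictionary attack against a stolen layer-1 file shows why the key file matters, and `open_layers` shows that both keys are needed once a second layer is present.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed sample inputs for the demonstration (not from the thread).
PASSWORD = b"correct horse battery staple"
KEY_FILE = bytes(range(32))          # stands in for the random contents of a key file
SYNC_KEY = hashlib.sha256(b"independent key held by the sync client").digest()
DATABASE = b"banking: hunter2\nkeepass forum: not-so-secret\n"
SEED = b"\x00" * 32                   # transform seed kept in the file header (public)
ROUNDS = 5_000                        # key-stretching rounds; illustrative, not KeePass's default


def composite_key(password: bytes, key_file: Optional[bytes] = None) -> bytes:
    """Hash each key source, concatenate, hash again.

    A simplified model of a 'password and/or key file' composite key;
    the exact KDBX layout is deliberately not reproduced here.
    """
    material = hashlib.sha256(password).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()


def stretch(key: bytes, rounds: int = ROUNDS, seed: bytes = SEED) -> bytes:
    """Iterate a keyed hash so that every password guess costs `rounds` hash calls."""
    k = key
    for _ in range(rounds):
        k = hmac.new(seed, k, hashlib.sha256).digest()
    return hashlib.sha256(k).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy cipher; use AES-GCM in real code)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC; the output is nonce || ciphertext || tag."""
    nonce = os.urandom(16) if nonce is None else nonce
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; a wrong key or a tampered blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or corrupted blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_layers(password: bytes, key_file: Optional[bytes], sync_key: bytes, database: bytes):
    """Layer 1: the database under the stretched composite key (the password manager's job).
    Layer 2: that whole file again under an independent key (a client-side encrypting sync tool)."""
    inner = seal(stretch(composite_key(password, key_file)), database)
    outer = seal(sync_key, inner)
    return inner, outer


def open_layers(password: bytes, key_file: Optional[bytes], sync_key: bytes, outer: bytes) -> bytes:
    """Both keys are needed: peel layer 2 with the sync key, then layer 1 with the composite key."""
    inner = unseal(sync_key, outer)
    return unseal(stretch(composite_key(password, key_file)), inner)


def dictionary_attack(inner: bytes, candidates: Iterable[bytes],
                      key_file: Optional[bytes] = None) -> Optional[bytes]:
    """Offline guessing against a stolen layer-1 file using whatever key file the attacker holds.
    Returns the password that opens the file, or None if no candidate works."""
    for pw in candidates:
        try:
            unseal(stretch(composite_key(pw, key_file)), inner)
            return pw
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    wordlist = [b"password", b"123456", PASSWORD]
    inner_pw_only, _ = build_layers(PASSWORD, None, SYNC_KEY, DATABASE)
    inner_with_kf, outer = build_layers(PASSWORD, KEY_FILE, SYNC_KEY, DATABASE)
    print("password only, stolen file:", dictionary_attack(inner_pw_only, wordlist))
    print("key file in use, attacker lacks it:", dictionary_attack(inner_with_kf, wordlist))
    print("legitimate open through both layers:", open_layers(PASSWORD, KEY_FILE, SYNC_KEY, outer) == DATABASE)
```

The stretching rounds multiply the cost of every guess in `dictionary_attack`, which is the effect a longer password or more transform rounds has; the key file removes the file from the reach of a password wordlist altogether as long as the attacker does not also hold it; and the second layer means the stolen `outer` file is useless without the sync key even to someone who knows the master password. Which of these protections matters depends on which of the attacker's capabilities you are worried about, which is the point the two posts disagree on.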
  • wellread1
    2013-03-04

    I routinely use two password databases that I open together on my PC automatically: one for all my passwords, and another that has a few passwords for my phone, which I keep on Dropbox.

    I use KeePass 2.21 and the KeeAutoExec plugin, and have two (or three) triggers:

    Triggers

    1. Activate primary database on open.
      a. EVENT: Open database file, Equals,
      b. ACTION: Activate database (select tab), primary_database.kdbx
    2. Activate autoopen.kdbx on locking (closing)
      a. EVENT: Closing database file (after saving), Contains, autoopen.kdbx
      b. ACTION: Activate database (select tab), autoopen.kdbx

    You will also need to use a method other than the "Remember and automatically open last used database on startup" setting to open the autoopen database at startup. This could be a trigger or a command line switch.

    KeePass 2.21 is required for Trigger 2 to work correctly.

     
    Last edit: wellread1 2013-03-04
  • Eli
    2013-03-04

    I need to learn about triggers; I think they probably do not work with KeePassX. Thanks.

     
    Last edit: Eli 2013-03-04
    • wellread1
      2013-03-04

      Right.