Allowing KeeFox to read a locked KeePass DB

Help
Alex Klotz
2011-10-09
2012-11-19
  • Alex Klotz
    2011-10-09

    KeeFox is a Firefox addon for KeePass

    KeePass has an option where the user can 'Lockdown the program on Minimize'. Combined with the option to minimize after opening a database the following possibility would complete an interesting automation for KeeFox users.

    It would be nice if KeeFox could comply with a locked down KeePass DB by 'read only' to continue its function with the browser.
    It would be handy because the KeePass data and settings would be secured (?) but KeeFox would still be allowed to work
    I'm not sure if this would have to start as a KeeFox or KeePass solution; suggestions would be helpful.

    Anyway,
    Thanks and a great program..

     
  • Paul
    2011-10-10

    Minimising KeePass does not make it more secure, it just hides it a little.

    As you can set those options yourself how do you propose that this would work? Should KeeFox set them for you?

    cheers, Paul

     
  • Alex Klotz
    2011-10-10

    Paul,

    True, minimising KeePass does not make it more secure.  There is an option however to 'lockdown the program on minimize'.  This implies that you have already entered your master password and your KeePass database is 'open' on your desktop.  The aforementioned option, user selected in KeePass, minimizes KeePass to the taskbar, puts a little 'lock icon' over it and reverts it to locked status - to access the program you must re-enter your master password.

    Enter KeeFox, a Firefox extension that piggybacks onto KeePass and by some techno magic, makes it easy for a user to auto-enter usernames and passwords directly from the KeePass program onto Firefox webpages.

    However.  When a KeePass database is 'locked', KeeFox essentially is not recognizing that KeePass is actually open, which it is not, but it IS running on the desktop. 

    The idea I am promoting is that when KeePass is in a 'lockdown' mode, the KeePass program is 'locked', the program cannot be opened for any edit functions, looking at passwords, changing settings, doing anything that could alter the user database.  KeeFox however could still 'see' web based passwords and its function could operate, read the data and fill the passwords into a website.

    You are kind of making me question why this would even be useful.  I guess I'm imagining a situation where I'm browsing and someone could open my KeePass program and look at all my passwords because the KeePass program is essentially open to anyone with access to my desktop (remote or physical).  I guess it would not stop any user from accessing my URL based logins, since KeeFox keeps a dropdown tab menu of those anyway (hopefully with this change the titles would show but the right-click 'edit function' would be 'locked').

    Why I think it's a good suggestion is I guess it would make me feel more secure that at least someone could not 'change' any information.  I hope the direction KeeFox goes in development is away from trying to be KeePass in the sense that it does almost no editing, only reading.  Mostly it is this way and the user must make any changes through KeePass.

     
  • Paul
    2011-10-11

    KeePass only has one locked mode, the database is closed and memory is emptied. For KeeFox to work KeePass must unlock your database and remain unlocked. Preventing user interaction with an unlocked database really is pointless.

    cheers, Paul

     
  • Alex Klotz
    2011-10-11

    The first two statements are true and relevant.  The third statement is true but not relevant to the suggestion, KeeFox does not prevent user interaction with an unlocked database, it in fact makes it seamless with Firefox.

    I believe, but do not know:  KeePass, with only one locked mode, prevents KeeFox interaction with a locked database.  Therefore, a new locked mode should be added to KeePass, one that does not prevent KeeFox interaction with a locked database.

    Additionally, what is the point of having a single KeePass locked mode that is different from the suggestion above, why not just close and reload the program?  Maybe very very slightly less efficient time wise (opening the program vs. clicking task bar) but would save a lot of background memory from running needlessly to support the program.

     
  • Paul
    2011-10-11

    <The idea I am promoting is that when KeePass is in a 'lockdown' mode, the KeePass program is 'locked', the program cannot be opened for any edit functions, looking at passwords, changing settings, doing anything that could alter the user database. KeeFox however could still 'see' web based passwords and its function could operate, read the data and fill the passwords into a website.>

    This is the part that is pointless. KeePass must unlock the database for KeeFox to work. Preventing user access serves no purpose apart from cosmetic.

    cheers, Paul

     
  • Alex Klotz
    2011-10-11

    Paul,

    This is a SUGGESTION of how to do things differently because having an option to lock down KeePass is pointless itself.  Closing the program is a more efficient option than 'lockdown', it doesn't waste system resources.

    If KeePass were to do something useful with its lockdown function it would be to somehow, with security, allow KeeFox to continue its function as long as KeePass is running, in the task bar and locked.

    Suggestion, Paul.  This means this is not the way things work currently or even how it necessarily should be, but maybe, with effort or ideas from people in the community on how to achieve these goals, it could be.

     
  • Alex Klotz
    2011-10-13

    Ok so I did some more research into the KeePass program because I think I'm operating on a different level than you techno-wise.. maybe KeeFox is not needed?

    I found this Global Auto-Type Hot Key http://keepass.info/help/base/autotype.html
    Can you tell me more about this?  I understand that it would not type in the URL which KeeFox does but would it allow me to 'lock' the KeePass database, go to a website where I have a key stored, press the command to release the username and password?

    Basically I am looking for an option that secures the database from editing, not from usage.
    Thanks

     
  • Paul
    2011-10-13

    KeePass doesn't have an option to make the database read only. You shouldn't need one if you back up every day.

    cheers, Paul

     
  • wellread1
    2011-10-13

    You can initiate a KeePass global auto-type on a website if your KeePass database is open and the KeePass workspace is locked.  The locked mode prevents viewing or editing the KeePass database. When you use KeePass in this locked mode you will need to type your KeePass Master Password before it will complete the auto-type.

    There are also various options to lock the KeePass workspace based on events or time; see Options/Security.

    -wellread1

    You can use global auto-type

     
  • Luckyrat
    2011-10-13

    If you're mainly concerned about casual editing of your data you could consider storing your database on a service like Dropbox (http://db.tt/9zVCKj4) which automatically stores previous versions of the kdbx file, allowing you to roll back to a previous version of the database.

    Thanks,
    Chris

     

  • Anonymous
    2011-10-19

    Is it possible to have the Firefox plugin cause KeePass to initiate the unlock sequence? I have KeePass set to lock whenever I lock my workstation, and it works well. However, when I come back, the Firefox plugin doesn't know that KeePass is locked. It just says it cannot find the login information.

     
  • Alex Klotz
    2012-01-11

    Wellread1,

    That is interesting that global auto type works while the KeePass program is 'locked down' and minimized but the method you give for making it work is not.  I differentiate between two modes of 'lock'.  One is the system as it currently functions which you know better than I.  I view that system as overwhelmingly cosmetic.  The only differences between fresh booting KeePass and 'Lockdown' mode appear to be a neat icon with a lock (which is cool by the way), maybe a few hundredths of a second and a lot of background memory usage.  The key similarity is that upon opening both, you are prompted with a master password login.

    My current settings have KeeFox trigger the opening of KeePass when I open my browser.  Once open, KeePass triggers a minimize KeePass upon opening a database.  I want KeePass to then trigger a 'lockdown' but it is different from how the program currently works.  The database in "lockdown" may be read only by a global auto type or a KeeFox type program to perform duties the user has authorized that program to carry out.  This would include no editing or writing within the KeePass program, no changing of settings, nothing other than some type of securely, encrypted maybe? transfer of what is needed to auto fill the website information.

    Why is this important?
    1)  I want the little locked icon to make me feel great when I'm surfing the net.
    2)  I want to enter a master password only when I need to enter the KeePass workspace, not necessarily after I enter the password on open database and then again every time after it has been minimized and locked down.
    3)  When I close the browser I want KeePass or one of the other programs to force a close until I open the browser and it triggers the above loop.
    4)  I think you should consider building browser support into KeePass or at least considering a way for it to function securely as an official plugin to KeePass.

    Thanks,
    Alex

     
  • Alex Klotz
    2012-01-11

    Above also addressed to Paul and Chris
    edit:  backing up kdbx is not relevant to this query/suggestion.  More relevant is how to allow plugin type programs to work with KeePass while KeePass is in current 'lockdown' mode which I view as currently irrelevant in its present form

     
  • Paul
    2012-01-12

    You can make KeePass work this way by creating a plug-in that caches the key, unlocks the database for KeeFox, then locks it again. Alternatively you could control the user interface from a plug-in, similar to KPEntryTemplates.

    cheers, Paul

     
  • Zoot Bingham
    2012-02-07

    I think what aklotz wants is something like Firefox's built-in password encryption.

    When you set a "Master Password", Firefox encrypts all your passwords. When you start Firefox, it prompts you to enter it. From that point on, all your previously saved passwords will be auto-filled in. However, when someone wants to peek at those passwords in the Options-Dialog, they will AGAIN be prompted to enter the Master Password.

    The convenience here is: you can have a really long and secure Master Password and you will likely only ever enter it ONCE per session.

    With KeePass and KeeFox/PassIFox, it's different.
    You enter your super secure password and open the database. Now it's open and ready to be tinkered with. Anybody can just copy a password to the clipboard and paste it into a text editor. But if you set KeePass to lock the database all the time, you will be prompted to enter your super secure password every time you log into a website.
    Not ideal.

     
  • Alex Klotz
    2012-04-29

    Zoot, thank you for the clarification.

    I do understand the Firefox schemata.  Firefox does an excellent job in my understanding within the browser environment, it is however not ideal because it is not portable between devices and OS as KeePass is with the kdbx files.

    You are close with the KeePass/KeeFox integration.  Idealistically, to open and edit the KeePass file or work within KeePass you would be prompted by KeePass upon startup/to leave lockdown mode, to enter the super secure password- when that has been done- KeePass itself is open to editing.  However, when in 'lockdown' mode KeePass the program, is closed.  The only function available is read only, autofill.  KeeFox or whatever plugin designed for the OS needed can 'read' the encrypted files and autofill the password on the correct website within the browser.  Technically, while the password cannot be seen or edited, it can be used to access files and autofill websites. 

    In this scenario, the super secure secret password only needs to be entered once, to open KeePass.  If user selects current option, "Lockdown on Minimize" in combination with "Minimize at Startup", KeePass is sent into autolockdown where only the above actions can be performed with regard to autofill.  So to edit the database you have to enter the super secure password twice, to open the database, then to take it out of lockdown after the startup on minimize/lockdown.

     
  • Alex Klotz
    2012-04-29

    Basically the request is to change the definition of 'Lockdown' within the KeePass universe and move the current definition to another term or to already existing functions, such as auto terminate the program on idle or after certain periods of time.  The reason is that the current definition is dubious since closing the program in entirety is a much more reasonable option to achieving the current lockdown goal.  Why waste the small system resource running the program just so you can see a lockdown icon?  Basically it saves three seconds and a double click.  My opinion is the lockdown definition should provide more of a service, locking down all viewing/editing functions but allowing reading functions.

    In summary: this could be a radical misunderstanding of what is possible given the current architecture.  Pali has so far given the best insight into a solution in that it is likely impossible or unworkable given the current environment.