hello,
I was wondering if there were some logs about when the KeePass database was opened and about the device on which it was opened. I would like to know this to see if it's possible to have a kind of "trusted device" and receive a mail or something when there is an "unrecognized" connection (sorry if the idea is stupid and adds more security problems than it could resolve, I would just like your advice about this).
There is no reliable mechanism to make this work because external comms can be disabled / logs deleted. Opening the database doesn't require KeePass, there are plenty of 3rd party apps that will open a KeePass database and anyone who can code can write their own decrypter.
Use a long strong password and trust encryption.
cheers, Paul
How would you define "open"? Usually when someone gets hold of your database he won't open it on your device but rather on his device (assuming he has the key).
If he compromises the host and extracts secrets, tracking the opened device won't detect anything either.
If he doesn't have the key but got the database, he will try to brute-force it using cracking software; therefore, it won't be helpful either.
I can't find a single good attack scenario where this works.
First off, your database is just a file; it's static, it can't run any code on its own.
In addition, KeePass itself is local so the "trusted" device would always be the same.
You are right, KeePass is not the only app that can read the kdbx files; but my biggest problem today is not trust in encryption, it's my need to have my database on something portable (like a drive or similar).
And if my database is compromised, how can I know it?
You can't really; just make sure that you run the portable version on a trusted computer.
Some solutions allow for read-only storage, but the issue is once KeePass loads the data into memory.
Make a sub-database containing only the accounts you need to run as portable. Leave the other accounts in your main database on your trusted machine.
There is a sync process for a sub-database at this link.
cheers, Paul
Thanks for all these details.