Is there an option, or a plugin, that allows me to specify a list of computers that a certain password database can be opened on? So that even if someone manages to get access to that file, he wouldn't be able to open it on his own machine.
Sorry but what a strange idea.
The security of a KeePass database is in your password and optionally a key-file.
If you store the key-file only on certain computers it works as you desire.
I believe the RSA Cert Key Provider plugin will do what you want. The user can install a digital certificate on each computer that can be used like a key file. However, this is an expert plugin. If you don't own an appropriate digital certificate, or are not familiar with creating self signed digital certificates, or securely managing digital certificates, there is a significant learning curve. The plugin does not include documentation though a brief description consisting of a single hint is available at its website.
However, there are easier approximate alternatives that are (or can be) secure:
Use a strong master password. Easiest to manage, and therefore most reliable for most users.
Use a key file on a usb flash drive. Only users who possess the key file can access the database. Make sure to backup the key file. A database that uses a key file can't be opened without it.
Use the KeeAutoExec plugin with a dedicated "auto-open" database that is linked to each user's Windows User Account and that contains the strong master password for your primary database. If an auto-open database is lost, the primary database can still be opened with its strong master password, but the auto-open database can't be used to open the primary database on a different user account. (The user creates individual auto-open databases for each computer.)
Last edit: wellread1 2014-08-24
By the way, it is impossible to define, in KeePass, a list of computers that are the only computers that can open the database. This is because the password database is an encrypted file, and the KeePass encryption key derivation algorithm is in the public domain. Anyone with the encrypted file, the complete Master Key and their own copy of KeePass (or its equivalent) can decrypt the database. What makes a database invulnerable, is the strength of its Master Key secret.
Most of the methods that I described are variations on having a strong Master Key where a portion of the Master Key is either strongly tied to a particular user account or computer (e.g. an installed digital certificate, or the auto-open database linked to the Windows User Account), or is something you have (a key file on a usb key). Since it is quite practical to use a password that, by itself, is too strong for the fastest current computers to guess, I included that example too.
Last edit: wellread1 2014-08-25
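The derivation behind the previous reply, as an added example (not code from the KeePass project or from anyone in the thread): it reconstructs how KeePass 2.x turns a password and a key file into the composite key, so you can see that only the bytes of the key sources enter the computation, never the host or the file's location. The password and key file contents below are constructed for the demo; the key-transformation stage a real KDBX file applies afterwards (AES-KDF or Argon2, with parameters stored in the file header) is omitted because it is equally determined by the file and the composite key.

```python
"""KeePass 2.x composite key derivation, reconstructed as an added example.

Not code from the KeePass project or from the thread. PASSWORD and the key
file contents are constructed sample values. The XML key file version 2.0
format (hex data with a hash attribute) is not handled here.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample key sources (hypothetical, not from the thread).
PASSWORD = "correct horse battery staple"
SAMPLE_KEY_BYTES = bytes(range(32))
SAMPLE_XML_KEYFILE = (
    b'<?xml version="1.0" encoding="utf-8"?>\n'
    b"<KeyFile>\n"
    b"  <Meta><Version>1.00</Version></Meta>\n"
    b"  <Key><Data>" + base64.b64encode(SAMPLE_KEY_BYTES) + b"</Data></Key>\n"
    b"</KeyFile>\n"
)


def key_file_data(contents: bytes) -> bytes:
    """Reduce a key file to the 32 bytes KeePass feeds into the composite key.

    The order of checks mirrors KeePass 2.x: an XML key file (version 1.00,
    base64 <Data>), then a raw 32-byte file, then a 64-character hex file,
    otherwise the SHA-256 of the whole file. Nothing depends on the path,
    the drive or the machine: only the bytes matter.
    """
    if contents.lstrip().startswith(b"<"):
        try:
            root = ET.fromstring(contents)
            if root.tag == "KeyFile":
                data = root.findtext("Key/Data")
                if data is not None:
                    return base64.b64decode("".join(data.split()))
        except ET.ParseError:
            pass  # not XML after all; fall through to the raw formats
    if len(contents) == 32:
        return contents
    if len(contents) == 64 and re.fullmatch(rb"[0-9A-Fa-f]{64}", contents):
        return bytes.fromhex(contents.decode("ascii"))
    return hashlib.sha256(contents).digest()


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """SHA-256 over the concatenated 32-byte contribution of each key source.

    KeePass hashes the UTF-8 password to 32 bytes, appends the key file's
    32 bytes (password first, then key file), and hashes the concatenation.
    A Windows User Account key would be a third 32-byte component; it is
    left out here because it is unwrapped with DPAPI on that account only.
    """
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        parts += key_file_data(key_file)
    if not parts:
        raise ValueError("at least one key source is required")
    return hashlib.sha256(parts).digest()


def demo() -> dict:
    """Compare what the owner and an attacker can derive from the same inputs.

    There is no host identity in the math: whoever holds a copy of the .kdbx
    and every key source derives the owner's key on any machine. Without the
    key file the derived key is simply a different value.
    """
    owner = composite_key(PASSWORD, SAMPLE_XML_KEYFILE)
    attacker_with_everything = composite_key(PASSWORD, SAMPLE_XML_KEYFILE)
    attacker_without_keyfile = composite_key(PASSWORD, None)
    return {
        "owner_key_hex": owner.hex(),
        "attacker_with_file_and_keyfile_matches": attacker_with_everything == owner,
        "attacker_with_file_only_matches": attacker_without_keyfile == owner,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical reading of the output is the thread's conclusion: a key file that is copied onto every computer is just a second password that happens to live on disk, while a key file kept on removable media is a genuine second factor.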
@Wellread: Thanks for your replies, especially the last one made me understand why my request doesn't really make sense.
@Horst: What's the point of having a keyfile if it's on all PCs already? If someone gains access to my pc, he'd have both my password db and the keyfile. To be safe, it'd have to be on a thumb drive or something similar.
@Berend: I store my DB file on Google Drive so it is accessible where I need it. I have a strong master password, but for additional security I have a copy of a key file on the nodes where I want to access the DB. The strong password is to secure the DB on the nodes, the key file is to further secure the DB on GDrive.
It would be more secure to store the key file on a thumb drive, but I feel that my current setup is an acceptable compromise between security and usability.