I’m using the Master password together with a Key File.
If I remove the Key File I can’t log in – as expected. However I still can see the location and the name of the Key File.
Disabling the selection of the Key File does not change this behavior. After I restart the location and the filename are shown again. Is there a way to hide the location and filename in this type of operation?
I understand that I have to select the Key File every time by using it this way but the benefit in my opinion is that if somebody manages to find your Master password (keylogger) it will be still very difficult to find out which Key File needs to be used.
Kind regards
abw24
If someone can find your password they can probably find the key file as well. The idea is to have the key file away from the database, e.g. on a USB stick / phone.
To turn off the saving of the key file location, select Tools > Options > Advanced, scroll down to Advanced and untick "Remember key sources".
cheers, Paul
I agree with the OP on this; I avoid using the Key File feature because of this, despite the additional security it might bring, because in many cases allowing others to obtain the name and location of the Key File can be almost as bad as allowing others to have the Key File itself. I thought I had made a Feature Request a few months ago to allow a more permanent disabling of KeePass's ability to remember Key File locations, but I can't find it right now.
Then again, this change may not be as simple as it appears, so long as the option for remembering is still present, because I can easily envision a scenario like this:
Patsy Doe uses KeePass with remembering off, but one day, Nelly McNasty "borrows" Patsy's computer for a few minutes. Nelly runs KeePass, and while she can't currently view Patsy's .kdbx file(s), she can and does adjust Patsy's KeePass configuration to turn remembering on. The next day, Patsy uses KeePass as usual, and afterward, Nelly comes back, fires up KeePass again, lets it tell her exactly where Patsy's Key File is, copies that file, and turns remembering back off without Patsy ever realizing that her passwords are now significantly less secure than she thinks.
@Paul:
Some of us don't want the burden of having to remember to carry around a USB key; while I realize that some of us require that level of security, others will only use those security features that don't unduly (in their opinion) inconvenience them.
Last edit: T. Bug Reporter 2014-10-21
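A defender-side check for the scenario described in the post above, as an added example that is not part of the thread or of KeePass: it reads a KeePass 2.x configuration document and reports when remembering is switched on or a key file path is stored. The element names (`RememberKeySources`, `KeySources`, `Association`, `DatabasePath`, `KeyFilePath`) are an assumption about the configuration layout, and the sample XML and its paths are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element names are an assumed KeePass 2.x config layout.
SAMPLE_CONFIG = r"""<Configuration>
  <Defaults>
    <RememberKeySources>true</RememberKeySources>
    <KeySources>
      <Association>
        <DatabasePath>C:\Users\patsy\Documents\example.kdbx</DatabasePath>
        <KeyFilePath>E:\keys\example.key</KeyFilePath>
      </Association>
      <Association>
        <DatabasePath>C:\Users\patsy\Documents\other.kdbx</DatabasePath>
      </Association>
    </KeySources>
  </Defaults>
</Configuration>"""


def audit_key_sources(config_xml):
    """Return (remember_on, leaked) where leaked is [(database, key_file), ...]."""
    root = ET.fromstring(config_xml)
    flag = root.findtext(".//RememberKeySources")
    # A missing element is treated as "on", the conservative reading.
    remember_on = flag is None or flag.strip().lower() == "true"
    leaked = []
    for assoc in root.iter("Association"):
        key_file = (assoc.findtext("KeyFilePath") or "").strip()
        if key_file:  # only entries that actually reveal a key file location
            database = (assoc.findtext("DatabasePath") or "").strip()
            leaked.append((database, key_file))
    return remember_on, leaked


def report(config_xml):
    """Turn the audit result into findings for a user who expects remembering off."""
    remember_on, leaked = audit_key_sources(config_xml)
    findings = []
    if remember_on:
        findings.append("RememberKeySources is on (expected off)")
    for database, key_file in leaked:
        findings.append(f"key file path stored for {database}: {key_file}")
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG) or ["no remembered key sources"]:
        print(line)
```

Run against the real configuration file on a schedule or at logon, a non-empty report signals that the setting was changed or that a key file location has been written to disk.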
I see your point and as with everything it has pros and cons. I have KeePass installed on a USB stick and the KeyFile on another USB stick stored on another location. I never ever use this outside and nobody is ever using my computer except myself.
The thought behind my question is that if somebody manages to find out my Master password (Keylogger or burglary) that he or she only has a part of the key and that before this person may find out which KeyFile needs to be used (I have a couple of hundred in various maps on the KeyFile USB), with a little bit of luck I still have the time to take some action to avoid further damages. Have to overthink this. Anyway learned another thing "First check the Options".
Thanks again.
abw24
This request has less to do with security than with not letting people who use your computer find your database AND key file that easily. The question is how to hide it?
a) by encrypting it with, let's say, the sha256 of "keepass.xml.config", for example
b) by simply doing a base64 encoding
c) any other algorithm
This is not about making this completely waterproof, which imho isn't possible. But what do applications do, for example, which have to encrypt a user password within their settings? It's exactly the same problem.
Last edit: chaos2oo2 2014-11-02