When you work in a company or in a team, someday it happens that you need a secure and flexible solution for password sharing. Until the team gets big, it is usually sufficient to have one or more KeePass databases. However, while the team is growing it becomes clear that something more flexible is needed.
There are quite a few known solutions for central password management nowadays; however, these all have one "issue by design": they use a centralized database encrypted by a single master key, so:
- if the server is hacked, then all of the passwords are in the hacker's hands
- if the server is unreachable, then nobody has access to any of the passwords
I would like to share a concept aimed to fill this gap, and hopefully this or something similar will be implemented in KeePass someday.
The main idea is not to have a central database with a single "master key" but to have user databases encrypted by their own keys that contain only the passwords they need to access. The central storage is only used for sharing passwords. Passwords are encrypted by the "issuer key", i.e. by the key of the person who added or changed a password most recently.
Please have a look at the attached image.