
I used to use a master password and "Windows User Account" to get into my password database with KeePass 2. Then I realized the "Windows User Account" option is garbage because if you ever want to upgrade, migrate or reinstall the OS, the database is lost. So now I use the master password and a key file.

My question is, where should the key file be stored? I keep one copy on an external hard drive and another copy on Google Drive. My concern is, is Google Drive safe? According to here, Google Drive encrypts all data, but there are quite a few services that offer to encrypt data on Google Drive for you (are they just playing on the fact that people don't know their stuff is already encrypted?). So is it safe if I upload the key file to Google Drive, or are there further precautions I should take?

thefourtheye
Celeritas
  • I'd use a small usb device (memory stick or micro-SD with a reader). Easier to destroy/hide in case of emergency. – CodesInChaos Jan 21 '14 at 09:12
  • How easy is it to destroy a microSD card? I'd imagine you'd need a hammer, maybe, or more likely, a lighter. – MichaelGG Mar 02 '14 at 00:06
  • What goal do you aim for by storing the copy on Google Drive? The external hard drive (maybe backed up by, say, printing the file on paper) seems enough to me. – Xenos May 12 '20 at 09:25

3 Answers


I would store it on an external device that has no access to the internet and where it is safe from other people.

As for Google Drive's encryption: No, it is not safe. The data is transmitted over an encrypted connection and is stored on Google's servers using strong encryption (presumably), but nothing prevents Google from handing the encryption key over to other people. You never get to choose the encryption key, nor do you ever have access to it. If you have to store any data in "the cloud", use real end-to-end encryption (TrueCrypt, EncFS, ...) with a strong key.

However, I would not store any sensitive data in the cloud, even if it is encrypted. The best way of keeping any information to yourself is not to publish it in the first place.

Phil
  • So you wouldn't use password managers like Lastpass at all then? – Celeritas Jan 21 '14 at 08:59
  • It is, in most cases, not a matter of "will or will not", but of "how". I think they can be a great benefit for security if used correctly. Obviously, they are handy if it comes to choosing different, complex passwords for different services. The question is: Where do I store the database that contains the passwords and how do I secure it? It is generally a bad idea to store the database itself _or_ the key file online. I prefer an encrypted USB drive or any of the sort. It all comes with some risk, but you have to find a way between paranoia and usability. – Phil Jan 21 '14 at 09:06
  • I am actually having trouble deciding between KeePass 2 and LastPass. Pros of KeePass: 1) more secure because everything is kept local. Cons: 1) doesn't easily integrate into a web browser. Pros of LastPass: 1) works on every computer with an internet connection; 2) don't have to worry about backing up, all administrative work is done for you. Cons: 1) less secure as the passwords are in the cloud; 2) can only be used for websites, e.g. not really designed to hold passwords for programs or external hard drives etc. – Celeritas Jan 21 '14 at 09:11
  • Personally, I prefer [KeePassX](https://www.keepassx.org/). I tried LastPass a few years back, but I never really got the hang of it. KeePassX gives me the freedom to decide where I want to store my passwords and how I want to secure the database and key file. Also, it is published under the terms of the [GNU GENERAL PUBLIC LICENSE](https://www.gnu.org/licenses/gpl-2.0.txt). KeePassX also provides an "auto-fill" feature, which lets you automatically fill passwords from the database into websites, but I barely use it and do not want to give a recommendation on whether one should use this or not. – Phil Jan 21 '14 at 09:18
  • I use KeePass and recommend it, or PasswordSafe. Since the encryption is good, if you have a good password you can back up your password file by the simple method of emailing it to a friend. – Ben Jan 22 '14 at 19:03
  • As for "doesn't easily integrate into a web browser" you should check out one of the many browser plugins for KeePass, including chromeipass, keyfox, passifox, CKP (Chrome KeePass), and probably others. – Ben May 19 '17 at 14:36

You can of course store and synchronize the database wherever you want. Just use strong encryption (AES-256) and a good key derivation function (Argon2).

As for the key file, which you should always use in addition to a strong passphrase, I advise you to NEVER store it in the same place as the database (it would be like hiding the key under your doormat). Instead, keep your key file on a separate device, like a USB stick or SD card, that you can easily carry with you all the time.

Remember to store backup copies of the key file in a secure place (a vault) in various storage formats (CDs, USB sticks, etc.), and to change them all together.

refex
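The answers above rest on how KeePass combines the master password and the key file, and on why the key file buys nothing if it travels with the database. The following is an added example, not KeePass's own code and not part of the original thread: a standard-library Python reimplementation of the composite-key step as the KeePass documentation describes it (SHA-256 of the password hash concatenated with the key file's 32 bytes), plus a generator for a 2.0-style XML key file whose Hash attribute catches corruption before a wrong key is ever tried. The Hash rule (first four bytes of SHA-256 over the key data) is taken from the KeePass key-file documentation; the subsequent KDF (AES-KDF or Argon2 with the database's master seed) is deliberately omitted, and every password and key byte here is constructed.

```python
"""Illustrative reimplementation of the KeePass 2.x composite-key step.

Added example, not KeePass code.  Standard library only.  All inputs are
constructed; nothing in this file is a real secret.
"""
import base64
import hashlib
import secrets
import xml.etree.ElementTree as ET
from typing import Optional


def key_file_key(data: bytes) -> bytes:
    """Return the 32 bytes a key file contributes to the composite key.

    Rules as documented by KeePass: an XML <KeyFile> supplies its <Key>/<Data>
    element (v1.00 base64, v2.0 hex with a Hash attribute); a 32-byte file is
    used as-is; a 64-character hex file is decoded; any other content is
    SHA-256 hashed, which is why an arbitrary photo or PDF can be a key file.
    """
    if data.lstrip().startswith(b"<"):
        try:
            root = ET.fromstring(data.strip())
        except ET.ParseError:
            root = None
        node = root.find("Key/Data") if root is not None and root.tag == "KeyFile" else None
        if node is not None:
            text = "".join((node.text or "").split())  # layout whitespace is ignored
            version = (root.findtext("Meta/Version") or "1.00").strip()
            if version.startswith("2"):
                key = bytes.fromhex(text)
                expected = node.get("Hash")
                # v2.0: Hash = first 4 bytes of SHA-256(key), hex.  Catches bit rot
                # or tampering instead of silently deriving a useless master key.
                if expected and hashlib.sha256(key).hexdigest()[:8].upper() != expected.upper():
                    raise ValueError("key file Hash mismatch: file is corrupted or altered")
                return key
            return base64.b64decode(text)
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], key_file: Optional[bytes] = None) -> bytes:
    """SHA-256 over the concatenated 32-byte contributions of each key source.

    KeePass hashes the UTF-8 password with SHA-256 and appends the key file's
    32 bytes, then hashes again.  The result is what the KDF (AES-KDF or
    Argon2) stretches together with the database's master seed; that step is
    not repeated here.
    """
    parts = []
    if password is not None:
        parts.append(hashlib.sha256(password.encode("utf-8")).digest())
    if key_file is not None:
        parts.append(key_file_key(key_file))
    if not parts:
        raise ValueError("at least one key source is required")
    return hashlib.sha256(b"".join(parts)).digest()


def new_key_file_xml(key: Optional[bytes] = None) -> str:
    """Build a KeePass-2.0-style XML key file around 32 random bytes.

    Treat the output like the database password: keep it off the drive that
    holds the .kdbx and never sync it to the same cloud folder.
    """
    key = key if key is not None else secrets.token_bytes(32)
    if len(key) != 32:
        raise ValueError("key file data must be exactly 32 bytes")
    hexkey = key.hex().upper()
    groups = [hexkey[i:i + 8] for i in range(0, 64, 8)]
    body = "\n\t\t\t".join(" ".join(groups[j:j + 4]) for j in range(0, 8, 4))
    check = hashlib.sha256(key).hexdigest()[:8].upper()
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<KeyFile>\n"
        "\t<Meta>\n\t\t<Version>2.0</Version>\n\t</Meta>\n"
        "\t<Key>\n"
        f'\t\t<Data Hash="{check}">\n\t\t\t{body}\n\t\t</Data>\n'
        "\t</Key>\n"
        "</KeyFile>\n"
    )


if __name__ == "__main__":
    raw = secrets.token_bytes(32)
    xml_file = new_key_file_xml(raw)
    pw = "correct horse battery"  # constructed, not a real password
    print("password only      :", composite_key(pw).hex())
    print("password + keyfile :", composite_key(pw, xml_file.encode()).hex())
    # The same 32 bytes in three on-disk forms give an identical composite key.
    assert composite_key(pw, xml_file.encode()) == composite_key(pw, raw) \
        == composite_key(pw, raw.hex().encode())
    # Flip one bit of the key data: the Hash attribute rejects the file.
    bad = xml_file.replace(raw.hex().upper()[-8:], "%08X" % (int(raw.hex()[-8:], 16) ^ 1), 1)
    try:
        key_file_key(bad.encode())
    except ValueError as exc:
        print("tampered key file :", exc)
```

The point the answers make falls out of `composite_key`: with the key file absent, the only thing an attacker holding the .kdbx must guess is the password, so the KDF settings and password entropy are the whole defence; with a random 32-byte key file that the attacker does not have, the search space gains 256 bits, but only if the key file really is somewhere the database copy is not.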

I like to use my key file as a "trusted device" token. I never store it online anywhere. I have a copy stored on each device I use my database on, or on a USB stick I keep nearby that device.

On the other hand I sync my password database using Google Drive and have considered keeping an additional backup on Dropbox or something. But since my key file is never stored online, an attacker who somehow manages to grab my password database from cloud storage would still need to attack one of my local devices directly in order to steal the key file.

Ben