Keepass2 how to separate key and DB on "iPhone" like devices?


The most secure way to use keepass is to separate the key file and the DB.

My first idea was to use a USB/flash card with the key file, just like a regular key (and the DB on Dropbox), but Apple does not like external storage devices.

So only cloud or Internet solutions can be used. Once authenticated by iOS, generally anyone can access Dropbox, Google Drive etc., because those accounts are handled by iOS (at least if you want your mobile experience to be at least a bit easy).

My workflow now is insecure: both files are on Dropbox. Using an SFTP server on my local network would work, but as far as I know it is too troublesome to access it from the Internet (no fixed IP), and I'd rather not open my local network to the Internet at all.

After this way too long intro, my practical question is: does anyone know a good secure workflow for keepass2 DB and key files for all my devices, desktops and mobile devices (iPhone/iPad)?

A solution where I don't need a lot of passwords to log in to services to get my passwords.

EDIT:

I've reread some of the documents of keepass: http://keepass.info/help/base/security.html

In order to generate the 256-bit key for the block ciphers, the Secure Hash Algorithm SHA-256 is used. This algorithm compresses the user key provided by the user (consisting of password and/or key file) to a fixed-size key of 256 bits. This transformation is one-way, i.e. it is computationally infeasible to invert the hash function or find a second message that compresses to the same hash. Key Derivation: If only a password is used (i.e. no key file), the password plus a 128-bit random salt are hashed using SHA-256 to form the final key (but note there is some preprocessing: Protection against Dictionary Attacks). The random salt prevents attacks that are based on pre-computed hashes.

When using both password and key file, the final key is derived as follows: SHA-256(SHA-256(password), key file contents), i.e. the hash of the master password is concatenated with the key file bytes and the resulting byte string is hashed with SHA-256 again. If the key file doesn't contain exactly 32 bytes (256 bits), they are hashed with SHA-256, too, to form a 256-bit key. The formula above then changes to: SHA-256(SHA-256(password), SHA-256(key file contents)).

If I understand this correctly, both ways, password only and password + key file, result in one 256-bit "key/hash". So the strength of the DB is the same, as long as you have a good password. So the extra strength comes from the fact that the attacker needs your key file to complete the 256 bits.

Also, given the dictionary attack countermeasures mentioned in the link, can I conclude that, given a proper password, the extra security from the key file does not outweigh the inconvenience in this particular case?

CodeRogier

Posted 2016-08-25T12:44:43.187

Reputation: 71
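The derivation quoted in the question, as an added example that is not part of the original post and not KeePass's own code; it follows only the quoted formulas (the salt and the dictionary-attack transform rounds the text mentions are left out, an assumption that does not change the comparison between the two modes), and all function names are assumed:

```python
import hashlib
import os
from typing import Optional

def key_file_key(contents: bytes) -> bytes:
    """Key material contributed by a key file, per the quoted documentation:
    a file of exactly 32 bytes is used raw, anything else is hashed to 32 bytes."""
    if len(contents) == 32:
        return contents
    return hashlib.sha256(contents).digest()

def composite_key(password: str, key_file: Optional[bytes] = None) -> bytes:
    """Derive the 256-bit composite key from the quoted formulas.

    Password only:       SHA-256(password)
      (assumption: the salt and transform rounds applied on top of this are
       omitted; both modes still end in one 256-bit key, which is the point)
    Password + key file: SHA-256(SHA-256(password) || K), K from key_file_key()
    """
    pw_hash = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is None:
        return pw_hash
    return hashlib.sha256(pw_hash + key_file_key(key_file)).digest()

def new_key_file() -> bytes:
    """Constructed key file: 32 random bytes, the size the documentation uses raw."""
    return os.urandom(32)

def password_guess_recovers_key(true_key: bytes, guessed_password: str,
                                key_file: Optional[bytes] = None) -> bool:
    """Does a correct password guess alone reproduce the key? With a key file the
    guesser also needs the file bytes; that second factor is what the question asks about."""
    return composite_key(guessed_password, key_file) == true_key

if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    kf = new_key_file()
    k_pw_only = composite_key(pw)
    k_both = composite_key(pw, kf)
    print("password only   :", k_pw_only.hex())
    print("password + file :", k_both.hex())
    # Same password, but without the file the derived key is wrong.
    print("guess recovers key (pw only)      :", password_guess_recovers_key(k_pw_only, pw))
    print("guess recovers key (pw + key file):", password_guess_recovers_key(k_both, pw))
    print("guess + file recovers key         :", password_guess_recovers_key(k_both, pw, kf))
```

Both modes produce a 32-byte key, as the question observes; the difference is that with a key file the password alone no longer determines it.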

Why use a key file in the first place? – Daniel B – 2016-08-25T12:50:29.857

You are asking an off-topic question. Please read On-Topic, How do I ask a good question? and What types of questions should I avoid asking? – DavidPostill – 2016-08-25T12:54:27.857

http://apple.stackexchange.com/ (and delete this question) – DavidPostill – 2016-08-25T12:55:13.003

As far as I've read, the combination of the two is the most secure. If this is not the case, then why the key file in the first place? And if you're correct, then this would indeed be a good solution. – CodeRogier – 2016-08-25T12:56:33.923

Sorry, this is not just Apple; it is a problem for all devices that do not support external storage such as a USB or flash card. I just happen to have an Apple product, but the problem still holds. – CodeRogier – 2016-08-25T12:58:34.593

I'm facing the same issue, both key and DB are on my Dropbox. However, I tell myself it's slightly better than just having a password because the attacker would still have to locate the key file in my Dropbox. Sure, a *.key search would find it rather quickly, but a random idiot who gains access to my phone might not think about it... my password is pretty secure though, it's insanely long and not used anywhere else, and I update it yearly (whenever KeePass starts to nag me... :) ) – KEK – 2016-08-25T13:05:02.653

No answers