Secrets management with KeePassX

To say that using some way of password management these days is unavoidable is nothing new and dozens of articles were written on that. But for the needs of personal security policy I'll try to put a reasonable summary here based on my experience.

KeePassX

This is my secrets manager (much more than password manager) - of choice. Why secrets? I'll discuss that in a moment. And why KeePassX? First of all it's open source free software. It will never be enough to repeat: you cannot seriously talk about security in anything that is not open source¹⁾. It's also proven and cross-platform. Although a newer KeePass 2 that is slightly more versatile can be run on GNU/Linux with mono, it has display issues related to font width in password input boxes which is rather confusing. Also Linux version cannot export data to KDB v1 format. That's why I stick to KeePassX.

As for online services like LastPass - I definitely would not trust such solutions, especially in post-Snowden, post-Lavabit-shutdown era²⁾. I also experienced a sad case with a Polish free email provider around ten years ago: my whole account disappeared without the trace, evaporating two years of my communication. The login name became free, I even set up another account under the same name. I did not violate the TOS, but since I was not a paying customer, their support generally ignored the issue, responding "sorry, it will happen sometimes, we do not back up mailboxes". I'm not going to risk that with all my online access data.

It only begins with passwords

Why have I mentioned secrets manager at the beginning of this post? Because there is much more than just passwords that can - and definitely should - be stored in a secure manner that KeePassX provides. What else to put in as text notes and file attachments?

• Security questions and their answers for password reset feature. You would not use "green" for your password, so think twice filling that reminder form upon registration. Yes, my mother's maiden name is oGIt0KDJpj.3w*Lg5CTV0subSWc if you really wanna know. And if an online service allows me to set up my own question, try your social engineering skills to find out what was the colour of my first nT8c%pladh#Uas6?
• GPG private keys as well as their passwords. Note: if you use pinentry (eg. with Enigmail) then Auto-Type feature of KeePass will save you from manual patching. It works nicely after increasing the pre-gap timing in advanced settings to something over 2000ms
• Encrypted volume header backups, disk geometry and filesystem data. This may save your life in case of eg. partition table/volume header/superblock damage. It's also necessary if you have backup of your data made with rsync or duplicity but want to restore your exact partition schema. For a typical Linux setup I would include LUKS header backup, vgcfgbackup for LVM, RAID mapping data, output of dumpe2fs, sfdisk -d and blkid.
• A VPN connection settings/certs for your VPN (you have one, right? If not, set up one using OpenVPN or get one). Imagine you are forced to use a liveCD system in an untrusted network like a hotel WiFi. Just install the required VPN client in live system, import the settings and breathe a sigh of relief.
• Proven, tested instruction on how to restore data using your backup software - this is equally important to having in place all passwords, SSH keys or other means you need to access the backup archive itself.

Yes, it is a lot of data. It's worth compressing the attachments and use separate database files for various stuff. At this point let me remind you some classics on password strength and reuse.

Mom, please put this on the shelf and undust once a week

The worst you can do is have the only copy of backup decryption keys inside the encrypted backup. Also KeePassX's bug or a power outage may thrash your KDB file. Before it happens, make a few external copies. Put one of them on a CD or flash drive and keep it in a bank vault, in your office or a relative/friend's house - offline and offsite.

_______
1) In this case it's a direct quote from Emil Ivov of jitsi project, taken from a session at FOSDEM 2013 - see the video here.
2) Lavabit was a privacy oriented email service used by Edward Snowden. Its founder decided to close the business rather than jeopardize the privacy of his 350k customers by following the secret court order and giving up SSL encryption keys to the authorities that wanted to access Snowden's correspondence. His case has become just one more proof that governments will breach privacy on mass scale unscrupulously even when targetting an individual.

Categories

• gpg (1)
• jug (1)
• kraków (1)
• linux (2)
• oktawave (1)
• otp (1)
• personalsec (2)
• polski (1)
• prezentacja (1)

Archive

• December 2015 (1)
• November 2015 (1)
• January 2014 (1)
• December 2013 (1)
• November 2013 (2)

Links

• Szydełkiem wykreowane

Copyright © 2013-2015 Karol Szafrański. Licensed under CC BY-SA, see details. Powered by BlazeBlogger.