Enpass Discussion Forum

Steve Hansen

  1. @Fadi the guys at KeePassXC (similar situation) can hopefully explain it better than me. I found 2 relevant parts in their FAQ: https://keepassxc.org/docs/#faq-yubikey-howto (so you can use a YubiKey to add some extra protection, but you'll have to back up that key in a secure location, and bricking your key will result in a lost database. From a UX point of view I wouldn't enable it like this. You could have multiple keys with the same secret, https://keepassxc.org/docs/#faq-yubikey-multiple-yubikeys, so that would be something I could do, but you'll still need to keep a backup of that key). https://keepassxc.org/docs/#faq-yubikey-why-hmac-sha1 This also confirms my "protecting an external service"
  2. Hey @Fadi, it's just not technically possible to protect a local file like that. You can only use a secure, long master password for symmetric encryption, where a local keyfile can be used for extra entropy. TOTP/FIDO/email magic links/... are all features that can only be used when protecting an external service. For your information, directly from the Bitwarden documentation: https://bitwarden.com/help/external-db/ If you self-host it, you are just connecting to a Microsoft MSSQL database, so with the sa password you'll also have access to all your credentials (encrypted, but just the same as having an Enpass database). SQL Server has features like TDE to encrypt data at rest, but they will also only protect the file outside the system, because if the SQL Server didn't have the key to unlock it, some DBA would have to enter a password every time the database instance was restarted. And SQL Server's Always Encrypted just moves the key outside the database instance, to the application layer, which will also need to know the key that is used. FIDO U2F cannot be used for symmetric encryption: https://security.stackexchange.com/a/105808/71765 which also makes sense, otherwise your whole database would be lost when it works like that, and they always recommend having a spare key, because they don't actually encrypt the data, just provide a secure attestation certificate.
  3. I'm sorry @Fadi, but how can 2FA protect a local encrypted file? It's just a fixed key that is used to generate a unique 6-digit number every 30 seconds; there is nothing with 2FA that could possibly add any protection to locally encrypted files.
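
Added example, not part of the original posts and not code from Enpass, KeePassXC or Yubico: it contrasts the TOTP code described in post 3 with the HMAC-SHA1 challenge-response from the KeePassXC FAQ linked in post 1, when each is mixed into the key for a local file. The secrets, challenge and salt are constructed sample values (the TOTP secret is the RFC 6238 test key), and `file_key` is a hypothetical, simplified derivation rather than either product's real key schedule.

```python
import hashlib
import hmac
import struct

# Constructed sample values; TOTP_SECRET is the RFC 6238 test key.
TOTP_SECRET = b"12345678901234567890"
TOKEN_SECRET = b"constructed-hmac-slot-secret"            # would live on the hardware key
STORED_CHALLENGE = b"constructed-seed-stored-in-db-header"  # stored next to the file


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, truncated to digits."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def challenge_response(secret: bytes, challenge: bytes) -> bytes:
    """HMAC-SHA1 challenge-response: the same challenge always yields the same 20 bytes."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def file_key(password: str, extra: bytes, salt: bytes) -> bytes:
    """Hypothetical file-key derivation: password plus extra key material."""
    return hashlib.pbkdf2_hmac("sha256", password.encode() + extra, salt, 100_000)


def demo() -> dict:
    salt = b"constructed-salt"
    # Key derived when the file is encrypted vs. one 30-second step later.
    k_totp_then = file_key("pw", totp(TOTP_SECRET, 59).encode(), salt)
    k_totp_later = file_key("pw", totp(TOTP_SECRET, 89).encode(), salt)
    k_cr_then = file_key("pw", challenge_response(TOKEN_SECRET, STORED_CHALLENGE), salt)
    k_cr_later = file_key("pw", challenge_response(TOKEN_SECRET, STORED_CHALLENGE), salt)
    return {
        # The TOTP code has changed, so the derived key no longer opens the file.
        "totp_key_stable": k_totp_then == k_totp_later,
        # A fixed challenge gives a fixed response, so the key is reproducible,
        # but only while the token secret (or a backup of it) still exists.
        "challenge_response_key_stable": k_cr_then == k_cr_later,
    }


if __name__ == "__main__":
    print(totp(TOTP_SECRET, 59), totp(TOTP_SECRET, 89))
    print(demo())
```

A TOTP code is only useful to a verifier that holds the same secret and compares codes, which is an access decision made by a service rather than key material for a file.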