Everything posted by MatMaul
-
Security concern
By the way, I am asking a lot of questions; it is not to annoy you but because I care. I was a happy paying customer of LastPass and looked a bit elsewhere when their price went up. I could just have stayed on the free tier, but I really like your simpler approach and your extensive, updated app ecosystem.
-
Security concern
@Hemant Kumar I reread your first answer and I missed a lot of info, so sorry for the multiple unstructured posts and the possibly redundant questions; I usually do better. Last point, regarding your point 1 about the cached JSON in SQLCipher: is there no way to purge this cache after closing the DB? If so, it looks like a huge problem in SQLCipher, no? It looks weird to me that security-oriented software can't zero out all cleartext information when fully closing an instance.
-
Security concern
I must say that I have no idea how Qt handles its object deallocation, so I am just asking if you "destroy" them correctly with the API on full locking; if so, we can't do much, as you said.
-
Security concern
And I didn't check, but this statement contradicts what you just said. Do you completely destroy the UI elements when fully locking, or just hide them?
-
Security concern
OK, great that it closes the DB in the fully locked case. Can we have some details about how the PIN is handled right now? Is it stored in the encrypted DB and then compared, since the DB is available? Or are you storing a hash of the PIN for comparison? Both? I am trying to think of a way to be able to close the DB in the PIN case, but I need a bit more info. Thanks.
-
Security concern
Are you clearing the UI elements and closing the SQLCipher DB when Enpass is locked (either PIN or fully locked) so we can't access the clear data in memory? If yes, I would say it is good enough; we can't do much against unencrypted data in memory while we are using the data. Edit: I misread; it looks like it is also in the clear when locked, not cool. It should be technically doable without too many changes to clear the UI elements and close the DB in this case.
- Beta ver 5.5.9 now supports the Enpass WebExtension for Firefox!
-
Enpass and Flatpak
You can disregard my comments regarding not working with Firefox in Flatpak; it is probably related to the global incompatibility with Firefox 57+.
-
Beta ver 5.5.9 now supports the Enpass WebExtension for Firefox!
What kind of checks do you do before authorizing a browser to access the vault? If I download the static Linux build of Firefox Beta here: https://www.mozilla.org/fr/firefox/channel/desktop/#beta it doesn't work. Are you checking that the binary path is /usr/bin/firefox, or something else? Works fine with packaged Firefox.
-
Enpass and Flatpak
Hi, for Linux users I think it would make sense to release a Flatpak version of Enpass. Also, currently Enpass Beta + Firefox Dev Edition in Flatpak + Enpass WebExtension doesn't work. I am able to curl the Enpass service from inside Firefox Flatpak (at least I get the same empty reply as when running the curl from outside), so I guess there is some validation happening from the Enpass app that doesn't work.
-
Standardized field names
Currently the field names of an item are not standardized, so depending on the language it can be, for example, "Username" or "Nom d'utilisateur" in French. And if I import from LastPass it would be "username" without a capital. I think it would make sense to use the keyword "username" in your SQLCipher DB and then translate it at display time depending on the language. Currently it makes the data inconsistent between elements depending on whether they are imported or which language they are created in. It also makes scripting of anything (from an export in CSV, for example) really tedious.