Hello Enpass-Team,
Happy new year to you! I'm a very happy user of Enpass and its perfect usability.
But for some weeks I've been frightened about the usage of password managers because of the released information regarding Meltdown and Spectre (CVE-2017-575, CVE-2017-5715 and CVE-2017-5753).
Especially Meltdown can lead to a dump of the memory of applications like password managers, which are one of the most valuable targets! I know that microcode workarounds for CPUs and OS bug fixes are on the way, but I want to ensure that you have implemented Enpass in a way that minimizes the possibility of extracting our passwords via such vulnerabilities.
Can you please give us some information on how you protect our data against such issues?
For example:
When do you decrypt the passwords and store them in RAM? When the user unlocks Enpass, or when the user requests one specific password? Do you always decrypt all passwords or only the one which is requested? I know you use SQLCipher as backend. Does this mean that the whole database is always decrypted after unlocking Enpass?
Please let us know some details. This is very important, especially as long as no audit of Enpass exists.
Thanks in advance for your detailed explanation,
wachschaf