Ivarson

https://www.enpass.io/docs/manual-desktop/security.html#clear-clipboard

Like in this instance, what's the cause and what's the purpose of suspending sync demanding "approval" hidden in the vaults settings. The same amount of items, only that the cloud-vault was changed from another source, which is the whole point of sync. And the same now has to be done on other Enpass-installations sharing that vault. See the "red" ring around the icon next to the vault-name? me neither.

That limit is to support very small dataset for free, it's probably not a priority for Enpass to allow user to provide configuration for that, it would require database-scheme upgrade for all users just to support free users. Having more than 20-25 items is meant to lead to subscription

There's a clear warning when there's no internet access and sync fails, a red banner at the top. But when there's a sync conflict in a vault, there's only a red spinner top left that flashes vaguely in red. In Android app it's even hidden until you use the flyout menu. If I where to get my parents to use Enpass, they would never even notice that and their vaults wouldn't be synced. I don't even understand why the user has to intervene here, and press "Merge" since there are no options. But if it's needed at least make it pop out

There seems to be a glitch in Enpass, where it doesn't lock during System Lock (Win-key + L) even it the setting is applied as shown below. The bug occurs (for me) only if I initially unlock Enpass through the Helper Window in System tray. If I initially unlock via the main Windows, the "System lock" works as expected. Enpass 6.7.4 (934) Windows 11 21H2 Fulltime Windows Hello-activated

Depends on your personal circumstances and preferences, but you won't have to input your password nor have the keyfile persistently available which reduces the risk for keyloggers or exfiltration of the keyfile. But your computer still needs to be secured of course, and while the tpm guarded password would be tied to your one computer, keeping it physically secured and prevent people from looking over the shoulder becomes more important as a simple 6 digit code could log you on to the computer and also access Enpass. Enpass themselves wouldn't "recommend" it, I assume this is because they can't guarantee the functionality for Hello since it's a windows function, Enpass merely uses it. But if your password and keyfile are safely stored you should be fine. But I would recommend that you occasionally try to unlock with password +keyfile to ensure function.

The keyfile is part of the encryption and decryption of the primary vault, hence it needs to be present all the time. Worth to mention that any additional vault using a keyfile will save that password AND key file in the primary vault. Also, a virus that's gotten foothold in your box means your pretty much toast anyway, but to make it a bit harder you should read my post here Just make sure you still store the key file safely as it will still be needed, it just doesn't need to lay around..

Exports shouldn't be done if you're not switching password manager. I would simply create a new vault, set it up with a dedicated cloud sync, and then copy items from all vaults there. If you've been good and using unique passwords everywhere you'll also be able to spot potential duplicates via Audit > Identical Passwords

On desktops, there's a option to backup vaults automatically. So if you're a mobile + desktop user you're covered. However in the mobile apps there's only possibility to backup manually. Phone-only users therefore has an increasing risk of non-recoverable situations if something happens, could be them doing stuff wrong or you end up scrambling the vaults. Synchronization is not a backup. Please add scheduled /auto-backup in mobile apps

... and away

I understand this, what I'm saying is that you're missing a point with what Hello can achieve. Conscider this; I am an 'advanced' user on Windows-device. I set whatever security i can for my Enpass, a master password with fairly high entropy and a Key-file. I activate Windows Hello with full compatibility (TPM 2.0). I make sure to have a second copy of the keyfile stored safely (maybe on a USB-drive locked into a safe, or whatever) as well as remembering the master password. I make sure any local copies of the keyfile is deleted. Now Enpass is limited to Windows Hello's framework and the 'masterpassword' is safely stored in the computers TPM and can't be extracted. Anything above everyday operations, like changing passwords, exporting vaults would indeed require that keyfile + masterpassword. The keyfile on the other hand would have much higher risk of being compromised, copied or stolen etc. It's not a revelation, i just think people should be aware that the keyfile shouldn't be needed atrest permanently on a Windows-device as long as you have it stored safely somewhere else. This is a upside especially until you've implemented Yubikey-support (a real secure element), if that's still on the roadmap..

When on a Windows-device with compatible TPM and the Hello-integration is turned on, it is possible to delete the Keyfile with the effect that only Windows Hello authentication will be possible. I am positive by that finding, and believe it could be highlighted in the manual or something (couldn't find it in https://www.enpass.io/docs/manual-desktop/Enpass-Desktop.pdf, it only seem to reflect quick unlock with TPM) The keyfile of course still has to be stored somewhere safe, but it doesn't have to reside or be visible to the target machine during everyday usage. that's a huge security benefit if you're using Hello anyway IMHO.

Keepassxc-style HMAC1 challenge/response for the win!

I don't get why this hasn't been done way back. Especially for a software being developed behind closed curtains this is the only way to keep users up2date with expectations as well as letting them steer direction. I've suggested this over two years back and it's probably in the forums here as well

What Enpass Beta are you after? From what I can see, there's no beta version newer than the Stable enpass release (Stable 6.7.4, Beta 6.7.2) Not using that repo myself, are they not up to date? https://www.enpass.io/support/kb/general/how-to-install-enpass-on-linux/

Is this any closer than on a to-do-list?

The version available on Microsoft Store uses a modernized icon, should you be able to use that.

Totally off-topic, but what are those applets called showing your network\cpu\mem-stats in system tray?

That feature has been in Enpass for quite some time.. https://www.enpass.io/docs/manual-desktop/share.html

I know. But still.. it worked without any noticeable glitch when I used it (before it was completely disabled). It would be one thing if only provided UWP /Modern theme for windows but since your shipping Enpass with classic and modern theme engine, I'd be thrilled if you could provide light /dark color schemes for both. Thanks

Can this be reconscidered? I really fancied the Classic theme with dark mode. being on multiple desktop platforms it also feels nice to have the same UI

nope, the developers decided that one vault should be the entry point for any additional vaults. It's a bit odd design and assumes that a user _always_ has and wants a primary vault to be opened prior to any additional. it does speed up the flow of unlocking if you're having many vaults since you only have to explicitly unlock the primary vault, while it might not be saught after to upon your personal vault to reach eg. company shared vaults. To open vaults individually, the easiest method today is to run the portable version, choose not to save the vault-paths, and then use the Browse-button upon each launch of Enpass Portable, albeight a pretty clunky method. I'd advice you to post a feature request (if you haven't done that) if you want this to be easier.

Yes. Sync is gonna work fine. You'll loose some audit stuff like breach detection and 2fa checks

That's a nice digging from your side, thanks for sharing.

Assuming you are actually syncing the same vault and its visible in Enpass, the Automatic sync is triggered like 5 seconds after you've changed an item. There's also some auto-sync when Enpass is opened, like 30 seconds maybe (not sure).. If you want to sync manually on a Windows PC, you can hit Ctrl+J or find "sync now" in the apps menu.. If the other dude set Enpass not to show up in the System tray and closes Enpass too quick after editing an item, then indeed they won't have time to sync..