KMyers Posted January 1, 2017
Good Morning, I know a few of us are using OwnCloud or NextCloud to host our password bank; it would be amazing if there was an OwnCloud/NextCloud Enpass Application to allow us to access our password bank without the need to install any software. This would be ideal for users who cannot install software (such as in a "High Security" Corporate Setup) or for those who are not using a computer they control. I know someone ported KeePass's KeeWeb to an OwnCloud app and it works, but not well enough to be my default password manager.
Vinod Kumar Posted February 17, 2017
Hi all, Thanks for bringing up this topic. The Enpass encrypted data file is a SQLCipher database. It is not possible to decrypt it without native SQLCipher support in the browser. And as far as I know, none of the modern browsers provides a native implementation of SQLCipher.
yce Posted March 1, 2017
The browser doesn't have to support it; ownCloud/nextCloud is based on PHP, and it is possible to include SQLCipher in PHP as described here: https://www.zetetic.net/sqlcipher/sqlcipher-for-php/
Vinod Kumar Posted March 2, 2017
@yce Transferring your master password or a derived key to the server is a very bad idea (which is required in the case of SQLCipher for PHP). It is best to do any encryption/decryption related stuff in a native app. If that is not a choice, the next best would be to encrypt/decrypt on the client side with JavaScript. The user can be authenticated with the server without sending the master password, using a Secure Remote Password like protocol, and the encrypted data can be fetched from the server and decrypted in JavaScript.
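Added example, not part of the original posts and not Enpass code: a sketch of the client-side approach described in the post above, where the key is derived and the vault decrypted on the client while the server only stores an opaque record. PBKDF2 with AES-256-GCM stands in for SQLCipher, Node's built-in crypto stands in for browser JavaScript, and `BlobServer`, the iteration count and the sample vault are assumptions made for illustration.

```javascript
// Added example: Node's built-in crypto stands in for the browser's Web Crypto API.
const crypto = require('node:crypto');

const KDF_ITERATIONS = 200000; // assumed work factor for this sketch

// Derive a 256-bit key from the master password. Runs on the client only.
function deriveKey(masterPassword, salt) {
  return crypto.pbkdf2Sync(masterPassword, salt, KDF_ITERATIONS, 32, 'sha256');
}

// Client side: encrypt the vault and return the record that gets uploaded.
function sealVault(masterPassword, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Client side: decrypt a downloaded record.
// Returns null when the password is wrong or the record was modified.
function openVault(masterPassword, record) {
  const key = deriveKey(masterPassword, record.salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, record.iv);
  decipher.setAuthTag(record.tag);
  try {
    return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // GCM tag check failed
  }
}

// Hypothetical server: stores and returns opaque records, never a password or key.
class BlobServer {
  constructor() { this.records = new Map(); }
  put(user, record) { this.records.set(user, record); }
  get(user) { return this.records.get(user); }
}

// Constructed sample data: upload, download, then open with right and wrong passwords.
function demo() {
  const server = new BlobServer();
  const master = 'correct horse battery staple';
  server.put('alice', sealVault(master, '{"example.org":"s3cr3t"}'));
  const record = server.get('alice');
  return {
    opened: openVault(master, record),
    wrongPassword: openVault('not the password', record),
    serverSawPassword: Buffer.concat(Object.values(record)).includes(master),
  };
}
```

Authenticating the user to the server (the SRP-like step mentioned in the post) is a separate exchange and is not shown here.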
yce Posted March 6, 2017
Yes, if the service is on an HTTPS protocol then there shouldn't be any problem sending the master password to the server. But it would also be possible to add extra security by encrypting the master password with a public key on the client side (JavaScript) and decrypting it with a private key on the server. By doing so, an attacker couldn't gain access to the master password even if it's not on a secure connection.