Ivarson Posted February 23, 2022

When on a Windows device with a compatible TPM and the Hello integration turned on, it is possible to delete the keyfile, with the effect that only Windows Hello authentication will be possible. I am positive about that finding, and believe it could be highlighted in the manual or something (couldn't find it in https://www.enpass.io/docs/manual-desktop/Enpass-Desktop.pdf; it only seems to cover quick unlock with TPM).

The keyfile of course still has to be stored somewhere safe, but it doesn't have to reside on or be visible to the target machine during everyday usage. That's a huge security benefit if you're using Hello anyway, IMHO.
Manish Chokwal Posted February 25, 2022

Hello @Ivarson,

On 2/23/2022 at 3:37 PM, Ivarson said:
"When on a Windows device with a compatible TPM and the Hello integration turned on, it is possible to delete the keyfile, with the effect that only Windows Hello authentication will be possible."

Enpass uses a keyfile to add another layer of security. It appends the characters in the keyfile to the master password and uses them together to encrypt your data. On the other hand, Windows Hello is just another method to access Enpass data. Also, I have noted your request to highlight this in the user manual.

In addition, if you have already created a keyfile for your master password, it will be my strong advice never to delete it, even if you have Windows Hello activated. The reasons are:

In case Windows Hello does not work for some reason, you will need to enter the combination of the master password and the keyfile.

If you wish to change your master password in the future, the keyfile will be required.

If you choose to remove the keyfile permanently, the next time you log in to Enpass, e.g., using the master password or Windows Hello, it will require a keyfile.

On 2/23/2022 at 3:37 PM, Ivarson said:
"The keyfile of course still has to be stored somewhere safe, but it doesn't have to reside on or be visible to the target machine during everyday usage."

A keyfile is asked for while logging into Enpass, and it is not mandatory to store it on the target machine only. It can be kept in any location you choose, such as a pen drive, an email, or a cloud account, not necessarily on the target machine.
Ivarson Posted February 25, 2022 (Author)

I understand this; what I'm saying is that you're missing a point about what Hello can achieve. Consider this: I am an 'advanced' user on a Windows device. I set whatever security I can for my Enpass: a master password with fairly high entropy and a keyfile. I activate Windows Hello with full compatibility (TPM 2.0). I make sure to have a second copy of the keyfile stored safely (maybe on a USB drive locked in a safe, or whatever) as well as remembering the master password. I make sure any local copies of the keyfile are deleted.

Now Enpass is limited to Windows Hello's framework, and the 'master password' is safely stored in the computer's TPM and can't be extracted. Anything above everyday operations, like changing passwords or exporting vaults, would indeed require that keyfile + master password. The keyfile, on the other hand, would have a much higher risk of being compromised, copied or stolen, etc.

It's not a revelation; I just think people should be aware that the keyfile shouldn't be needed at rest permanently on a Windows device as long as you have it stored safely somewhere else. This is an upside, especially until you've implemented YubiKey support (a real secure element), if that's still on the roadmap.
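To make the two posts above concrete, here is an added toy model of the workflow they discuss: the keyfile bytes appended to the master password before key derivation, a device-bound quick-unlock path that hands back the vault key without either secret, and a password-rotation path that needs the keyfile again. This is example code written for this thread, not Enpass's code or its real vault format; the PBKDF2 step, the iteration count, the one-time-pad "sealing" in DeviceBoundUnlock and all sample values are assumptions made for illustration.

```python
"""Toy model of 'master password + keyfile' key derivation with a device-bound
quick-unlock path. Illustrative only: not Enpass's actual scheme or KDF."""
import hashlib
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # constructed value; real products tune this


def derive_vault_key(master_password: str, keyfile: bytes, salt: bytes) -> bytes:
    """Derive the vault key from the master password with the keyfile appended.

    The thread states that the keyfile characters are appended to the master
    password; wrapping that in PBKDF2-HMAC-SHA256 is an assumption of this example.
    """
    secret = master_password.encode("utf-8") + keyfile
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS, dklen=32)


class DeviceBoundUnlock:
    """Stand-in for a TPM-backed Windows Hello credential.

    It stores the vault key wrapped under a device secret that never leaves this
    object, so everyday unlock needs neither the password nor the keyfile.
    """

    def __init__(self) -> None:
        self._device_secret = secrets.token_bytes(32)  # models a TPM-resident key
        self._wrapped_key: Optional[bytes] = None

    def enroll(self, vault_key: bytes) -> None:
        # XOR with a fresh 32-byte device secret is a one-time pad: fine for a toy,
        # whereas a real TPM seals the blob under a key bound to the device.
        self._wrapped_key = bytes(a ^ b for a, b in zip(vault_key, self._device_secret))

    def unlock(self) -> bytes:
        """Everyday unlock: returns the vault key without any user-held secret."""
        if self._wrapped_key is None:
            raise RuntimeError("device unlock not enrolled or has been revoked")
        return bytes(a ^ b for a, b in zip(self._wrapped_key, self._device_secret))

    def revoke(self) -> None:
        """Models Hello breaking or being reset: the quick-unlock path disappears."""
        self._wrapped_key = None


def change_master_password(old_password: str, keyfile: bytes, salt: bytes,
                           new_password: str, device: DeviceBoundUnlock) -> bytes:
    """Rotation path: needs the keyfile again, then re-enrolls the device unlock.

    Returns the new vault key. Raises ValueError if the old password + keyfile do
    not reproduce the key the device currently holds.
    """
    if derive_vault_key(old_password, keyfile, salt) != device.unlock():
        raise ValueError("old master password or keyfile incorrect")
    new_key = derive_vault_key(new_password, keyfile, salt)
    device.enroll(new_key)
    return new_key


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    salt = b"\x01" * 16
    keyfile = b"constructed-keyfile-contents"
    key = derive_vault_key("correct horse battery", keyfile, salt)

    hello = DeviceBoundUnlock()
    hello.enroll(key)
    # The local keyfile can now be deleted; daily unlock comes from the device.
    assert hello.unlock() == key
    # Without the keyfile the password alone yields a different (useless) key.
    assert derive_vault_key("correct horse battery", b"", salt) != key
    # If Hello stops working, recovery needs both secrets from the safe copy.
    hello.revoke()
    assert derive_vault_key("correct horse battery", keyfile, salt) == key
    print("toy model behaves as described in the thread")
```

The revoke() branch is the failure mode Manish warns about: once the device path is gone, the only way back to the vault key is the master password plus the backup keyfile, which is why Ivarson's setup keeps a second copy off the machine.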
Manish Chokwal Posted February 28, 2022

Hello @Ivarson,

Thank you for your suggestions. I have shared them all with the concerned team for further consideration. Your patience is highly appreciated here.