jankkm

Master password unlocks all vaults


This is something I already mentioned on the macOS thread but since it is more about the general design of Enpass I decided to open a new thread about it.

It seems like with the support of multiple vaults you took the approach that 1password took as well to let the user unlock all his vaults with one master password which is the password of the primary vault. Am I right so far?

Now, I think for some users this might be a good solution but for me one  reason for using multiple vaults is that I want to have one or more vaults that I only want to unlock very rarely because the passwords are sensitive and/or not often used. The way that Enpass6 works now, it makes it a little better because I can sync my default vault and store the "sensitive" one only locally but I think you should give us, the users, more of a choice here.

I am very interested how others think about this.

4 minutes ago, chiwou said:

Does the other vault also unlock even with a different password?

No, only the password of the primary vault is able to unlock everything. The passwords of the other vaults seem to be stored encrypted with the password of the primary vault.

edit:

Sorry, I think I got you wrong, but my answer should still help. The vaults have different passwords, but if you unlock the primary vault, every vault is unlocked.

Edited by jankkm


It's happening with me also on Windows 10 that the master password is unlocking all vaults although the passwords for the other vaults are different. Please fix this issue, otherwise it's no use to have multiple vaults.


Hey @jankkm 

Thanks for the input.

I would like to share that Enpass 6 is designed to be used for a single user who is using different vaults to manage his personal and work data. So unlocking of other vaults with the Primary vault makes sense.

Further, it is only the Primary vault where the passwords of other vaults get stored so that you don't have to remember them, and that goes well with the purpose of Enpass. When you unlock the Primary vault, all other vaults get unlocked by fetching their passwords from the Primary vault. 

On 9/23/2018 at 10:09 PM, jankkm said:

The way that Enpass6 works now, it makes it a little better because I can sync my default vault and store the "sensitive" one only locally

For this, you can create a second vault and keep its sync disabled. You don't need to worry about the storage of its password in the Primary vault as it is encrypted with the master password of your Primary vault and no one can access it without the master password of the primary vault.

Thanks!

5 hours ago, Anshu kumar said:

Hey @jankkm 

Thanks for the input.

I would like to share that Enpass 6 is designed to be used for a single user who is using different vaults to manage his personal and work data. So unlocking of other vaults with the Primary vault makes sense.

Further, it is only the Primary vault where the passwords of other vaults get stored so that you don't have to remember them, and that goes well with the purpose of Enpass. When you unlock the Primary vault, all other vaults get unlocked by fetching their passwords from the Primary vault. 

For this, you can create a second vault and keep its sync disabled. You don't need to worry about the storage of its password in the Primary vault as it is encrypted with the master password of your Primary vault and no one can access it without the master password of the primary vault.

Thanks!

Thank you @Anshu kumar for clarifying that this is the way you want to go with Enpass.

I still don't agree that it makes sense in every case and also about not having to worry about security. With this design every vault is only as secure as the primary vault, passphrase-wise. You are right that I can disable sync for a vault, which means it is secure on the storage device/service I am syncing with, but on my PC/Mac I have to use a passphrase on the primary vault that is at least as secure as the passphrases of the other vaults if I don't want to sacrifice security.

I think this doesn't make sense because the passphrase of the primary vault is the one I have to type in very frequently so I don't want it to be too complicated and long but if the more complex passphrase of a separate vault is stored in that primary vault, again, the added security of the separate vault is gone (again, only locally).

Also I like to use the PIN after typing in the passphrase once which weakens security in favor of convenience. It would be irresponsible to do this if the security of every vault depends on that PIN.

I think it shouldn't be too hard to allow vaults that have to be unlocked individually and it would help a lot!

I hope you understand my concerns and think about this again. Especially considering that 1Password has exactly the same weakness and quite a few users who are unhappy with it (https://discussions.agilebits.com/discussion/56271/individual-unlocking-of-secondary-vaults-gone-in-1password-6).

Edited by jankkm
  • Like 1


I totally agree with Jankkm, please give us an option to unlock secondary vaults with their own passwords or with the master vault password.


I would argue that, as there is an option when creating a vault to store the vault password in the master vault (i.e. you can choose not to), and it is possible to delete the vault password entry later (and presumably also re-create it), automatic unlocking of secondary vaults should be based on which passwords are stored in the master vault.

I.e. if a secondary vault password is stored in the master vault, then that secondary vault is automatically unlocked; if the secondary vault password is not stored, then that secondary vault is not automatically unlocked.

Matthew
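
A minimal model of the unlock policy proposed in the post above, as an added example that is not part of the original post and is not Enpass code. The `Vault` class, `unlock_session`, the iteration count and all passwords are assumptions constructed for illustration; a secondary vault auto-unlocks only when its password has been saved in the primary vault.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this model


class Vault:
    """Toy vault: a salted PBKDF2 verifier plus, for a primary vault,
    the saved passwords of other vaults (readable only once unlocked)."""

    def __init__(self, name, password):
        self.name = name
        self._salt = os.urandom(16)
        self._verifier = self._derive(password)
        self._saved = {}  # vault name -> that vault's password
        self.unlocked = False

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, ITERATIONS)

    def unlock(self, password):
        # Constant-time comparison of the derived key with the stored verifier.
        self.unlocked = hmac.compare_digest(self._derive(password), self._verifier)
        return self.unlocked

    def save_password_for(self, other, password):
        self._saved[other.name] = password

    def saved_password_for(self, other):
        if not self.unlocked:
            raise PermissionError("primary vault is locked")
        return self._saved.get(other.name)


def unlock_session(primary, secondaries, primary_password):
    """Unlock the primary, then only the secondaries whose password is saved in it."""
    opened = []
    if not primary.unlock(primary_password):
        return opened
    opened.append(primary.name)
    for vault in secondaries:
        saved = primary.saved_password_for(vault)
        if saved is not None and vault.unlock(saved):
            opened.append(vault.name)
    return opened


# Constructed sample data: "work" opts in to auto-unlock, "sensitive" does not.
primary = Vault("primary", "short-daily-pass")
work = Vault("work", "work-vault-pass")
sensitive = Vault("sensitive", "long-rarely-typed-passphrase")
primary.save_password_for(work, "work-vault-pass")
```

In this model the strength of `work` is bounded by the primary password, while `sensitive` still requires its own passphrase.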


@Anshu kumar

I agree with @mdovey also, and strongly encourage some thought in providing the option to store vault passwords in the master vault or not, to provide better flexibility and security. Thanks for your consideration.


Yes, I very much agree: please consider changing this so that there is an option that the secondary vaults stay locked even after starting the program with the master password, until the secondary vault’s own password is entered.

As things stand now, it’s not entirely clear to me why there’s any advantage whatsoever to the app’s ability to give a secondary vault its own password.  

On 11/12/2018 at 2:31 AM, Anshu kumar said:

For this, you can create a second vault and keep its sync disabled.

So perhaps the advantage is that I can share a secondary vault but my limited research in the manual has left me with the impression that sharing the 2nd vault requires sending both the 2nd and master passwords but maybe I’m wrong.

Anshu, can you provide a simulated use example scenario showing, how things stand now, why the 2nd vault having its own password is useful?

Just as the writer who started this post, I want to be able to segregate data.  Ideally, not just in a separate vault but on a USB drive.  

I started to think that one (intended or otherwise) advantage of the app’s ability to give a secondary vault its own password, combined with the app’s ability to backup only selected vaults, would enable me to use the following not very desirable but still possible method to segregate data and keep it off my computer so that if I was somehow hacked, my most valuable passwords would not be exposed.   Not sure how much of a concern that is but obviously, as things stand now, if my master password is compromised, everything else is too.

Create sensitive data in a 2nd vault.   Backup the vault to a USB drive.  Erase the 2nd vault.   When needed, restore the 2nd vault.  

Most secure would be to unclick the box enabling saving the 2nd vault’s password in the primary vault, because otherwise someone wanting access to my 2nd vault data could get it if they had possession of the USB drive and my master password, even if they didn’t have the 2nd vault password, but by unclicking that option they’d also need the 2nd vault password.  

That is my understanding but hard for me to know for sure because when I went to test this I was very surprised to learn that “restore” and “local storage” seem to be as of now only available at the initial install of the app.  

Restore backup into the Enpass v6

  • If you already have some data in v6, you need to erase everything  (after taking a backup) from the Advanced settings of Enpass, or simply by uninstalling the Enpass on mobile devices.
  • Now you will be on the first welcome screen of Enpass v6, choose to restore Existing Data from Backup File → Local Storage and locate the downloaded backup

I very much hope the ability to restore without erasing everything is something that will be implemented soon!  

I hope that backup will eventually include the ability to selectively backup only new things created since the prior backup so that I can create a new secondary vault backup to a USB drive that combines those new things with the old things already on the USB drive, without having to restore or import the old things on the USB drive into Enpass first.

Thank you.


It would be nice to have an option to unlock all vaults or just the default one.

In my case it makes sense, because I store all my passwords in the default vault and my 2FA in a separate vault (because if someone gets my vault they still haven't my 2FA key).

Since I don't often use my second vault, it can stay locked to have more security.
