Support unlocking the same database in multiple ways #11582

Open
1 task done
zyzhu2000 opened this issue Dec 21, 2024 · 2 comments · May be fixed by #10311
zyzhu2000 commented Dec 21, 2024

Have you searched for an existing feature request?

  • Yes, I tried searching

Brief Summary

Background

KeePassXC and compatible apps support several ways to unlock a database: 1) master password, 2) quick unlock, and 3) YubiKey. However, these methods of unlocking are not equally usable on different platforms. For example, it is both secure and convenient to use a long master password along with Quick Unlock on iPhones and Windows computers, because the long password makes the database secure while Quick Unlock with Face ID/Windows Hello uses the TPM to make unlocking fast and convenient without compromising security. By contrast, using the YubiKey with an iPhone is insufferable because its NFC interaction with the phone is extremely unreliable. Yet on a Linux platform, since there is no Quick Unlock backed by TPM, entering a long master password would be inconvenient while a short password would be insecure. Using a YubiKey with a short password achieves both security and convenience. The problem is that you can only choose to use the YubiKey or not use the YubiKey, and so you can only have a happy experience on certain platforms.

Proposed Solution

I propose that we make the same database unlockable by several different methods. In other words, the same database can have several master passwords, and some are used along with the YubiKey and some are not. I am not sure whether it is going to break the KeePass format, but theoretically the implementation seems easy -- we only need to encrypt the database with a randomly generated key, and then each master password can be used to encrypt this key. This means any master password can be used to decrypt the key, which can be used to decrypt the database.

Example

Encrypt the same database in two ways:

  1. Long master password
  2. Short master password + YubiKey

I can use #1 on iPhone and Windows, and #2 on Linux to work with the database securely and conveniently.

Context

No response
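
The key-wrapping idea in the post above, as an added example; it is not KeePassXC code, not the KDBX format, and not the approach taken in PR #10311. It uses only the Python standard library, with PBKDF2 plus XOR-and-HMAC standing in for a real key-wrap or AEAD primitive; `slot_keys`, `add_slot`, `unlock`, the iteration count and the hardware response bytes are all hypothetical.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumption for this example; tune for real use

def slot_keys(password, salt, hw_response=b""):
    """Derive a 32-byte wrapping pad and a 32-byte MAC key for one slot."""
    # Hash each factor separately so the two inputs cannot be confused.
    material = (hashlib.sha256(password.encode()).digest()
                + hashlib.sha256(hw_response).digest())
    okm = hashlib.pbkdf2_hmac("sha512", material, salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def add_slot(data_key, password, hw_response=b""):
    """Wrap the database key under one unlock method; fresh salt per slot."""
    salt = secrets.token_bytes(16)
    pad, mac_key = slot_keys(password, salt, hw_response)
    wrapped = bytes(a ^ b for a, b in zip(data_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unlock(slots, password, hw_response=b""):
    """Return the database key if any slot accepts the credentials, else None."""
    for slot in slots:
        pad, mac_key = slot_keys(password, slot["salt"], hw_response)
        expected = hmac.new(mac_key, slot["salt"] + slot["wrapped"],
                            hashlib.sha256).digest()
        if hmac.compare_digest(expected, slot["tag"]):
            return bytes(a ^ b for a, b in zip(slot["wrapped"], pad))
    return None

def demo():
    data_key = secrets.token_bytes(32)        # random key that encrypts the database
    token = b"constructed-hardware-response"  # constructed stand-in for a YubiKey reply
    long_pw = "constructed long passphrase for phone and desktop"
    slots = [add_slot(data_key, long_pw), add_slot(data_key, "short", token)]
    return {
        "long": unlock(slots, long_pw) == data_key,
        "short_with_token": unlock(slots, "short", token) == data_key,
        "short_alone": unlock(slots, "short") is None,
        "wrong": unlock(slots, "wrong password") is None,
    }

if __name__ == "__main__":
    print(demo())
```

With a layout like this the database is only as strong as its weakest slot, so the short password must never unlock without the hardware response. Deleting a slot does not revoke a database key that someone has already recovered; that requires re-encrypting under a new key.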

@droidmonkey
Member

This is already worked through this PR: #10311

I'll connect it to this issue

@zyzhu2000
Author

That's perfect. I may also have found a limited workaround using Automatic Database Opening.
