[Please don't top-post.]

On 2017-01-26 20:21, [email protected] wrote:
> I think it would be not very practical to have keepass database in
> the vault

I disagree. I've personally found it extremely practical after years of daily use.

> and it should be secure to keep it together with the browser if you
> encrypt it with a keyfile and a password. On the other hand, the
> keyfile should be in a secure place and then maybe it would make
> sense to have something like GPG split.
>

No, because if that BrowserVM is ever compromised, then the next time you supply your password+keyfile, it has permanent access to the entire database. This also limits the database to that single BrowserVM.

> What do you guys think? Does this make sense to you?
>

I agree with Marek and Joanna. The standard model of having a password manager in a VaultVM and using the inter-VM clipboard is superior. It allows you to selectively expose individual passphrases to particular VMs of your choosing without ever having to expose the whole database. It's time-tested and works well.

> On Thursday, 8 January 2015 07:27:04 UTC-2, Joanna
> Rutkowska wrote:
>> On 01/08/15 01:33, Marek Marczykowski-Górecki wrote:
>>> On Wed, Jan 07, 2015 at 04:00:30PM -0800, Eric Shelton wrote:
>>>> I am curious how people are making effective use of Keepass
>>>> in a vault domain. It seems like with a browser plugin, you
>>>> might be able to take a Split GPG type of approach, and avoid
>>>> all of the cutting and pasting across domains. Any comments
>>>> or suggestions?
>>>
>>> Personally I use manually Ctrl-C + Ctrl-Shift-C, then
>>> Ctrl-Shift-V + Ctrl-V. After some time it is very fast in
>>> practice.
>>>
>>> Using some Split GPG approach would require either:
>>> a) some policy which VM can get which password - this can be somehow
>>>    complex and error-prone in more advanced setups
>>> b) separate vault VM for each browser VM; which is almost the same as
>>>    simply password stored in that browser
>>>
>>> Note that, unlike GPG case, when you give a VM access to some
>>> password, it can freely steal it and send wherever it wants.
>>>
>>
>> Yeah, I don't see much benefit in using the split model for
>> something like passwords. It really makes sense for asymmetric
>> crypto or other challenge-response protocols.
>>
>> joanna.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
