On 2017-05-09 14:54, cooloutac wrote:
> On Tuesday, May 9, 2017 at 1:40:03 AM UTC-4, Andrew David Wong 
> wrote: On 2017-05-08 23:47, cooloutac wrote:
>>>> On Tuesday, May 9, 2017 at 12:47:11 AM UTC-4, cooloutac 
>>>> wrote:
>>>>> On Sunday, May 7, 2017 at 12:33:54 PM UTC-4, 
>>>>> [email protected] wrote:
>>>>>> On May 7, 2017 10:39:22 AM CDT, Andrew David Wong 
>>>>>> <[email protected]> wrote:
>>>> On 2017-05-07 10:32, [email protected] wrote:
>>>>>>>>> On May 7, 2017 10:23:54 AM CDT, Andrew David Wong 
>>>>>>>>> <[email protected]> wrote: On 2017-05-07 10:10, 
>>>>>>>>> [email protected] wrote:
>>>>>>>>>>>> What benefit does this have over simply
>>>>>>>>>>>> using qubes-split-gpg-client-wrapper, like
>>>>>>>>>>>> done here:
>>>>>>>>>>>> https://github.com/kulinacs/pass-qubes It
>>>>>>>>>>>> seems like a lot of overhead for not a lot of
>>>>>>>>>>>> gain.
>>>>>>>>>>>> 
>>>>>>>>>>>> On May 7, 2017 9:50:26 AM CDT, "Manuel Amador
>>>>>>>>>>>> (Rudd-O)" <[email protected]> wrote:
>>>>>>>>>>>>> Building on the excellent pass 
>>>>>>>>>>>>> (https://passwordstore.org), it gives me 
>>>>>>>>>>>>> great pleasure to announce the initial 
>>>>>>>>>>>>> release of qubes-pass — an inter-VM 
>>>>>>>>>>>>> password manager and store for Qubes OS.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Check it out here!
>>>>>>>>>>>>> 
>>>>>>>>>>>>> https://github.com/Rudd-O/qubes-pass
>>>>>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> What are the advantages of either of these over the
>>>>>>>>> traditional Qubes model of having a normal password
>>>>>>>>> manager in a vault VM and using the inter-VM
>>>>>>>>> clipboard to copy/paste passwords out of it?
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> I prefer Pass because it uses GPG for encryption, 
>>>>>>>>> meaning I can manage fewer secrets overall (as it 
>>>>>>>>> backends into my normal GPG key) and then track my 
>>>>>>>>> password files in git. To do this with the 
>>>>>>>>> traditional Keepass method, you either need to
>>>>>>>>> back up the password database somewhere secure or 
>>>>>>>>> remember another password for it.
>>>>>>>>> 
>>>> 
>>>> Why not just back up the entire vault with qvm-backup?
>>>> 
>>>>>> 
>>>>>> Git has less storage overhead (as you're backing up a 
>>>>>> bunch of text files, not an entire VM), allows proper 
>>>>>> versioning, so it is trivial to see your passwords at a 
>>>>>> point in time, and can be used cross platform if you 
>>>>>> choose to keep your GPG key on another system.
>>>>> 
>>>>> I just back up the database file. It's encrypted.
>>>> 
>>>> I don't think backing up the whole vault is a good idea if 
>>>> you don't have to.
>>>> 
> 
> Why? No need to encrypt the database file if the whole VM is 
> encrypted. Also, if your database file doesn't use authenticated 
> encryption, that's another thing to worry about. You may also worry
> about file-level metadata leakage.
> 
> 
> The database file is automatically encrypted.  I just feel like the 
> vault is more likely compromised than the file if something is.  But
> I could be wrong.  Plus way less space.
> 

I don't see any basis for that reasoning. The files in an AppVM are
only as safe as the AppVM itself, unless the VM is used only for
storage or something.

If the vault VM is compromised, then the encrypted database file in
the vault is only safe as long as it remains encrypted. An attacker
who can compromise your vault can set a trigger that waits for you to
decrypt the database the next time you want to use it, then grab the
passphrase, decryption key, or the whole decrypted database.

> I think when we have paranoid mode it will be better.
> 

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
