Debian User Forums

dear friends, hello dear experts in this community.


Where would you recommend me to store the Keepass-file? This questions keeps to be a very important question to me. Well - for most of the use-cases usually i have all my personal documents in my cloud account.

The pro: i can access it from everywhere in the world. With any device.

But besides that i am not so sure if this is safe. Especially if it comes to such things like keepass: Some friends mentioned that it is not so safe:

Question; would it be safe to use the cloud for the keepass-file? Can i secure it even further, by adding another (extra) layer of security by encrypting the file.

the generalized question is this: How safe is it to store the keepass-file in the (wrong place) like in the cloud? What risks do I need to know about?

What can I do with the KeePass password file, there are several arguments to decide where to store it.
if the passwords are really, really important to someone, one should make the decision based on:

- the risk of the file being hacked - what can we do if we consider to get hacked
- what if someone may compromise the file
- is it preferable that the DB file not get in the wild,
- there may be more and other risks - which one do you take into consideration"?

What should i do - what can be done with the passwd.

can I secure it even further, by adding another extra layer of security by encrypting the file i am going to store in cloud storage online.


look forward to hear from you

yours say

I use a strong master password on the file. I make the local permissions limited to my account -- no access to group or other accounts. I transfer the file, when needed, via a local server and I don't leave a copy on the local server. A USB drive would work as well, perhaps better, depending on your usage.

I don't keep the app or data on my phone.

I used to use LastPass but I dropped that not for security concerns but for business model concerns. I anticipated loss of free service at some future point.

Hey!, Ello

I used to keep mine in the cloud (there might still be a very old copy there?) I've certainly thought about this. I ended up figuring, really safest place for all this stuff, is your head, what most will say as well, but obviously that's not always possible (I keep my tax return information and some emulator memory cards in mine). Make sure you have a really strong super random password on it and add the weird ones in it, Like " ~`^}|] " and not just the most used ones "@#$!" . It can actually be quite fun to remember strong passwords. Start small and work your way up adding to it from pieces of your life. Example: If your gonna jump from a plane, remember your plane number and add it to your password. You'll also take more of that experience with you Never use that password on anything else. Ever. And never tell anyone ever.

There is also a way to use a password and a key file (that you can put on a usb) as an extra layer of security. So you'd have to have both to unlock the file.

Maybe you could have the cloud DB (Passworded & usb key locked). And a backup file in a usb stick, or a CD hidden at your house somewhere? Maybe stick a only passworded one on a usb stick, throw it in a small box with those dry packets wrapped up in plastic bags and bury it in your back yard

or? Find an old phone, download the keepass app on it, and put the file there and completely break the internet service on it. Then just carry it with you instead of putting it in the cloud. Hide the keepass app with hidden apps app. What are the odds of someone stealing your phone and actually finding it there and breaking into that type of encryption? And if you did lose it, you'd still have a back up buried in your backyard updated every couple of months with a new file. Maybe find an old computer and restore it, and never turn it back online...ever....then only add passwords or update the data base from that comp and view only from that phone. (Break the wifi on it meaning hardware break) Although sounds quite dumb, I don't see how a keylogger could snag you if you did it that way? That would be your biggest enemy.

can I secure it even further, by adding another extra layer of security by encrypting the file i am going to store in cloud storage online.

I'm not sure about this one. Could look into that further if you'd like. Although...? If you encrypted it in a zip file or something(which I don't think that's a good idea at all, probably easily broken into), and someone actually found it and broke through that file, it might make them more determined to get through the next layer? (First layer break:Man! There's probably some Top Secret stuff on here!) (breaks through 2nd) (Dang it! All that for nothing! Let's at least sabotage these accounts!)

Also, I don't think it's a good idea to ever have any web browser remember any of your passwords for you if your really that worried.

Oh and by the way, all things will eventually be revealed, soooo that gut feeling of someone eventually finding you out....we allll have it

Just some thoughts

say_hello wrote:can I secure it even further, by adding another extra layer of security by encrypting the file i am going to store in cloud storage online.

makes sense to encrypt it if you must store it online.

Code: Select all

gpg -c --passphrase-file unlock --pinentry-mode loopback yourfile

unlock will be the file which should have the passphrase to encrypt yourfile.

KeePass encrypts the data file on your machine. I've had mine stored on Dropbox for years, without issues. Use a strong password, and you don't need to worry about others having access to it. If they want to use a few years of supercomputing power to crack it, it's possible, but that's unlikely. KeePass and its derivatives - KeePassX (mostly unsupported now) and KeePassXC (the best choice IMO) do all encrypting and decrypting locally. The database is never exposed off the local machine in plaintext. It's the same security as GnuPG, but more convenient and user-friendly.

Castle_Age wrote:I ended up figuring, really safest place for all this stuff, is your head

Agreed; as for now, this is the safest way for storing the passwords. However, there is one problem with this approach: safe passwords should be complex and unique - to protect You against dictionary attacks and profiling. It can be hard to remember tens of unique passwords used for various purposes, but there's an easy way to achieve this:
Instead of remembering exact passwords, try to create and remember a *method* for generating your passwords, f.e.:
Your name is Django, Your dog's name is Bastard ( ), Your bank is a Bank of Canaries, so the resulting password could be:
BBaasntkaorfdCDajnnaarnigeos
To enter such password, You start with "BastardDjango" and then injecting the letters from the string "BankofCanaries", by skipping every second letter from the "base" password string using cursor keys.

The trick is, that You don't have to store the passwords (f.e. in the cloud) - all You need is to create some clever rule to generate the passwords from strings which are easy to remember for You, within particular context.

Such passwords are 100% invulnerable to dictionary attacks, and when the components are wisely chosen, such passwords are also invulnerable to profiling (i.e. don't use the true name of Your dog )

Reusing passwords is a security risk. There is no possibility of my remembering hundreds of passwords for websites, credit card info, notes, and whatnot. I've been using a password safe for a very long time, since the days of the Palm Pilot. A carefully chosen password safe is, IMO, essential these days.

most secure

That password is too easy to guess. Much better to reverse it. Nobody would ever guess 654321. For passwords I need to remember, I tend to use words or phrases transliterated from another language, which uses a non-Roman alphabet. The transliteration can be creative if desired. Easy for me to remember, but difficult for a snooper to crack through a dictionary attack. It does require knowing at least a little of another language, though.

sgosnell wrote:Nobody would ever guess 654321.

so true this should be the new FIPS security standard.

sgosnell wrote:Reusing passwords is a security risk. There is no possibility of my remembering hundreds of passwords for websites, credit card info, notes, and whatnot. I've been using a password safe for a very long time, since the days of the Palm Pilot. A carefully chosen password safe is, IMO, essential these days.

I use same passwords for everything.. I learnt around 8 or 10 differentes passwords and always use the same ones... for not important accounts I use one of mines such as 12345 but with some letters.. for others accouts more important , I use one o two more complex with some weird characters intercaled like dots.. and for account banks or sensible main cloud accouts I use two or three long passwords I memorized it... and for others ones i dont need to memorized I use bitwarden password manager... even within bitwaden i try not give much information about the account , the nickname and the password.

I had your same dilemma with the keypasses files... in order to store them in the cloud.. , and the answer is in my opinion to use commun sense and stenography security... you can divide/cut your keepass-file in three files just like this.:

cat image1.png MyDecodeKeepassPassword.txt image2.txt > Keepassfile

this way you just store two different image files in cloud ( image1.png and image2.png) and keep in your mind a basic password... (MyDecodeKeepassPassword.txt) , this is perfect secure and very easy to do.. cos, they wont ever know your basic password (as MyDecodeKeepassPassword.txt), and they wont ever know which algortim do you use to compose your keepass.file... So , as you see, it was easier than what you thought

Its important to hace redundant backup clouds of your security keepass-file, cos if you delete them accindetally in the cloud or you lost the cloud account