Load attached key file from Keepass entry

Issue #19 new
Jan Mattfeld created an issue

It would be nice to be able to select a TrueCrypt key file which is attached to the Keepass entry.

I secure my TrueCrypt containers with password and key file. The password is of course stored in a Keepass entry. The key file is attached to that entry. To open the container I have to extract and save the key file out of Keepass to select it in the mount options of your plugin.

This workflow is rather inconvenient and less secure. So a dropdown list to select an attached file as key file would be really appreciated.

Comments (5)

  1. Johannes den Boer

    I have already discussed my opinion on that in issue 8. I think adding the keyfile to the password database defeats the purpose of the keyfile. It is a keyfile because it is separate from your passwords, a file that should be in place on a specific location in your filesystem to open the volume. If a hacker is able to steal your volume and database and crack the latter, he still has to get some file out of your filesystem elsewhere. That is the reason I didn't implement the keyfile loading from database in my commit.

  2. Jan Mattfeld reporter

    I cannot imagine a situation where an attacker gets both, my TrueCrypt container and a cracked version of my database, without also gaining access to my key file.

    It is also possible to use any file as a key file and hide it this way. I don't like that. What you had in mind is perhaps the use of a key file on a token or smart card? Those would be situations where an attacker has difficulty gaining access to the key file and/or copying it.

    However, I like two other advantages of key files:

    • They can be much more complex than a password. Hence they are much more difficult to attack via brute force.
    • They are immune to key loggers. (Although the auto-type obfuscation feature is nice)

    So it could be useful to combine password and key file inside a KeePass entry or even use a key file alone.

  3. Nicolai Fröhlich

    I'm totally in favor of this feature!

    It's up to the user to store the keyfiles inside or outside of the database ...

    ... but this would offer the opportunity to use a keyfile (that's kind of more secure than a password due to its greater entropy) and still manage TrueCrypt from KeePass.

    Further, it prevents keylogger attacks that might log KeePass's password-pasting.
