I noticed that the default installation uses the same template for all of the qubes, personal, vault, untrusted, work, etc. This is in fact exactly what I did, back in the day. I’ll amplify and expand on this (I hope you don’t mind, whoami). Of course another person came along who wanted a rabbit-hole guide, so I am glad you were here to answer this. This is precisely the rabbit hole I didn’t want to jump down with an (apparently) new user. Additionally, TemplateVMs will save you space should you ever wish to keep more than one AppVM with a keepass database file in it, so by default I will always choose to use TemplateVMs in Qubes OS. An AppVM’s private image is a much smaller backup, and having the ability to back up the TemplateVM and the AppVM separately is good flexibility that StandaloneVMs cannot provide. With that said, from the perspective of keeping regular Qubes backups small, I would recommend against using a StandaloneVM. However, KeepassXC was able and willing to open the database file, and, though I forget the particulars, after saving the file with KeepassXC, keepass2 was again able to open the database file and no data was lost as far as I could tell.
Keeping Qubes backups of the qube containing your database file can give you something to revert back to, but if you have an old copy of a keepass database file, then the process of data recovery from it is manual and you won’t necessarily know offhand which entries have stale password information and which ones have current information!

Furthermore, in the event of an actual database file corruption, the exact nature of the damage to the file matters, as the file can possibly be recovered without having to risk data loss by rolling back to an outdated backup.

An example that happened to me was that, while using Keepass2, Keepass2 had a fault of some sort and subsequently refused to open the database file, which was a problem because any rollback to an outdated backup would not bring back what I was losing. I had mentioned backups before, but it is also worth mentioning that there can be a risk of corrupting your keepass database file! You need to consider backup strategies very very carefully for a keepass database because a naive approach will lead to overconfidence and a lack of awareness of how much actual risk you have! I would only ever use a key file for something I didn’t care about and which I considered adequately secured through “obscurity” rather than actual secrecy, but I am not an expert and could be very wrong. I would suggest you understand that even with disposable VMs, traces of your key file may remain from a forensics standpoint, so I sincerely doubt the security of key files on general principle even if in practice they are unlikely to be compromised by such traces. Honestly I don’t bother with key files and cannot comment on what would be good practice for dealing with those though. These applications are also open source as well, so it is unlikely that they would vanish off the face of the earth, but backing up your TemplateVM is a good idea if you want to explore the model of what could go wrong with mismanagement of your secrets.
However, you will find that different applications have introduced extensions and nonstandard behavior that is not interoperable, so it would be beneficial to make note of what application you actually used and make sure you can always have access to it as well. Keepass itself is actually an open standard if I understand correctly, so the database files have fairly good interoperability between applications. In the case of a keepass database file, you can achieve that by making note of what keepass application you used to create the database file and what version string it was, and then also using Qubes’ backup feature to include the TemplateVM with that keepass application in a backup, not necessarily your regular backup, that you can later access if you need to. I would also add that there is an important concern for any use of encrypted secrets: you should make sure your encrypted secrets can be used by you 10 or 20 years from now. In terms of securing your usage of Keepass2 or KeepassXC, I would recommend the most important step is creating a separate TemplateVM and only using your keepass app of choice from AppVMs derived from that TemplateVM.

By isolating your keepass app’s TemplateVM from your other TemplateVMs you run less risk of accidentally exposing your keepass database file to risk.

As others mentioned, AppVMs you run any keepass-related application in do not need a network connection so remove that, and clipboard is sufficient for moving secrets out to other qubes for most usage.