Almost Ultimate Password Management Guide for a Safe Digital Life (part 2)

Jean-Sébastien Gonsette
Jan 6, 2022 · 12 min read

In a nutshell, you will find here an advanced password management guide for those who want to reach the next level in terms of digital life security.

This article is also available on my blog.

Part 2

Critical Passwords Management

As mentioned above, there is one category of information that needs to be taken care of and that does not relate directly to an online account or to any piece of hardware. Having intrinsic value, and assuming that the password manager is not foolproof, it needs additional protection.

This is typically the case with a cryptocurrency wallet recovery phrase, because anyone holding it can empty your digital holdings. But there are other scenarios, and one of them involves a piece of data we have already covered above: the seeds of two-factor authentication applications such as Google Authenticator. If you store the password of an online account in the manager, you cannot store its two-factor secret in the same way in the same place, because if the manager were compromised, both would be disclosed at once and the second factor would no longer be a second factor.

We can thus imagine all kinds of critical information that must not sit in the password manager as-is. To find out what requires these extra precautions, it suffices to ask: “what would happen if someone could see the entire contents of my password manager? What could they do with it?”. The answer will then be obvious.

A first option, simple but one I do not recommend, would be to embed a secondary KeePass archive inside the main container. The second archive would store the critical information in an independent digital safe with its own key, so that an intrusion into the main container reveals nothing. Although this looks attractive, the approach has several flaws:

  • If the password manager contains a backdoor (the kind the NSA is sometimes suspected of trying to introduce where it can) or simply a bug, the second container is opened by the very same software and exhibits exactly the same weakness; it provides no additional protection.
  • Accessing this second container works exactly like the main one: you have to open it to access all of its content. But as we have seen, it is not possible to guarantee that there is no malware lurking, waiting for this moment to rob you. And since we are talking about much more sensitive data here, opening it on your primary computer would be very inappropriate. In other words, this second safe could only be handled on a computer secured with a solution like Tails. This makes it much less convenient to use, and we will see that a slightly more practical solution exists.

PGP Encryption With Kleopatra

OpenPGP is a non-proprietary data encryption and authentication format based on public key cryptography. The latter differs radically from symmetric cryptography in how keys are handled: instead of a single secret key used both to encrypt and to decrypt, two keys are needed, one public and one private. The public key can be known to everyone, because knowing it is not enough to recover what was encrypted with it. Decryption can only be done by the holder of the private key.

We can take advantage of this property to protect sensitive data before it is even stored in the password manager. First of all, because a different encryption layer is used, a flaw in the manager itself does not expose that data. Then, each new piece of information can be encrypted individually, and this operation can be carried out on any computer: using the public key requires no special precaution (only the plaintext being encrypted is exposed on that machine, for the duration of the operation). The only truly critical operation is the decryption of a piece of data with the private key, which must imperatively be carried out in a Tails session to be certain that it remains confidential.

Concretely, public key cryptography is used with the help of certificates containing, among other things, the pair of public and private keys. Since the private key must be kept secret, it is not stored as-is in the certificate. Instead, it is encrypted with symmetric encryption whose key is derived from a pass phrase chosen when the certificate is created. The certificate can then be used directly to encrypt any data, but knowledge of the pass phrase is required to decrypt it afterwards.

The free software Kleopatra, available on Linux as on Windows, allows you to create and manage such certificates, as well as to carry out the encryption and decryption operations. The first step is to create a certificate dedicated to the protection of sensitive data, which we save in the KeePass container. As explained above, a pass phrase has to be chosen to protect the private key. The easiest way is to reuse the derivation mechanism we devised to generate the salt on the Yubikey: applied this time to the master key, it yields a new code that is easy to regenerate and can serve as the pass phrase. Once the certificate has been created, it remains to save it in the password manager to be sure not to lose it (without it, the encrypted data cannot be recovered). Keep in mind what this construction rests on: someone who obtains the master key and knows the derivation procedure can regenerate the pass phrase, so the extra layer holds only as long as the derivation procedure stays secret and the pass phrase is never typed on an untrusted machine.

All these steps are illustrated in the red block of the drawing introduced above. Critical information can be seen passing into the PGP Encrypted block, which operates through a public and private key pair protected by a pass phrase generated from the master key. Once again, this mechanism provides strong passwords that can be easily recovered thanks to the knowledge of a simpler root code.

Tails

As presented above, Tails allows you to run a trustworthy OS on any computer from a bootable USB key, used exclusively in read-only mode. Tails is also amnesic: unless you deliberately enable its persistent storage, nothing from a session survives a reboot, so a session always starts from the same clean, trusted state. Extremely well documented, using Tails shouldn't be a problem for anyone, but it does require a bit of gymnastics and discipline. It is therefore best to reserve it for the management of critical data that does not need to be accessed often.

For example, if you manage your digital wallet recovery phrases on a computer, they must never touch an untrusted PC in any way. The procedure to be scrupulously applied to save this kind of information is then as follows:

  1. Copy your KeePass archive to a USB key;
  2. Launch a Tails session on your PC;
  3. Unlock the KeePass container on the USB key;
  4. Extract the certificate dedicated to sensitive data and add it to Tails;
  5. Write the sensitive information into a text file (inside the Tails session, so it only ever lives in memory);
  6. Use Kleopatra to encrypt this file using the certificate;
  7. Add the encrypted file to the KeePass container, for example as an attachment to a dedicated entry;

Then, before closing the Tails session, after which the unencrypted information is gone for good, it is essential to verify that it can indeed be restored with this same certificate and the pass phrase.

Technically, adding such encrypted information to the password manager can also be done without a Tails session. The only thing Tails adds is the assurance that the information cannot be stolen while it is in the clear. It all depends on what we are talking about; each case is unique, and it is up to you to judge the risk.

On the other hand, any decryption operation should only be performed in Tails, to be sure that the pass phrase is not stolen: if it is disclosed, all the data encrypted with the corresponding certificate is compromised.

Backup Copies

Unlike many other password management solutions, KeePass does not natively offer a mechanism to back up your data or to synchronize it across devices, beyond the basic File > Synchronize command that merges two copies of a database. This functionality is nevertheless essential to be sure never to lose your passwords, even if your computer equipment fails.

Fortunately, even if it is a little less practical, KeePass benefits from a wide range of optional plug-ins, some of which are dedicated to synchronization with the cloud. It is thus possible to synchronize the database with the usual file storage services such as Google Drive, OneDrive, Dropbox, etc.

The other option is simply to copy your KeePass archive by hand to an online file storage each time it is modified. But whatever the chosen method, it is legitimate to question the security of such an approach: is it really acceptable to put your password database online and expose it to all dangers?

The answer is a big yes, for several reasons. First of all, the container will not be directly exposed, since it is stored in a private space, and a place like Google Drive is, in practice, better protected than your home PC can ever be. Then, even if a malicious person does get their hands on your database, there is very little they can do with it. As long as the container remains encrypted, breaking in takes enormous computing power: KeePass derives the encryption key from the master password with a deliberately slow key derivation function (AES-KDF, or Argon2 in the KDBX 4 format), so every guess costs the attacker a noticeable amount of time. One small nuance, though: this is only true if you have chosen a strong master password. Otherwise, I invite you to read this article to change your mind on the question. Finally, this password archive has been built in such a way that reading its contents is not enough to directly access your various accounts, thanks to the mechanisms we have seen: splitting a password in two pieces, two-factor authentication, or additional encryption. All of this put together makes it extremely unlikely that anything could be stolen from you, at least digitally speaking.

Finally, you will need to rely on a friend to fully meet requirement 3, which states that all of your digital devices can be destroyed without consequence. If that does happen, you may no longer have access to the online file service where your password database is stored. It is possible to guard against this scenario by using the mailbox of an acquaintance to keep a backup from time to time. Simply send a message with the KeePass container attached and ask your recipient not to delete it. There is no need to spam your friends every time you change your data, because the purpose of this email is simply to get access to the online file service again.

Even if the security of an encrypted archive like the one created by KeePass is high, you might be reluctant to spread it widely and lose control over it. To be on the safe side, it is easy to encrypt the container before emailing it for backup. One option among others is to use Kleopatra, which offers symmetric encryption based on a password. The latter can be the pass phrase or another sequence derived from it. Then remove the file extension and give the file an unremarkable name. One caveat: the result is an OpenPGP message, and its first bytes are a standard OpenPGP packet header rather than random data, so anyone who runs a file-type check on the attachment will recognize it as PGP-encrypted data. Renaming the file hides the KeePass format and what the file is for, not the fact that it is encrypted; the actual protection still comes from the password.
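The backup encryption described above, as an added example with the gpg command line, which is what Kleopatra's password-based encryption drives. This is not the article's code: the file names, the pass phrase and the "container" (the real 8-byte KDBX signature followed by filler, not a database) are constructed for the demo. It also makes the caveat visible: the first byte of the backup is an OpenPGP packet header, not random data.

```shell
#!/bin/sh
# Added example, not from the article: password-based (symmetric) encryption of
# the KeePass container for the e-mail backup, done with the gpg command line,
# which is what Kleopatra's "encrypt with password" drives. File names, pass
# phrase and the container contents are constructed for the demo.

# One non-interactive gpg command inside a throw-away GNUPGHOME.
gpg_sym() {
  GNUPGHOME=$DEMO_HOME gpg --batch --yes --quiet --pinentry-mode loopback "$@"
}

# Encrypt $1 to $2 under pass phrase $3: AES-256 with an iterated, salted S2K at
# the maximum iteration count, so guessing stays slow if the backup leaks.
backup_container() {
  gpg_sym --passphrase "$3" --symmetric --cipher-algo AES256 \
      --s2k-mode 3 --s2k-digest-algo SHA512 --s2k-count 65011712 \
      --output "$2" "$1"
}

# Decrypt backup $1 to $2 under pass phrase $3.
restore_container() {
  gpg_sym --passphrase "$3" --output "$2" --decrypt "$1"
}

# First byte of a file as two hex digits: what a quick look at the attachment
# reveals. A KeePass database starts with 03 (KDBX signature); a gpg symmetric
# message starts with the OpenPGP packet header 8c (c3 in the new packet format).
first_byte() {
  od -An -tx1 -N1 "$1" | tr -d ' \n'
}

# Prints one line: original=<byte> backup=<byte> restore=<status> wrong-pass=<status>
demo_backup() {
  DEMO_HOME=$(mktemp -d); work=$(mktemp -d)
  printf 'allow-loopback-pinentry\ndefault-cache-ttl 0\nmax-cache-ttl 0\n' > "$DEMO_HOME/gpg-agent.conf"
  # Constructed stand-in for passwords.kdbx: the real KDBX signature bytes
  # (03 D9 A2 9A 67 FB 4B B5) followed by filler, not a real database.
  printf '\003\331\242\232\147\373\113\265' > "$work/passwords.kdbx"
  printf 'constructed filler, not a real KeePass database\n' >> "$work/passwords.kdbx"
  pass='backup pass phrase derived from the master key (constructed)'

  restore=mismatch; wrong=rejected
  # Unremarkable name and no extension, as the article suggests.
  backup_container "$work/passwords.kdbx" "$work/holiday-photos-2021" "$pass" || restore=encrypt-failed
  # A wrong pass phrase must be refused (tried first, so no cache can help it).
  if restore_container "$work/holiday-photos-2021" "$work/bad.kdbx" 'wrong' 2>/dev/null; then
    wrong=accepted
  fi
  if restore_container "$work/holiday-photos-2021" "$work/restored.kdbx" "$pass" &&
     cmp -s "$work/passwords.kdbx" "$work/restored.kdbx"; then
    restore=identical
  fi
  echo "original=$(first_byte "$work/passwords.kdbx") backup=$(first_byte "$work/holiday-photos-2021") restore=$restore wrong-pass=$wrong"
  GNUPGHOME=$DEMO_HOME gpgconf --kill gpg-agent 2>/dev/null
  rm -rf "$DEMO_HOME" "$work"
}

demo_backup
```

The printed line is the point: the backup no longer starts with the KDBX signature, the round trip restores a byte-identical container and a wrong pass phrase is refused, but the leading byte is still a recognizable OpenPGP header, which is why the name change only buys obscurity and the S2K settings and the pass phrase carry the real weight.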

Handover

If, for some reason, someone must be able to access your password archive should the worst happen, you will need to store your root code, the secret derivation mechanism and clear instructions in a safe. Your legatee must also be one of the people to whom you sent the email containing a backup copy. From there, all you have to do is find a way to give access to the safe to whoever you choose, if the situation calls for it; the best way is perhaps to go through a notary. In the meantime, your legatee is unable to use the email you sent, and someone who breaks into the safe can do nothing with the instructions alone, since the encrypted archive is not there.

Conclusion

It is good to sum up after these long explanations. The various stages of this methodology are listed below, classified in different categories. Again, there is no unique way to do this and everyone's needs are different, so not everything has to be kept and various steps can be adapted. The important thing is to consider all the worst scenarios and to prepare for them by having an appropriate response for each of them. To borrow a quote from Game of Thrones: “What we don't know is what usually gets us killed.”

Standard set up

  1. Get a Yubikey and a USB stick on which you flash Tails.
  2. Install the KeePass and Kleopatra software. On Tails they are provided straight away.
  3. Choose a root code and determine a secret derivation mechanism. This information should be remembered or put in the safe.
  4. Derive salt from the root code and from the derivation procedure. Program your Yubikey to generate it when you perform a long press.
  5. Create a new KeePass archive whose master key is given by: root code + salt.
  6. (Optionally), install a plug-in allowing the synchronization of the archive with an online file service.
  7. (Optionally), engrave the root code and the derivation procedure, then place them in a safe. Don’t forget to provide some instructions for the person for whom this information is intended.

Advanced set up

  1. Transfer your KeePass archive to a Tails session using a USB key.
  2. Generate the pass phrase using the master key and the derivation procedure.
  3. Use Kleopatra to create an encryption certificate. The private key must be protected by the pass phrase.
  4. Open the KeePass archive and add this certificate to it.
  5. Bring back the KeePass archive with the USB key.

Adding a Standard Password

  1. Ask yourself the right questions to find out if this password will include salt for added protection. The Yubikey key will then be needed.
  2. Ask yourself the right questions to know if this password will be random and impossible to remember without the manager, or if you will be using a mnemonic to be able to use it frequently.
  3. Add the password to your archive. If the password is random, let KeePass generate it for you.
  4. If this is an online account, enable two-factor authentication. The ideal is the Yubikey, Google Authenticator (or similar) duo. The first one for normal use, the second one in case of loss of the key. The Google Authenticator seed must also be saved in the KeePass archive and be treated as a critical password.
  5. (Optionally) if the Yubikey is enabled for two-factor authentication, remove this account from the Google Authenticator application.

Adding a Critical Password

  1. (Optionally), transfer your KeePass archive to a Tails session using a USB key.
  2. Open the archive and extract the encryption certificate to make it usable by Kleopatra.
  3. Use Kleopatra to encrypt the information with the certificate.
  4. (Optionally) and on Tails only, perform a test to verify that you can decipher the information using the pass phrase.
  5. Add the encrypted information to your archive.
  6. (Optionally), retrieve the KeePass archive with the USB key.

The decision whether or not to switch to Tails for adding such a password really depends on what is at stake. Many situations can afford to do without it.

Extracting a Critical Password

  1. Transfer your KeePass archive to a Tails session using a USB key.
  2. Open the archive and extract the encryption certificate to make it usable by Kleopatra.
  3. Extract the information to be decrypted from the archive.
  4. Generate the pass phrase using the master key and the derivation procedure.
  5. Decipher the information with Kleopatra and the pass phrase.

Restoration in the event of loss of some equipment

  • If you no longer have access to your KeePass archive, ask the acquaintance who keeps your recovery email to send it back to you. Decrypt the attachment, open the archive it contains, and use it to regain access to your online file service, where the latest version of the archive is stored.
  • If you have lost your phone and the double authentication it contained, recover them by extracting the seeds saved in the KeePass archive. This will enable to restore the two-factor authentication to the new phone.
  • If you have lost your Yubikey, you will need to remove it from each account that uses it as a second factor. To do this, make sure your fallback authentication is available in Google Authenticator. Then connect to each impacted account, remove the access based on the lost Yubikey, and replace it with a new key. For added security, you may also need to change the salt used in the master key and in any other password built with this technique: anyone who picks up the key can press it and read the salt it types. Concretely, this involves changing the root code and regenerating the passwords with the derivation procedure. It all depends on the circumstances of the loss and the risk that someone tries to use the key against you.
