Unlocking KeePass with a SmartCard
2019-02-24
KeePass is great. I use it a lot.
I'm a bit paranoid, so my master passphrase tends to be (very) long.
Now that I have a USB SmartCard, it would be convenient (and more secure) if I could use it to unlock my KeePass database, instead of typing my whole master password each time for all kinds of key-loggers to record...
KeePass does not support using a certificate out of the box, but it can be done with plugins.
Unfortunately, none of the existing plugins do exactly what I want.
Some need the private key of the certificate to be exportable (then why bother using a hardware secure element?).
Some use a signature as a secret. (I'm not a crypto expert, but signatures are not designed to do that. This is probably not a good practice...)
And most of all, all the solutions I reviewed are additive, which means that the certificate can only be used as a part of the composite master key used by KeePass to protect the database.
It's not possible to use either a passphrase or a certificate on its own to unlock the database.
So I created my own plugin...
Introducing: KeePass Certificate Shortcut Provider
This plugin allows you to open your database using either a master password OR an X.509 certificate.
The provider generates a .cspkey file (Certificate Shortcut Provider Key) containing the master password encrypted with the public part of an X.509 certificate.
When the provider is used, it decrypts the master password using the private part of the certificate, and returns it to KeePass.
This way, it's possible to easily open the database using only a certificate.
If required—on a KeePass version without plugins, like Android—the database can always be opened using only the master password.
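The two steps described above, as an added illustration that is not the plugin's own code: the .cspkey creation step needs only the certificate's public key, while the unlock step is the single operation that needs the private key (the part a smart card would perform on-card). The example stands a software-generated RSA key and self-signed certificate in for the card, uses RSA-OAEP with SHA-256 as the wrapping scheme, and uses a constructed OAEP label; none of these choices are taken from the plugin, and the real .cspkey format is not reproduced here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// oaepLabel is a constructed, example-only OAEP label; encrypt and decrypt must agree on it.
var oaepLabel = []byte("cspkey-demo")

// MakeDemoCertificate builds a throwaway RSA key pair and a self-signed X.509
// certificate. In the real setup the private key lives on the smart card and is
// never exportable; a software key stands in for it here so the example runs offline.
func MakeDemoCertificate(bits int) (*x509.Certificate, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "cspkey-demo"}, // constructed subject
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, priv, nil
}

// MaxPassphraseBytes reports how many plaintext bytes RSA-OAEP with SHA-256 can
// wrap under this certificate's key: modulus size minus 2*hash size minus 2.
func MaxPassphraseBytes(cert *x509.Certificate) (int, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return 0, errors.New("only RSA certificates are supported")
	}
	return pub.Size() - 2*sha256.Size - 2, nil
}

// EncryptMasterPassword is the "create the .cspkey" step. It needs only the
// certificate (public key), so it can run on any machine without the card.
func EncryptMasterPassword(cert *x509.Certificate, masterPassword []byte) ([]byte, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("only RSA certificates are supported")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, masterPassword, oaepLabel)
}

// DecryptMasterPassword is the "unlock" step: the only operation that needs the
// private key. A smart card would perform this decryption on-card and return the
// plaintext, which the provider then hands to KeePass as the master password.
func DecryptMasterPassword(priv *rsa.PrivateKey, cspkey []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, cspkey, oaepLabel)
}

// Roundtrip wires both steps together and returns the recovered master password.
func Roundtrip(bits int, masterPassword string) (string, error) {
	cert, priv, err := MakeDemoCertificate(bits)
	if err != nil {
		return "", err
	}
	cspkey, err := EncryptMasterPassword(cert, []byte(masterPassword))
	if err != nil {
		return "", err
	}
	recovered, err := DecryptMasterPassword(priv, cspkey)
	if err != nil {
		return "", err
	}
	return string(recovered), nil
}

func main() {
	pw, err := Roundtrip(2048, "correct horse battery staple") // constructed sample passphrase
	fmt.Println(pw, err)
}
```

One practical caveat this makes visible: a single RSA-OAEP operation can only wrap a plaintext a little shorter than the modulus. With SHA-256 that is 190 bytes for a 2048-bit key and only 62 bytes for a 1024-bit key, so a very long passphrase either needs a larger key or a hybrid scheme (wrap a random symmetric key with the certificate and encrypt the passphrase under it). Decrypting with the wrong private key, or with a tampered blob, fails as an OAEP padding error rather than yielding garbage, which is the behaviour you want from the unlock step.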
Is it secure?
It should be.
If you use a certificate with a strong enough key (an RSA key of at least 1024 bits is recommended), the limiting factor should be the strength of your master password.
If you think otherwise, please contact me...
What kind of certificates can I use?
For now, only RSA certificates are supported.
What does it look like?
Where can I get it?
- The source code is here: github.com/mlaily/KeePass-CertificateShortcutProvider
- The latest compiled release is here: github.com/mlaily/KeePass-CertificateShortcutProvider/releases/latest
Any feedback is appreciated.