![]() Investigate Intel SGX (encrypted memory enclaves) only available for Windows and Linux (unofficial).Investigate Trusted Platform Module (TPM) to encrypt/decrypt sensitive memory.Use sandboxing on platforms where supported.We are currently exploring these methods to enhance memory security: We are looking into this possibility for the future. MacOS does have support for sandboxed applications, but KeePassXC currently does not take advantage of this. MacOS has similar protections to Linux: disabling the use of ptrace and core dumps. If you are concerned with memory attacks, we recommend using these distributions. The AppImage distribution can be further secured by running it in FireJail. The Snap and Flatpak distributions of KeePassXC run in their own sandbox (on Ubuntu) which significantly increases their memory security. Due to the significant variety in different Linux distributions, we encourage you to ensure their kernel is compiled and run with sufficient protections to process memory. This prevents anyone, except the root user, from accessing the memory of the process. KeePassXC prevents the use of ptrace and generation of core dumps. KeePassXC also cannot prevent data extraction from a hibernation file which stores your computer’s memory to disk when going to sleep. KeePassXC currently does not encrypt data in memory, but we do explicitly clear sensitive data from deleted data structures (so far as the operating system’s memory management allows). Process Hacker KeePassXC Process Hacker KeePass Our memory protections can be readily tested by using Process Hacker as shown in the following screenshots comparing KeePassXC to KeePass: (Note: it is not possible to prevent an administrator from accessing memory) We also disable “core dumps” which can expose secrets if the application crashes. If they had, the ISE attacks would have failed outright! We specifically disable reading the memory of KeePassXC. None of the other password managers featured in the ISE report have implemented this security. KeePassXC uses modern Windows memory security techniques available to all processes. Nonetheless, here are the techniques KeePassXC uses to protect your data: Windows Memory Protection Your best defense against this threat is to follow general digital hygiene, keeping your computer physically secure, and (maybe) having an up-to-date virus scanner. If your computer is compromised in this way, then there is very little a program can do to protect its data. Please Note: memory attacks are generally not possible unless an attacker has (physical) access to your machine or a malicious application is running. The following is a succinct breakdown of our security across the three platforms. ![]() This is a very complex topic with a lot of nuance. Each of these operating systems have different methods of handling memory that must be taken into account. We have worked very hard to be consistent across Windows, Linux, and MacOS platforms in terms of user experience and security. However, unlike KeePass, KeePassXC is a cross-platform application written in C++ using the Qt framework. Aside from non-sensitive header data (such as initialization information for the encryption algorithms), your entire database (usernames, passwords, notes, etc) is encrypted using industry standard methods. Similar to KeePass, we protect all data “at rest” (that is, when it is saved in the password database file *.kdbx). Although KeePassXC was not mentioned, we have thoroughly reviewed the report and address some questions it raises below. Some of you may have seen the recent vulnerability report from ISE that details various memory attacks against 1Password and KeePass, among others.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |