I think this should be the right SE, apologies otherwise

I have been researching ways to be more careful with how I handle important documents and credentials, but everything I found sounded incredibly inconvenient to use so I would like to get a confirmation of the simplest way to meet my use case - which I think is rather common.

Use case:

  1. I may not be a network or even IT engineer, but as a robotics engineer I am comfortable with pretty much any solution I have seen - it's just a matter of daily convenience
  2. I need to be able to store my personal administrative documents (including important ones) and various account credentials somewhere safe where I can be confident they will not be accessed nor damaged (within reason)
  3. I need to read/write my credentials from my personal computer (Windows), my mobile phone (Android), and my work laptop (usually Windows, sometimes Linux). It's okay if I can't access my documents on my mobile phone.
  4. I don't want a solution based on a cloud service, I'm really not comfortable depending on anyone for something as critical as this. I'm not a fan of a self-hosted server solution either but if that's what it takes I'm ok with it.

Edit: taking your advice into consideration, here is what I came up with. What do you think?

[Image: proposed architecture]

All terminals have the VeraCrypt container (for documents) and the KeePass database (for credentials) 2-way synced using SyncThing (peer to peer). I can access the credentials and the documents using 2 factor auth, the master password (something I know) and the YubiKey (something I have). Both encrypted containers are 1-way-synced with file versioning ("staggered", i.e. with timestamp) to 2 NAS, each set up as RAID1 and in different locations. Incidentally, both NAS will receive non-critical backups. And since I'm not arrogant enough to consider myself more reliable than Google, each NAS will 1-way sync to my Google Drive in their own subfolder (I'm not sure it's safe to target the same folder). Once it's set up, I will plug my YubiKey in the machine I want, open either encrypted container with the master password, and for credentials use the browser's KeePass plugin to auto-fill login & password for me. When I need to add an account, I generate a random one from KeePass.

The reason I didn't use Google Drive instead of SyncThing is that I don't rely on my devices being auto-connected to Google Drive to access my credentials, and if my devices get stolen I don't rely on a third party to provide me with a backup.

Oh, and I've covered added malware protection because that's obviously a prerequisite to KeePass and VeraCrypt. Not too sure whether magikeyboard is not a vulnerability still here.

  • Why not store the VeraCrypt container, or similar, on a cloud service? How is a cloud service a problem in your use case?
    – schroeder
    Commented Jul 7 at 10:03
  • Sure, this is a common use case, but your requirements are not common. People use password managers and encrypted file containers in the cloud.
    – schroeder
    Commented Jul 7 at 10:06
  • As a robotics engineer, I'm sure you can see that you have mixed requirements that do not create a cohesive set. You have hardware requirements, networking requirements, but also application-level requirements that are completely independent from the other requirements. So, I think you need to decompose the question and your requirements far better.
    – schroeder
    Commented Jul 7 at 12:12
  • Thanks for the comments. I wrote these reqs at 2am so they're not a proper set - I'm not against using a cloud service to store something encrypted as long as it would take quantum computers to break it, and if it's backed up on hard drives in two of my places. Is there any other req in particular I should rework? Commented Jul 7 at 14:20
  • Your question appears to be critically around the infrastructure. Data flow, backup, accessibility. That's a cohesive set of requirements. Expecting the password manager to automatically update and autofill is a separate, application-level concern, and only applicable once the infrastructure is in place. So, I would dump those entirely. And I would update your reqs to include what you don't want from cloud, not that you won't accept cloud in any form. In fact, your comment suggests that it is well within your acceptable limits.
    – schroeder
    Commented Jul 7 at 15:12

1 Answer 1

If you consider carrying a USB stick around convenient, then a VeraCrypt container is a good starting point. You could additionally use hardware encryption, but I wouldn't rely on it alone. Open-source software tools like VeraCrypt can be and have been audited, whereas proprietary hardware encryption is largely a black box – we don't know how secure it really is. In the past, major vulnerabilities were found in, for example, hardware encryption of SSDs.

However, VeraCrypt only protects the data at rest. As soon as you open a file with a program, the data is loaded into RAM as plaintext. Even worse, it may also be written to disk as plaintext. For example, the program may create temporary files, or the operating system may swap RAM content to disk. This is particularly problematic in your case, because you have so many different client devices.

Therefore, encrypting only the USB stick isn't going to be enough. Ideally, you should use full-disk encryption on all client devices. Additionally, use tools which don't create random files and don't let the data be swapped to disk. For passwords, KeePassXC is a good choice. For documents, you should at least make sure that no temporary files are created outside of the VeraCrypt container.

Note that VeraCrypt uses the XTS mode for encryption, which means it does not provide any integrity protection. If you want to ensure that files cannot be manipulated, you need additional message authentication codes.

While you've explicitly ruled out a cloud solution, I don't think this is warranted. If you encrypt the data before uploading and only decrypt it after downloading, then you don't have to depend on the security of the cloud provider at all. You just use the cloud as “dumb storage”. If you're worried about leaking metadata, then a self-hosted Seafile or ownCloud/Nextcloud might be a good alternative.

  • That's a greatly written answer, thanks. I knew keyloggers were going to be an issue but this clarifies others, too. So do you mean that in this case, a VeraCrypt container containing my documents + a KeePassXC database stored in the cloud (or my own NAS) would fit well? Doesn't that mean that I would have a lot of steps to get any of the passwords including two master passwords? On the other hand does this mean that if no temporary files are created outside of VeraCrypt, no data breach is possible while the containers are open? Commented Jul 7 at 14:27
  • @MisterMystère: You don’t have to put the KeePassXC database into the VeraCrypt container. Since it’s already encrypted, you can keep it outside and access it with just the passphrase (assuming that passphrase is sufficiently strong). Controlling temporary files only addresses the case that sensitive data is inadvertently written to an unencrypted part of the disk. Attacks against the file content in RAM are still possible. For example, if a client device is compromised, this also puts all data you access on this device at risk. So keeping the client devices secure is a requirement in any case.
    – Ja1024
    Commented Jul 7 at 14:46
  • True, thanks. I meant if I rely on KeePassXC to fill in the fields of a browser, that the browser is made to handle this safely (is Firefox doing this?), and if there is a proper SSH bridge to the remote server, does that at least take care of "my side of the problem"? Commented Jul 7 at 15:00
  • I'm also curious about what would be bulletproof, even if it's too inconvenient for my use case :) Commented Jul 7 at 15:01
  • @MisterMystère: There’s no perfect security, but a fairly secure approach would be to only access the documents on a separate offline PC with a read-only operating system and a non-extractable cryptographic key (e.g., on a smartcard).
    – Ja1024
    Commented Jul 7 at 16:23
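The answer notes that XTS mode gives no integrity protection and that a message authentication code is needed if manipulation of the container must be detected. As an added example (not from the answer, nor part of VeraCrypt or KeePassXC), here is the encrypt-then-MAC check that idea amounts to: an HMAC-SHA256 tag over the already-encrypted container file, keyed from a separate passphrase and kept as a sidecar file that is verified before the container is mounted. The function names, iteration count and the sample bytes standing in for a container are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for an encrypted VeraCrypt container (1 KiB of bytes).
# XTS ciphertext carries no tag, so a modified container still "decrypts"
# without error; the sidecar tag below is what makes tampering detectable.
SAMPLE_CONTAINER = bytes(range(256)) * 4

PBKDF2_ITERATIONS = 200_000  # constructed value; raise for production use


def derive_mac_key(passphrase: str, salt: bytes) -> bytes:
    """Derive a dedicated 32-byte MAC key (never reuse the container's key)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=32)


def compute_tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 over the ciphertext (encrypt-then-MAC)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def seal(container: bytes, passphrase: str) -> bytes:
    """Return the sidecar record: 16-byte salt || 32-byte tag."""
    salt = secrets.token_bytes(16)
    return salt + compute_tag(derive_mac_key(passphrase, salt), container)


def verify(container: bytes, sidecar: bytes, passphrase: str) -> bool:
    """Recompute the tag and compare in constant time; False means do not mount."""
    if len(sidecar) != 48:
        return False
    salt, expected = sidecar[:16], sidecar[16:]
    actual = compute_tag(derive_mac_key(passphrase, salt), container)
    return hmac.compare_digest(actual, expected)


def flip_byte(data: bytes, offset: int) -> bytes:
    """Simulate silent corruption or modification of one ciphertext byte."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


def demo() -> tuple:
    """Returns (intact_verifies, tampered_verifies) -> expected (True, False)."""
    passphrase = "constructed-mac-passphrase"
    sidecar = seal(SAMPLE_CONTAINER, passphrase)
    intact = verify(SAMPLE_CONTAINER, sidecar, passphrase)
    tampered = verify(flip_byte(SAMPLE_CONTAINER, 100), sidecar, passphrase)
    return intact, tampered
```

In the setup described in the question, the sidecar would be synced next to the container and the check run on each device before mounting; a failed check tells you to restore a versioned copy from the NAS rather than trust the current file.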
