
Security

Frederick Zhang edited this page Jun 19, 2020 · 10 revisions

Security concerns

After being associated with a database, keepassxc-protocol clients use a public key from then on to authenticate themselves against KeePassXC. However, most clients, including git-credential-keepassxc and many browsers compatible with keepassxc-browser, store the keys in plaintext by default.

Hence a malicious program could extract the keys from the configuration file and then send credential requests to KeePassXC. This is unlikely to happen, and a user in that situation obviously has more serious security problems to deal with first, but it becomes particularly dangerous if the user has allowed any client to retrieve credentials without confirmation.

Mitigation

Note that some of the techniques mentioned here are Linux-specific.

Using a hardware token to encrypt the configuration file

  1. Configuration file encryption and strict-caller feature
  2. Do NOT configure your hardware token to perform challenge-response without taps
  3. Disabling dumpable/ptrace (only implemented for Linux at the time of writing; note that many distros nowadays enable the Yama LSM by default)
  4. Kernel lockdown

First of all, the public keys in the configuration file are encrypted so that a bad actor on your system cannot extract them without a physical tap on your token. Secondly, strict-caller ensures that even if a bad actor simply wipes the caller profiles from the configuration file, it is still not allowed to call git-credential-keepassxc directly. Finally, kernel lockdown and switching off dumpable prevent other programs from reading git-credential-keepassxc's memory.
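As an added illustration of the "switching off dumpable" step (example code written for this page, not git-credential-keepassxc's own implementation), the following Linux C program marks itself non-dumpable with prctl(2) and reads the Yama ptrace_scope setting mentioned above. The function names and the printed diagnostics are this example's own choices.

```c
// Added example, not from git-credential-keepassxc: make the current
// process non-dumpable (no core dumps, no ptrace attach from other
// unprivileged processes of the same uid, /proc/self/mem unreadable to
// them) and report the kernel's Yama ptrace_scope value.
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/prctl.h>

/* Clear the dumpable flag for this process. Returns 0 on success, -1 on
 * failure (errno set by prctl). The flag is per-process and is re-derived
 * on execve, so a tool wanting this protection sets it early at startup. */
int disable_dumpable(void) {
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
}

/* Query the dumpable flag: 0 means protected, 1 means dumpable. */
int get_dumpable(void) {
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Read Yama's ptrace_scope (0 = classic, 1 = restricted, 2 = admin-only,
 * 3 = no attach). Returns -1 when the file is absent, i.e. Yama is not
 * enabled on this kernel. Many distros ship with 1 by default. */
int read_yama_ptrace_scope(void) {
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (!f) return -1;
    int scope = -1;
    if (fscanf(f, "%d", &scope) != 1) scope = -1;
    fclose(f);
    return scope;
}

int main(void) {
    printf("yama ptrace_scope: %d\n", read_yama_ptrace_scope());
    printf("dumpable before: %d\n", get_dumpable());
    if (disable_dumpable() != 0) {
        perror("prctl(PR_SET_DUMPABLE)");
        return 1;
    }
    printf("dumpable after: %d\n", get_dumpable());
    return 0;
}
```

Two caveats worth keeping in mind: the dumpable flag only restricts processes without CAP_SYS_PTRACE, so root (or a debugger running as root) is unaffected, which is why the page pairs it with kernel lockdown; and Yama's ptrace_scope is a system-wide setting that the tool cannot raise for itself, it can only check it and warn.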

Software implementation

  1. Runtime integrity check of all the involved executables (is there a good way to do this under Linux?)
  2. MAC, preferably with pre-loaded rules from kernel image/initramfs, to prevent random programs from reading/writing the configuration file
  3. Kernel lockdown
  4. Configuration file encryption can probably still be icing on the cake here, but at the time of writing git-credential-keepassxc implements no pure-software encryption