JanisEst / KeePassQuickUnlock

KeePass 2.x plugin which lets you unlock databases quickly.
MIT License

What happened to the simpler QuickUnlock 1.0? #7

Closed gbakeman closed 7 years ago

gbakeman commented 7 years ago

I recall in QU 1.0, all you had to do was install the plugin, choose how many/what characters of your master key would quick unlock your database, then you were all set to go. I just updated to 2.0, and it seems like it's gotten way more complicated. Now we have to create a new entry in the database, and set the password there? Is there any reason why we can't use the old method for QuickUnlock?

KN4CK3R commented 7 years ago

The first version didn't work with keyfiles or other key providers. With the new version you have more control over the used password (length, type, enable it only for specific databases, ...)

Maybe a future version will support both methods. At the moment you can safely use the first version and ignore the update warning. (Or compile the old source without the update URL so KeePass can't check for new versions.)

gbakeman commented 7 years ago

Alright, I'll stick with the first version for now. If you want to tag this as a feature suggestion, I would really like to have the old functionality around, it's just so easy to have a good old quick unlock. :)

KN4CK3R commented 7 years ago

I have implemented the 'PartOf' feature for the second version of the plugin. But there is a problem. I can grab the master password only one time (*), so QuickUnlock will only work one time. I "fixed" this problem in the first version by not deleting the password info. But in version 2 the password info will get removed after a specific amount of time or if no password could be found (*). You will need to set the time range to unlimited to make this work more than only one time and the plugin will need to stop removing cached keys if no new key could get generated. That's problematic for normal users because they won't understand these problems and why the plugin acts differently then.

*: KeePass stores all provided keys (password, keyfile, Windows account, ...) to a ComposedKey. The masterkey will get computed like this: hash('data of key1' + 'data of key2' + ...) If you first close the database the MasterKey (= is the ComposedKey) will contain all the provided keys. If you unlock the database with QuickUnlock, KeePass expects the keydata from the plugin. At this point I provide the concatenation of 'data of key1' + 'data of key2' + ... KeePass will unlock the database and everything is fine. At this point the MasterKey contains only one key which is of the type PluginKey and which contains the keydata from the plugin (= the combined data of all keys => There is no information where this data originally comes from (password, keyfile, ...)). If you close the database again the plugin tests if the ComposedKey contains a simple password type to derive the QuickUnlock key from. Now the plugin will see only one key which is not a password but a PluginKey and it can't get the password from it.
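
A simplified Python model of the key handling described in the comment above, added as an example; it is not part of the thread and not the plugin's or KeePass's code. The class names, the use of SHA-256 and taking the last four bytes of the password as the quick-unlock secret are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class UserKey:              # hypothetical stand-in, not a KeePassLib type
    kind: str               # "password", "keyfile" or "plugin"
    data: bytes             # key data this provider contributes

def combined_data(keys):
    return b"".join(k.data for k in keys)

def master_key(keys):
    # hash('data of key1' + 'data of key2' + ...), as the comment describes it
    return hashlib.sha256(combined_data(keys)).digest()

class QuickUnlockModel:
    def __init__(self, part_len=4):
        self.part_len = part_len    # assumption: secret = last N bytes of password
        self.cache = None           # (quick-unlock secret, combined key data)

    def on_close(self, keys):
        """Database closed: look for a password key to derive the secret from."""
        pw = next((k for k in keys if k.kind == "password"), None)
        if pw is None:
            self.cache = None       # v2 behaviour: no password found, cache removed
            return False
        self.cache = (pw.data[-self.part_len:], combined_data(keys))
        return True

    def unlock(self, typed):
        """Database reopened: return the combined data as a single plugin key."""
        if self.cache is None or not hmac.compare_digest(typed, self.cache[0]):
            return None
        return [UserKey("plugin", self.cache[1])]

def demo():
    # Constructed sample keys, not real credentials
    keys = [UserKey("password", b"correct horse battery"),
            UserKey("keyfile", bytes(range(32)))]
    qu = QuickUnlockModel()
    first_close = qu.on_close(keys)                  # password key present
    plugin_keys = qu.unlock(b"tery")                 # quick unlock succeeds
    same_master = master_key(plugin_keys) == master_key(keys)
    second_close = qu.on_close(plugin_keys)          # only a plugin key is left
    second_unlock = qu.unlock(b"tery")               # nothing cached any more
    return first_close, same_master, second_close, second_unlock

if __name__ == "__main__":
    print(demo())
```

The second close finds no password-type key, so the model drops its cache and the next quick unlock fails, which is the "works only one time" behaviour the comment explains.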

gbakeman commented 7 years ago

I think that makes sense from a security standpoint to have a sort of expiration where quickunlock will no longer function and you need to re-enter the master password. Thanks!

KN4CK3R commented 7 years ago

The PartOf mode is available again in v2.1 https://github.com/KN4CK3R/KeePassQuickUnlock/releases/tag/v2.1

mcassaniti commented 7 years ago

Just reading through this issue, it seems to indicate that setting the timeout to unlimited will result in the composite key being cached indefinitely. In that case I would expect after the first time you enter your key information, the composite key will be available all the time. Did I misunderstand?

KN4CK3R commented 7 years ago

Indefinitely until the point when you use it. The lifetime of the QuickUnlock key starts when you close the database. If you have set 1 hour, the key will be removed after an hour and you will need to provide your full password again. If you set it to unlimited the key will be available until you try to login the next time. After the login (successful or failed) the QuickUnlock key gets removed.

mcassaniti commented 7 years ago

Thank you for the quick reply. Is it possible to check for success and keep the key? I ask this more from a change the code perspective than a is it supported perspective.

KN4CK3R commented 7 years ago

Comment out this part: https://github.com/KN4CK3R/KeePassQuickUnlock/blob/master/KeePassQuickUnlockExt.cs#L158 and it may work. But there was a reason I added this code, can't remember atm. ;) If you want to have QuickUnlock working all the time, just stay with the QuickUnlock entry. You can manually enter the part of the password and it will feel like the PartOf mode.

Edit: The reason was simple. You have a QuickUnlock entry and reopen the database with it. You remove the entry and expect that QuickUnlock will stop working. But it doesn't stop because the cache doesn't get cleared.

mcassaniti commented 7 years ago

I understand the reasoning behind the cache invalidation now, but would it not be better to not invalidate and have it documented that you need to re-open your DB if you change the QuickUnlock value? No is a perfectly fine answer.

Alex-0293 commented 6 years ago

KeePass v 2.36, doesn't start with plugin 2.x ss please, correct.

KN4CK3R commented 6 years ago

Please do not abuse other issues. KeePassQuickUnlock 2.2.0 works fine with KeePass 2.36. I'm using it every day. You could clear the plugin cache and try again. Maybe it helps if you update your installed .NET version.

digreesun commented 6 years ago

After using KeePassQuickUnlock 2.3.0, and reopening KeePass 2.37, it is necessary to re-specify the KeyFilePath, because it is replaced with QuickUnlock, which is not very convenient. Is it possible to correct this?