Vault encryption: what is the best "recipe" to stay safe?

[serrq]

Following my current recipe. I'd like to stay future proof if possible. What can I improve?

• Encryption algorithm

Rijndael (AES)

• Key derivation function

(AES)

• Transformation rounds

500000

• Memory usage

(Empty)

• Parallelism

(Empty)

[J-Jamet]

It's always a question of balancing security and usability. If you want the best security, put all the numbers to the maximum but you will not be able to open your database either because it will take way too long.

[shuvashish76]

According to OWASP (a nonprofit foundation that works to improve the security of software) Argon2id is best. Parameters recommendations as of May 2023 : https://en.wikipedia.org/wiki/Argon2#Recommended_minimum_parameters Original article : https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id

But both KeePass & KeePassXC recommends Argon2

The main advantage of Argon2 over AES-KDF is that it provides a better resistance against GPU/ASIC attacks (due to being a memory-hard function).

In the case of KeePass, we currently recommend Argon2d instead of Argon2id, because we believe that a better protection against a really existing threat (password cracking using GPUs/ASICs is state of the art) is more important than a protection against certain side-channel attacks that may or may not become a problem on client devices in the future. If you worry about side-channel attacks (and are willing to sacrifice some GPU/ASIC resistance) or if you are developing a software where side-channel attacks could be a problem (e.g. a server service that operates with KeePass database files), use Argon2id.

Side note: the IRTF CFRG Argon2 Internet standard recommends Argon2id by default. For server applications, Argon2id is in general indeed more suitable than Argon2d, but our situation (client device) is different, as mentioned above.

Source: https://keepass.info/help/base/security.html#secdictprotect

[serrq]

Thanks.

For database encryption what is the best?

• Rijndael (AES) • Twofish • ChaCha20

[shuvashish76]

According to KeePass

AES (Rijndael) became effective as a U.S. federal government standard and is approved by the National Security Agency (NSA) for top secret information. Twofish was one of the other four AES finalists. ChaCha20 is the successor of the Salsa20 algorithm (which is included in the eSTREAM portfolio).

Reference:

• https://en.wikipedia.org/wiki/Advanced_Encryption_Standard_process
• https://web.archive.org/web/20231124173420/https://csrc.nist.rip/encryption/aes/round2/conf3/AES3FeedbackForm-summary.pdf

• Rijndael was not my first choice, but it was one of the three algorithms I thought suitable for the standard. The Twofish team performed extensive cryptanalysis of Rijndael, and will continue to do so. While it was not the most secure choice (NIST said as much in their report), I do not believe there is any risk in using Rijndael to encrypt data. While I have serious academic reservations about Rijndael, I do not have any engineering reservations about Rijndael. Nor do I have any reservations about NIST and their decision process. (source)

~ Bruce Schneier (one of the authors of the Twofish algorithm)

---

I don't have much info about ChaCha20 besides its a new algorithm & not widely used. I've read some comments here & there (e.g reddit) but they're not reliable source. I've no technical background to understand information mentioned about it in Wikipedia.

[serrq]

I temporarily set my database encryption on ChaCha20. I heard it has been used on some instant messengers e2ee.