Open andrew-lis opened 2 years ago
At this point this is starting to resemble a lot the defunct's KeeCloud workflow, which was a lot more secure: 1- Open Keepass Database 2- Credentials for the cloud service are inside the database 3- Sync with cloud database using File -> Synchronize -> Synchronize with URL
It would feel like a better time investment to support this scenario than to implement a parallel encryption system which will inevitably be less mature and less secure than Keepass itself.
It would feel like a better time investment to support this scenario than to implement a parallel encryption system which will inevitably be less mature and less secure than Keepass itself.
You may be right, but the users should be notified when the flow I'd described is used.
Actually, the json Secret field is encrypted. It just might not look like it. Here's where the encryption actually happens; it uses an OS-provided encryption/decryption API, meaning the decryption key for the secret is not stored in accounts.json, keepass.xml, or the plugin.
Background: Right now the file "KeeAnywhere.Accounts.json" is not protected at all (Windows Control Access is easy to overcome), yet it contains sensitive, unencrypted tokens that allows anyone to access all files on the Remote Drive (Google Drive, Dropbox, etc).
Proposal: