keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

HMAC mismatch, possible bitlocker/disk encryption issue - correct password not working #11462

Closed MaximilianKohler closed 4 days ago

MaximilianKohler commented 4 days ago

Overview

I'm seeing a ton of people reporting this so I am sure it's a bug. I'm really disappointed to see that in most of the issues I clicked through there wasn't even an attempt to debug the issue. Fortunately, I may have narrowed down the issue to bitlocker encryption or general drive/file encryption.

I use keepassxc at home. It's installed on a bitlocker drive. I backed it up to a USB thumb drive and when opening the database from that USB drive I get the error. I saw your responses sometimes asked if they were using a USB thumbdrive, and then in one issue you said it's a thumbdrive corruption issue. Thankfully, I have a copy of the database in the cloud so I downloaded it and I get the same error, so it's not a USB drive issue.

The other primary suspect is therefore bitlocker encryption. I searched the issues for info on this and didn't find any.

I can try to help you debug this but I don't currently have access to my desktop computer.

Steps to Reproduce

  1. Keep db on a bitlocker-protected drive
  2. Copy the db to another computer or thumbdrive
  3. HMAC error, invalid credentials

Context

I use a password manager to login, so it's not possible that my password is wrong.

KeePassXC - Version 2.7.9 Revision: 8f6dd13

Qt 5.15.11 Debugging mode is disabled.

Operating system: Windows 10 Version 2009 CPU architecture: x86_64 Kernel: winnt 10.0.19045

Enabled extensions:

Cryptographic libraries:

droidmonkey commented 4 days ago

> I use a password manager to login, so it's not possible that my password is wrong.

Please do explain. This is the cause of all of these issues, wrong credentials.

> copy of the database in the cloud so I downloaded it and I get the same error

Definitely wrong credentials.

I have used bitlocker for over 10 years without issue, and so do millions of people. 100% certain that has nothing to do with your issue.

There is no way to "debug" these issues because it is impossible to tell if you have the wrong password / key file or if there is actual file corruption. If you have actual file corruption, it is much more likely to have a different error such as header size mismatch, invalid database file, or similar.
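Added example, not part of the thread and not KeePassXC code: a credential-free check of the header portion of a database copy, useful for ruling out transfer damage to the header before suspecting the password. It assumes the KDBX 4 outer-header layout (two signature words, a version, fields encoded as 1-byte id plus 4-byte little-endian length, then an unkeyed SHA-256 of the header followed by the header HMAC), none of which is stated on this page; `check_kdbx4_header` and `build_sample` are hypothetical names and the sample bytes are constructed. It says nothing about damage in the encrypted payload.

```python
import hashlib
import struct

SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67   # KDBX signature words (assumed layout)
END_OF_HEADER = 0                      # field id that terminates the outer header

def check_kdbx4_header(blob: bytes) -> str:
    """Check the unkeyed SHA-256 stored right after a KDBX 4 outer header.

    No password is needed, so a failure here points at damaged bytes,
    not at credentials.
    """
    if len(blob) < 12:
        return "truncated"
    sig1, sig2, _minor, major = struct.unpack_from("<IIHH", blob, 0)
    if (sig1, sig2) != (SIG1, SIG2):
        return "not a KDBX file"
    if major != 4:
        return "not KDBX 4"
    pos = 12
    while True:                        # fields: 1-byte id, 4-byte LE length, data
        if pos + 5 > len(blob):
            return "truncated"
        field_id, size = struct.unpack_from("<BI", blob, pos)
        pos += 5 + size
        if field_id == END_OF_HEADER:
            break
    if pos + 64 > len(blob):           # SHA-256 and header HMAC follow, 32 bytes each
        return "truncated"
    stored = blob[pos:pos + 32]
    actual = hashlib.sha256(blob[:pos]).digest()
    return "header intact" if actual == stored else "header hash mismatch"

def build_sample() -> bytes:
    """Constructed, minimal KDBX 4-shaped header (not a real database)."""
    def field(fid: int, data: bytes) -> bytes:
        return struct.pack("<BI", fid, len(data)) + data
    header = struct.pack("<IIHH", SIG1, SIG2, 1, 4)
    header += field(4, bytes(range(32)))          # master seed (constructed value)
    header += field(END_OF_HEADER, b"\r\n\r\n")
    return header + hashlib.sha256(header).digest() + bytes(32)  # zeroed HMAC slot

if __name__ == "__main__":
    good = build_sample()
    damaged = bytearray(good)
    damaged[20] ^= 0x01                # flip one bit inside the master seed
    print(check_kdbx4_header(good))
    print(check_kdbx4_header(bytes(damaged)))
```

Running the same check on the original and on the copied file, together with a whole-file SHA-256 of each, shows whether the two copies are byte-identical before credentials come into question.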

MaximilianKohler commented 4 days ago

> Please do explain. This is the cause of all of these issues, wrong credentials.

I'm using keepassxc only for TOTP. The password for my keepassxc databases is stored in another password manager. It has not changed. When I get back to my desktop I'm going to be able to login to the same databases with the same password. For some reason, moving the databases to another computer/drive has messed something up, and it's not because the USB flash drive is corrupted or has corrupted the database files.

droidmonkey commented 4 days ago

The only other explanation is faulty RAM.

MaximilianKohler commented 3 days ago

Yet nothing else has gone wrong -- there's no sign of any problem with my RAM. Yet there are a dozen or more people reporting this HMAC mismatch issue with keepassxc. I've had zero such issues with Keepass (non-xc) for many years.

Are there no troubleshooting steps you can think of that might help me narrow down the problem? I use FreeFileSync to sync/move the files, if that matters.

droidmonkey commented 3 days ago

Dozens of people out of (est) 2 Million users. Of those dozens, 80% finally admitted to having the wrong password, 10% bad RAM, 10% ghosted.

You can easily troubleshoot on your end. Use the same database on a different device. If it unlocks then it's your device. If it doesn't, then most likely it's a bad password.

> there's no sign of any problem with my RAM

There is no real way to tell without running a formal memtest. The way Argon2 works, more RAM is used than normal and requires absolute precision. If you set your decryption time very high then that would increase the chances of problems with faulty RAM.

MaximilianKohler commented 12 hours ago

On my laptop:

On a 3rd PC:

You mentioned a "decryption time" setting. I looked through the settings and didn't see anything like that, so I guess it's something you select when creating a db and thus there's nothing I can change now.

So from what I can tell, you are concluding this is a bad password issue, so I'll have to wait till I get home and confirm the same password, which hasn't been changed, still works on the db on my home PC. Hopefully there will be further troubleshooting if that's the case.