PKCS#11/Smartcard support for supporting team sharing of databases

[jandd]

Summary

Allow sharing of databases by using a PKCS#7 container with the actual secret key encrypted for multiple X.509 certificates.

Context

We have teams that use Keepass2 with https://github.com/markbott/CertKeyProvider/tree/master/CertKeyProviderPlugin to allow sharing kdbx-Files without sharing an unencrypted key file or a password.

The CertKeyProviderPlugin uses an encrypted key file (PKCS#7 structure) and encrypts a secret key for a list of certificates (the plugin uses the Windows Crypto API to find the certificates/private keys). I have Python code to create such a structure if this would be helpful.

We use this mechanism to allow users to use a SmartCard to unlock their team's Keepass databases. The key file is decrypted when the user has a matching private key for one of the public keys (identified by issuer id and serial number of the corresponding Smartcard certificate) mentioned in the encrypted key file. The user enters the Smartcard pin and Keepass2 opens the kdbx database.

A cross plattform implementation would be helpful (we have Windows and MacOS users and would like to support Linux users too). Maybe system key store mechanisms could be used to handle the certificate enumeration and private key operations.

I have seen #255 but think that this is a different use case.

[droidmonkey]

This is not likely to be implemented. That is a very very niche capability and rather complex to implement.

[jandd]

@droidmonkey thanks for your evaluation. I will try to create a wrapper script to accomplish the needed behavior for our use case instead.

[smesguich-orange]

Hello Very intrested in this feature !

[jandd]

I made our wrapper available at https://github.com/T-Systems-MMS/keepassxc-p11-wrapper

[louigi600]

I made our wrapper available at https://github.com/T-Systems-MMS/keepassxc-p11-wrapper I was looking for something like this ... just wondering if the wrapper will also allow to update the database ?

[jandd]

I made our wrapper available at https://github.com/T-Systems-MMS/keepassxc-p11-wrapper I was looking for something like this ... just wondering if the wrapper will also allow to update the database ?

Yes, it allows updates to the database. The wrapper just takes care of decrypting a key file (shared AES secret key) with a using private keys of the team members' SmartCards. Changes to the database are encrypted using the shared secret and can therefore be decrypted by everyone in possession of one of the private keys.

An issue that is not solved by the wrapper itself is re-encrypting the shared secret when team members change. We have an internal tool that fetches public keys from an LDAP directory for re-encryption and a written procedure for re-encryption. I had no time to extract the company independent parts of this tool into an Open Source project yet.

[louigi600]

I made our wrapper available at https://github.com/T-Systems-MMS/keepassxc-p11-wrapper I was looking for something like this ... just wondering if the wrapper will also allow to update the database ?

Yes, it allows updates to the database. The wrapper just takes care of decrypting a key file (shared AES secret key) with a using private keys of the team members' SmartCards. Changes to the database are encrypted using the shared secret and can therefore be decrypted by everyone in possession of one of the private keys.

An issue that is not solved by the wrapper itself is re-encrypting the shared secret when team members change. We have an internal tool that fetches public keys from an LDAP directory for re-encryption and a written procedure for re-encryption. I had no time to extract the company independent parts of this tool into an Open Source project yet.

And how about maintaining the p7mkey file ? ie add remove smartcards allowed to open the database. I guess that's what you mean when you mention the re-encrypting. For the moment I guess we will need someone to still have the windows keepass with the https://github.com/sbidy/KeePass-KeyManager plugin