keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

HMAC mismatch error... ...Again... #7273

Closed Hyperwave16 closed 2 years ago

Hyperwave16 commented 2 years ago

Overview

This morning I opened up my computer to KeePassXC not letting me sign on. I was sure I used the correct password, because I copied the password from iCloud Notes, just as I did every other time (except other times I was manually copying from my iPhone).

I only recently have been using KeePass, around the 7th this year, and I have already experienced this problem before, on my first database. After remaking my database on the 8th, I decided to move every password I have, all the ones saved to my Google account, and all the ones saved to my Apple account. Around midnight, I had finished, and decided to shut the computer off and go to rest (putting my computer to sleep, as always).

The next morning (today), I now no longer have access to my database file, with my passwords, emails, accounts, etc. inside of it. I am completely screwed over until I regain access to these files, as I used the handy KeePass Password generator included in the app, and set it to completely scramble 50 characters of digits, letters, symbols, all except extended ASCII. I had to create a new GitHub account to even post this issue.

I have noticed several other people have experienced this issue, and it seems it's still not fixed. I do not store my database on Google Drive, iCloud, OneDrive, or anything like that, it's all on my Hard Drive. I have not done anything different from last time I have used KeePass. I have not reinstalled KeePass, restarted my computer, or updated KeePass since this has happened.

Steps to Reproduce

  1. Open KeePassXC.exe
  2. Open my password database
  3. Login with correct credentials + Key File
  4. Receive HMAC mismatch error

Expected Behavior

I expected to open KeePassXC without any problems and get access to my database.

Actual Behavior

In actuality, I got spat at me "Error while reading the database: Invalid credentials were provided, please try again. If this reoccurs, then your database file may be corrupt. (HMAC mismatch)", and every time I tried to make sure it was absolutely correct, I got the same message given to me.

Context

I have an SSD that my computer runs KeePassXC on, and the database and key files are on my HDD. I have a total of 2 SSDs and 1 HDD connected. I am using all the default settings in KeePass, apart from the decrypt time and memory. I also have 16GB of RAM, and I am certain that it has not corrupted overnight/while saving.

KeePassXC - Version 2.6.6 Revision: 9c108b9

Operating system: Windows 10 Version 2009 CPU architecture: x86_64 Kernel: winnt 10.0.19043

Enabled extensions:

Cryptographic libraries:

Hyperwave16 commented 2 years ago

I just recreated the issue, with creating a new database, and adding a password, and a key file. I closed the application and re-signed in to the database. It worked without flaw.

I genuinely have no idea how this works, I'm going to restart my computer, reinstall KeePass, and check my HDD and SSD for data corruption. I expect nothing to change.

droidmonkey commented 2 years ago

Your ram is bad. Do a ram test.

Or, your key file is being modified after you first create it.

Curious, what decrypt time and memory setting are you using? The higher those are the more likely you'll trigger the bad sectors of your RAM (if it is bad).

Hyperwave16 commented 2 years ago

> Your ram is bad. Do a ram test.
>
> Or, your key file is being modified after you first create it.
>
> Curious, what decrypt time and memory setting are you using? The higher those are the more likely you'll trigger the bad sectors of your RAM (if it is bad).

I think I was using ~1-2 second decrypt time, and default memory settings. My RAM is brand new, same as most components of my pc. My key file is just fine as far as I know.

droidmonkey commented 2 years ago

https://github.com/keepassxreboot/keepassxc/issues/7249

This ended up being ram configuration settings in bios.

The program doesn't corrupt databases like you describe, we would be in a world of hurt if it did. For example, I've had the same database for 6 years and have never corrupted it even though I run develop builds constantly. The most likely problem is with some component of your computer.

Hyperwave16 commented 2 years ago

If it were a problem with my computer, how come no other applications have had any problems with anything up until now? I use this device very frequently, and I have had no problems like it. I've had 2 databases for three days with brand new RAM and they are now unusable. I currently do not have access to Gmail or the like. I will try out your bios settings and come back when I am finished. Thanks in advance.

droidmonkey commented 2 years ago

@Hyperwave16 can you recreate the problem if you do not use a keyfile? That is adding an additional variable to this problem set that could be the cause of the problem itself. If the key file is modified or you use the wrong key file that will cause this error.

JohnLGalt commented 2 years ago

> @Hyperwave16 can you recreate the problem if you do not use a keyfile? That is adding an additional variable to this problem set that could be the cause of the problem itself. If the key file is modified or you use the wrong key file that will cause this error.

Out of curiosity - could file system / individual file encryption cause issues with a locally stored keyfile?

And could this also be a factor? https://github.com/keepassxreboot/keepassxc/issues/6040

droidmonkey commented 2 years ago

No, that is a macOS problem

Hyperwave16 commented 2 years ago

> @Hyperwave16 can you recreate the problem if you do not use a keyfile? That is adding an additional variable to this problem set that could be the cause of the problem itself. If the key file is modified or you use the wrong key file that will cause this error.

Working on it. My temporary debugging database that I made yesterday opened up this morning just fine, with a key file and copied password. Very strange indeed...

Could the problem have to do with the fact that I wasn't closing down KeePassXC before putting my computer to sleep? Or something similar? Because this time I turned off the KeePassXC application and put my computer to sleep a few hours later.

droidmonkey commented 2 years ago

I keep keepassxc running for weeks with sleep and hibernation happening all the time. Would be easy to test your theory though, just put your computer to sleep and wake again.

Your results so far are consistent with RAM problems. Intermittent ability to unlock the database is a prime indicator.

Hyperwave16 commented 2 years ago

I might just buy some new RAM, maybe a new motherboard too. I really need these passwords...

droidmonkey commented 2 years ago

You could try using KeePass2 (keepass.info) or an android or iPhone app.

naphelge commented 2 years ago

I just experienced a near identical issue. I've used some variation of KeePass for 10+ years and never had any issue with a db, including some I've had for 5+ years. I did just create this db recently, but the password I used is one with which I am thoroughly familiar and have used to open this db almost daily for the past 3 or 4 weeks.

droidmonkey, when you said:

> Curious, what decrypt time and memory setting are you using? The higher those are the more likely you'll trigger the bad sectors of your RAM (if it is bad).

do you mean disk sectors, because isn't RAM dynamic/volatile or whatever, such that nothing is permanently stored?

I did try restarting my computer (xubuntu) of course, which should have flushed the RAM (no?), but still no change.

I'll try to open this with my laptop at work on Monday and report back if I have any success.

droidmonkey commented 2 years ago

The only place unencrypted data exists is in ram, ever. So if your ram is bad then both decryption and encryption can result in corruption.

naphelge commented 2 years ago

> The only place unencrypted data exists is in ram, ever. So if your ram is bad then both decryption and encryption can result in corruption.

Ok well that makes sense, I guess. I did just try to open the db on my Android using KeePassDX, which I use for a couple of db's for work, and it still wouldn't open with my password. So I guess the db is foobar'd.

So just to be clear, it would just be this single instance of the db that is corrupt, so that if I had a backup somewhere, which I don't for this particular db, I could scp and open it (assuming the backup wasn't corrupted, but no reason to believe it should be if the corruption occurs within RAM when opening/closing the db)?

droidmonkey commented 2 years ago

Correct, if you had a backup you should be able to open it. Each file is independent of each other.
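
The two causes named in this thread (a key file that changed, and a bit error in RAM while the key is derived) can be reproduced with a simplified model. This is an added example, not part of the thread and not KeePassXC's code: the file layout is made up, PBKDF2 stands in for the database's real KDF, and the payload is left unencrypted because only the integrity check matters here.

```python
import hashlib, hmac, os

def hmac_key(password, key_file, salt, flip_bit=None):
    # Composite credential: hash of the hashed password and hashed key file.
    composite = hashlib.sha256(hashlib.sha256(password).digest()
                               + hashlib.sha256(key_file).digest()).digest()
    # Stand-in KDF (assumption): PBKDF2 replaces the database's real KDF.
    key = bytearray(hashlib.pbkdf2_hmac("sha256", composite, salt, 10_000, 32))
    if flip_bit is not None:  # simulate a single bit error in RAM
        key[flip_bit // 8] ^= 1 << (flip_bit % 8)
    return hashlib.sha512(salt + bytes(key)).digest()

def save(payload, password, key_file, flip_bit=None):
    # Toy layout (constructed): 32-byte salt | 32-byte HMAC tag | payload.
    salt = os.urandom(32)
    tag = hmac.new(hmac_key(password, key_file, salt, flip_bit),
                   salt + payload, hashlib.sha256).digest()
    return salt + tag + payload

def can_open(blob, password, key_file, flip_bit=None):
    salt, tag, payload = blob[:32], blob[32:64], blob[64:]
    expected = hmac.new(hmac_key(password, key_file, salt, flip_bit),
                        salt + payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)  # False means "HMAC mismatch"

def scenarios():
    pw, kf = b"constructed-password", os.urandom(64)   # constructed credentials
    backup = save(b"entries v1", pw, kf)               # written with healthy memory
    damaged = save(b"entries v2", pw, kf, flip_bit=5)  # bit error during save
    changed_kf = bytes([kf[0] ^ 1]) + kf[1:]           # key file altered by one bit
    return {
        "correct credentials": can_open(backup, pw, kf),
        "key file modified": can_open(backup, pw, changed_kf),
        "bit error while opening": can_open(backup, pw, kf, flip_bit=5),
        "file saved with bit error": can_open(damaged, pw, kf),
        "earlier backup still opens": can_open(backup, pw, kf),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:28} {'opens' if ok else 'HMAC mismatch'}")
```

A bit error while opening is transient and the same file opens on the next attempt, while a file saved with a bit error fails everywhere, on every device. The check cannot tell a wrong credential from a damaged file, which is why the error message names both.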

diviatrix commented 12 months ago

3 different PCs and a Mac M2 (a week old), all of them can't open the database a second time with the correct password. This makes me think the app isn't working as intended :P. Lost my data right after saving every time.

syntcom commented 10 months ago

I have exactly the same problem. I have a kdbx file protected with a password. Yesterday I was able to use the file on two different computers. Today both files on both computers do not work any more. I tried different backups going back one week (I have daily incremental backups); none of them work any more. Installed keepass on android. Same thing. I know it is the correct password, because I have written it down somewhere else. Uninstalled keepass, restarted pc... nothing works. Tried to turn the clock back in windows to yesterday, since this is the only thing that has changed I think. Did not work. Very strange and not very confidence inspiring. Wanted to bring all my passwords that I use for clients to keepass soon. Lucky I did not. Does anyone have any ideas?

theDispare commented 10 months ago

I have the same problem. 1 week ago I created a password-protected db and worked with it the next days. Even wrote down the master password on paper. And suddenly today I could not open the file on multiple devices.

phoerious commented 10 months ago

For everyone complaining about HMAC errors: It is extremely unlikely that you have hit a bug in our code (if you have, please provide proof and open a dedicated issue). The code path is well tested and has not changed at all in at least a year or two.

Most likely, your actual problem is one of these:

In any case, keep backups at all times and test periodically whether these backups actually work. Having a file history (Windows file history or any cloud drive provider) is generally helpful.