strongbox-password-safe / Strongbox

A KeePass/Password Safe Client for iOS and OS X
https://strongboxsafe.com
GNU Affero General Public License v3.0

Cryptomator Support (Investigate Possibility) #124

Open mmcguill opened 5 years ago

mmcguill commented 5 years ago

Some users would like better integration with Cryptomator. Tools like Cyberduck show this should be possible. Investigate the possibility and difficulty of an integration

https://github.com/cryptomator/cryptomator-objc-cryptor

cestum commented 5 years ago

@mmcguill This is a great idea. I created a cryptomator iOS Files extension here and was considering writing an app for myself (with keepass and cryptomator clients). Glad I stumbled upon this, so sharing my work here.

sindastra commented 2 years ago

Hi there! 👋

Good News

I came here to ask for the same feature, but then I did some experimenting and I have good news: This already works (Mac & iPhone)!

Of course, on the Mac that's obvious: You run your sync app, you run Cryptomator, you point Strongbox to the file in the unlocked Cryptomator vault.

However, I did some testing, and you can do the same on iPhone now.

Cryptomator released "Cryptomator 2" for iOS, which is an entirely new app. What's special about it, is that it works with the iOS "Files" app.

So, what you can do, is set up Cryptomator 2 on iPhone, and change the vault settings "Unlock Duration" to "Indefinite", and then point Strongbox to it using the "Files" option in Strongbox.

Bad News

However, a word of warning: The "Cryptomator 2" app is quite new still, I find it sometimes fails to sync or is delayed. Sometimes I have to manually lock and unlock the vault for it to work properly again (you might get "file/folder" not found errors, or something might simply not upload). Overall, I would not trust it in production with my KeePass/Strongbox database. (:

At least Strongbox seems to keep a local copy internally? So, I guess it might be possible to recover if sync fails?

Background / Reason to use Cryptomator

I currently self-host my KeePass on my NAS, the share being encrypted, and accessing it through WebDAV. However, the OEM seems not to release updates frequently enough, and I don't feel comfortable running a seemingly outdated WebDAV server accessible from outside.

So, I thought of using some commercial cloud provider. However, I don't feel comfortable putting my KeePass/Strongbox database on there. I understand the database is encrypted, but if you take a look at the database, you'll find it starts with the bytes 03d9 a29a 67fb 4bb5. It is clearly visible that this is a KeePass database, even if you rename it to make it look like something else. I don't want some commercial cloud provider to know I have such a database with them. So, it's about hiding the fact it's even there.

Alternative Solution

Given that (at least for me), the point of using Cryptomator is to hide the fact the database even exists... Wouldn't it be possible for Strongbox to (maybe as a stopgap solution) obfuscate the database, to look like some random blob of data, or like some other file entirely? That way, at least for me, the need for Cryptomator would perish.

Another thing that comes to mind, would be to make it keep looking like a KeePass database, and you can unlock it with a password, but there's actually another hidden database inside the database, which gets unlocked with another password. Similarly to VeraCrypt's hidden volumes feature. https://www.veracrypt.fr/en/Hidden%20Volume.html

I opened an issue, suggesting some obfuscation feature: #597
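
An added example (not code from Strongbox, Cryptomator or anyone in this thread) that checks the point made in the comment above: a KeePass database is identifiable from its first bytes no matter what the file is named. The signature words and the KDBX version layout are standard KeePass 2.x format facts; the sample files below are constructed.

```python
import struct
from typing import Dict, Optional

# The thread quotes the leading bytes 03d9 a29a 67fb 4bb5. Read as two
# little-endian uint32 words these are the KeePass 2.x (.kdbx) signature;
# KeePass 1.x (.kdb) shares the first word and uses 0xB54BFB65 as the second.
KEEPASS_SIG1 = 0x9AA2D903
KDBX_SIG2 = 0xB54BFB67
KDB1_SIG2 = 0xB54BFB65


def identify_keepass(data: bytes) -> Optional[Dict[str, Optional[str]]]:
    """Return format details if `data` carries a KeePass signature, else None."""
    if len(data) < 8:
        return None
    sig1, sig2 = struct.unpack("<II", data[:8])
    if sig1 != KEEPASS_SIG1:
        return None
    if sig2 == KDB1_SIG2:
        return {"format": "kdb", "version": None}
    if sig2 == KDBX_SIG2:
        info: Dict[str, Optional[str]] = {"format": "kdbx", "version": None}
        # KDBX stores the file version right after the signature as two
        # little-endian uint16 words: minor first, then major.
        if len(data) >= 12:
            minor, major = struct.unpack("<HH", data[8:12])
            info["version"] = f"{major}.{minor}"
        return info
    return None


def classify_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """Label each (name, content) pair; the file name is deliberately ignored."""
    out = {}
    for name, data in files.items():
        found = identify_keepass(data)
        out[name] = "not keepass" if found is None else f"{found['format']} {found['version']}"
    return out


# Constructed samples: a KDBX 4.0 header, the same header under a harmless
# name, and two non-KeePass files. The header bytes are real; the rest is filler.
KDBX4_HEADER = bytes.fromhex("03d9a29a67fb4bb5") + bytes.fromhex("00000400")
SAMPLE_FILES = {
    "vault.kdbx": KDBX4_HEADER + b"\x00" * 32,
    "holiday.jpg": KDBX4_HEADER + b"\x00" * 32,   # renamed, still recognisable
    "notes.txt": b"just some text\n",
    "blob.bin": bytes(range(64)),
}

if __name__ == "__main__":
    for name, label in classify_files(SAMPLE_FILES).items():
        print(f"{name:12} -> {label}")
```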

strongbox-mark commented 2 years ago

Thanks for the update. Yes, Strongbox can/will keep a local cache of the database (for offline support) and backups (default is 10 most recent copies) for disaster recovery, so you're pretty safe.

I understand your use case, I'll try to reply in #597