From 0bcd6e881f04411a2c30ada9caa52cfb0dbeb545 Mon Sep 17 00:00:00 2001 From: Jonathan Rosenbaum Date: Fri, 5 Jan 2018 08:37:46 +0000 Subject: [PATCH] More clarity. --- examples/secure-terminals.txt | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/examples/secure-terminals.txt b/examples/secure-terminals.txt index 95e9b60..46d2c76 100644 --- a/examples/secure-terminals.txt +++ b/examples/secure-terminals.txt @@ -126,7 +126,10 @@ Chrome: Right-click on the "login" keyring Select "Change password" Enter your old password and leave the new password blank - Press ok + Press ok + You may want to remove Password and Keys from the menu, + E.g. see https://wiki.lxde.org/en/Main_Menu if using lxde: + - sudo mv seahorse.desktop /root; lxpanelctl restart 3. run keepass2; create new password database in ~/keepass 
@@ -137,15 +140,20 @@ Chrome: sudo chown -R root:root ~/keepass sudo chmod -R 0400 ~/keepass (change to 0600 if you want to change password, then back to 0400 when done) -4. SECURITY - The easiest ways to learn about which policies can be modified are simply to unclick them in - Tools -> Options -> Policy, and then look at the additions to in /usr/lib/keepass2/KeePass.config.xml - after exiting the program; security changes don't apply until restarting the program. These policies can be added between - in KeePass.config.enforced.xml. Independently of using KeePass.config.enforced.xml, the key database could be looked at, - however, the owner (root), 0400 permissions, and KeePass.config.enforced.xml prevent the database from being copied anywhere, - and the key file would be required as well to gain access. Secret tools only provides a low-level layer of security - with a master password passed by stdin, and is optional (and maybe a liability on a public computer). Keepass has auditing capability +4. SECURITY - The easiest ways to learn about the name of policies which can be disabled are simply + to unclick them in Tools -> Options -> Policy, and then look at the additions to in + /usr/lib/keepass2/KeePass.config.xml after exiting the program; security changes don't apply + until restarting the program. Caveat, make sure that the xml is properly formed. + These policies can be added between in KeePass.config.enforced.xml. Independently of + using KeePass.config.enforced.xml, the key database could be looked at, however, + the owner (root), 0400 permissions, and KeePass.config.enforced.xml prevent the database + from being copied anywhere, and the key file would be required as well to gain access. + + Secret tools only provides a low-level layer of security with a master password passed by stdin, + and is optional (and may be a liability on a public computer). 
Keepass has auditing capability via triggers, see https://keepass.info/help/kb/trigger_examples.html#audit, if your want to monitor events. - It should be noted that keepassxc does not provide the rich set of policies that keepass does, which rules out this newer program. + It should be noted that keepassxc does not provide the rich set of policies that keepass does, + which rules out this newer program. cd /usr/lib/keepass2; \ sudo touch KeePass.config.enforced.xml
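Review bot: in the first hunk the added command `sudo mv seahorse.desktop /root` gives no path for seahorse.desktop, so it only works if the reader has already changed into the applications directory the linked LXDE wiki page describes; suggest writing the full path (system .desktop entries normally live under /usr/share/applications) and lower-casing "E.g." mid-sentence. The text should also say that moving the .desktop entry only hides "Passwords and Keys" from the menu: seahorse stays installed and can still be started from a terminal, so this is a tidiness step rather than a security control.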
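Review bot: in the second hunk the rewritten sentences "look at the additions to in /usr/lib/keepass2/KeePass.config.xml" and "These policies can be added between in KeePass.config.enforced.xml" are each missing the XML element name after "to" and "between" (it was most likely typed as a literal tag and dropped), so the reader never learns which element the policy entries belong under; spell the element name out in words or escape it. Second, "the owner (root), 0400 permissions, and KeePass.config.enforced.xml prevent the database from being copied anywhere" overstates what those controls give: root ownership with 0400 stops the unprivileged desktop user, not root or any process that runs with enough privilege to open the file, and the enforced config only limits what KeePass itself will export; suggest qualifying it to "copied by the unprivileged user". The new "Caveat, make sure that the xml is properly formed" line is a good addition; stating what KeePass does with a malformed enforced file would make it actionable.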