guide or tips on how to properly use vault vm to store passwords?

[raah...@gmail.com]

Is there qubes guide or anyone have any tips on how they store and use passwords in the vault safely? I appreciate the advice.

[flux]

The way I use my vault VM:
1. Create a *non-networked* (firewllvm=none) virtual machine, call it vault for example.

2. Configure app shortcuts to add KeePassX. I also got rid of everything from the shortcuts aside from KeePassX and a terminal.

3. Boot the VM by clicking KeePassX in the app menu.

4. Use KeePassX normally (create a database, lock it with a password, add, remove, and edit your password entries), see their docs for more info.

In order to get a password out of the vault, here's my "log in to Facebook" workflow:
1. Highlight "Facebook" entry in KeePassX

2. Ctrl-c to copy it to the clipboard of the vault VM

3. Shift-ctrl-c to push the vault clipboard to dom0's buffer (not a clipboard, you can't suddenly paste in dom0 for good reasons)

4. Start a new dispVM

5. Go to Facebook.com in it, type in my email

6. Shift-ctrl-v to push the dom0 buffer down into the dispVM system clipboard

7. Paste password into login password box and hit enter

Best practice would then be to copy something else in the dispVM (regular Ctrl-c) so that hour password isn't lying around in your clipboard.

[raah...@gmail.com]

tks for your reply and the best practice tip! do you think its safe to do this with bank site password?

[raah...@gmail.com]

I mean do you think its safer to just type in the bank password, or would it be safer to use the keepassx vault method?

[flux]

The likelihood that a non-networked vault VM were owned to the point of an adversary stealing encrypted passwords (i.e. they have persistent root access) is much lower than that of a disposable VM being owned.

Thus the point of failure isn't likely ever going to be the vault, it'll be the browser in the dispVM. So, it's just as safe as typing it in.

However, one cross-site scripting vulnerability on the bank site and your password can be sniffed out of the login form regardless of HTTPS. Thus, in your browser, I'd suggest a few security addons to help mitigate risk:

HTTPS Everywhere
uBlock or Adblock Plus
Noscript if you're really paranoid

I personally avoid logging in to two services in the same VM for two reasons. One, security, if the VM were owned I'd like to mitigate damage, and two, to reduce the ability of servers or watchful third parties to correlate my account identities with one another.

[raah...@gmail.com]

well I was also thinking if somehow the password got keylogged from a bad website which is why i was thinking i should do the copy paste method instead of typing it every time.

you must have alot of vms. A good idea for me to maybe do that with my bank sites but I probably will just rely on noscript for blocking 3rd parties on other sites I log into. I also wipe out the whitelist after installing it as well. I do also use https everywhere. I've been afraid to use ublock origin on my bank sites though, especially after a week or two ago the mozilla site was putting out corrupted downloads for it. But I do indeed use it on less important vms.

How do you get your extensions to work in the dispvm and keep them updated?

[Max Zinkus]

I don't have many VMs, I just use new disposable VMs (dispVMs) for each site.

I installed the addons in the disposable VM template, and I keep them updated there. The default is fedora-23-dvm (it only shows up if you click show internal VMs in the VM manager).

See the qubes documentation on customizing your disposable VMs.

Noscript is good. However, if they can keylog you, then they can generally just as easily view the DOM of the web page and get your password that way. Pasting vs typing isn't much of a protection.

--
You received this message because you are subscribed to a topic in the Google Groups "qubes-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/qubes-users/5KPXHpmTA7c/unsubscribe.
To unsubscribe from this group and all its topics, send an email to qubes-users...@googlegroups.com.
To post to this group, send email to qubes...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/292e6f52-012d-4e4c-ba91-7b6d12113dfe%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[7v5w7go9ub0o]

On 03/18/2016 01:06 AM, raah...@gmail.com wrote:
> Is there qubes guide or anyone have any tips on how they store and use passwords in the vault safely? I appreciate the advice.
>

1. No network connections.
2. No processing within the vault - only copy info in or out using qubes
dom0 utilities or gui.

(this means that if you use, e.g. keepassx, and keep the database in
your vault, you must start a dispvm, copy the keepassx database up to
the dispvm; do your password work in the dispvm; copy the updated
keepassx database back to the vault if necessary; dissolve the dispvm.)

[flux]

Please don't copy the entire password database into a networked dispVM. There's no need, and you amplify the damage if the dispVM were rooted a hundredfold.

[7v5w7go9ub0o]

If this is in response to my earlier post, I sure agree!

The dispvm should NOT be networked.

(this means that if you use, e.g. keepassx, and keep the database in

your vault, you must start a dispvm, deactivate dispvm accessibility to
a network, copy the keepassx database up to the dispvm; do your password

[raah...@gmail.com]

I'm a little confused as to why I would need a dispvm to add passwords to the keepassx vault? I'm probably not understanding what you mean exactly.

As to the comment about javascript keyloggers vs dom xss attacks, it is possible that the former could be a problem without the latter. And my philosophy is always use all layers of protection no matter how trivial you think something is, especially if there is no "tradeoffs."

And I'm sorry for asking a dumb question, but how exactly do you keep the addons updated in the disposable vm template? Are you loading firefox in it and letting them update that way?

[7v5w7go9ub0o]

On 03/18/2016 08:11 PM, raah...@gmail.com wrote:
> On Friday, March 18, 2016 at 3:51:22 PM UTC-4, 7v5w7go9ub0o wrote:
>> On 03/18/2016 06:57 PM, flux wrote:
>>> Please don't copy the entire password database into a networked
>> > dispVM. There's no need, and you amplify the damage if the dispVM
>> > were rooted a hundredfold.
>> >
>>
>> If this is in response to my earlier post, I sure agree!
>>
>> The dispvm should NOT be networked.
>>
>> (this means that if you use, e.g. keepassx, and keep the database in
>> your vault, you must start a dispvm, deactivate dispvm accessibility to
>> a network, copy the keepassx database up to the dispvm; do your password
>> work in the dispvm; copy the updated keepassx database back to the vault
>> if necessary; dissolve the dispvm.)
> I'm a little confused as to why I would need a dispvm to add passwords to the keepassx vault?

Because you'd need to execute keepassx within the vault to access the
database, and the principle is that you do NOT execute any potentially
compromised programs, or access any potentially compromised data files
within the vault. ... and ANY program or data file can be compromised.

One compromised spreadsheet, or keepassx executable, or etc., accessed
or executed within the vault places all of its contents at risk.

> I'm probably not understanding what you mean exactly.
>
> As to the comment about javascript keyloggers vs dom xss attacks, it is possible that the former could be a problem without the latter. And my philosophy is always use all layers of protection no matter how trivial you think something is, especially if there is no "tradeoffs."

agreed

>
> And I'm sorry for asking a dumb question, but how exactly do you keep the addons updated in the disposable vm template? Are you loading firefox in it and letting them update that way?
>

I always run FF in a dispvm. (I run everything in its own, individual
dispvm)

- If there are no updates (e.g. bookmarks, extensions, etc.) I simply
flush the dispvm at end of session.
- If there are updated bookmarks, I copy the bookmarks component
(places.sqlite) back to the VM. (bookmarks are text, and not actively
vectors)
- If there are updated extensions I'll start a fresh FF dispvm; update
the extensions; copy the config file back to the vm drawer that contains
FF; shutdown the dispvm. I'll then start a new dispvm with a now-updated
set of extensions for new browsing.

(FWIW, the VM has various drawers, each containing its own configuration
file, such as firefox, chrome, thunderbird, keepassx, etc.)

I need to mention that I've been criticized for this approach - that it
is *not* the standard Qubes way of doing business.

At this point I think it is best if you get other opinions on how to
handle vaults, appvms (I have essentially one), dispvms, etc. (IMHO
their use should be thought out together).

Good Luck

[raah...@gmail.com]

might be considered excessively paranoid, but it makes sense to me. I don't see anything wrong with it. I guess updating the extensions would be something you would want to do only from a freshly loaded dispvm though. one can say well the extensions could compromise you, but then again so can template updates from fedora or debian. And having noscript when visiting pages is probalby better then not having it.

I hate to ask a super noob question but came across this problem earlier trying to transfer a file i downloaded in the dispvm. When a dispvm is started from loading the browser, how do I access the file manager for it? In other words say printing to file, i can't hit the show containing download folder, so how do I get to it? I'm probably missing something obvious but I coudln't figure it out lol.

[Bill Wether]

Even if you launch the browser first, you can still use qubes-manager to open a terminal in the dispvm. What I usually do is to bring up the dispvm with xterm instead of a browser.

The simple way to do this is via a hacked shortcut. (If you copy the dispvm browser shortcut to the desktop, you can poke around a bit and easily figure out how to do this.)

Regards

BillW

[Axon]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

raah...@gmail.com:

You can run this command from dom0:

qvm-run dispX nautilus

Replace "X" with the number of your DispVM. (If it's a Debian-based
template, try replacing "nautilus" with "dolphin".)
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJW7K+cAAoJEJh4Btx1RPV8CF4P/3mNvV+T7rIrOKtPUmUVSxIH
m7AHCOsFMQurKr9JQGIQtW05KdZ92oQ2qO3ptnu2+PQWt/00L/upZ0sOgsQGRHCR
pLH+hyG2Ovqkb7yCDnGiVy/q5cqTNhEmUuDgOxbh6bcokMvSSH2zD0WNO2jqpKce
2z6TLm6r0wjjQWXluBfIj5Fjri0qPMMitXrrUqbI+LaNGpO57iYZX39b6aR1nxHq
CdIMxb2h0Z7z2JmZzFmlECpLUIDpEoVSP7zUsnPET4TtMQpwv2z5ZvDEFAqjCV4s
J6okAM8nzGQ1iQ+9RThkZ/KTBSa660Ww+oAl7+iVkv2b9FePjxYUn6GuHugi61gC
/Qrxec1nLftHfh2p59VVW+DcPAMwwVmCjdEdKyghCGvn5mwNXPah9HvGw0UAJ/6E
vCCaBsmnRiSovGUkozN5V2LvK/RuY6w563+NnS3Qs4i8+plLTEGIiHQTLPdH6jPc
ejVmM+0W/jdcpMoMfhJ+UP2hkDfDr3EZciZ4TGIA9wS4sYOGv5ZGwEV9z5DoLnI7
eYQw2MyrGKal6UVDyX/j3BYkKDcGEp2sWAiSs+WPif9Kwv5MIAqylWVSdEWBUD1I
HrWVMDPuM7FSEZvGVHkylmVIM3+ebvwnJVpC4wZqe9sVKIRVlPwvKSlu5qMmb3ql
BuAzopw5S+xxn437ehcf
=w48Z
-----END PGP SIGNATURE-----

[raah...@gmail.com]

great! tks alot man i was trying to run it from the appvm.

[raah...@gmail.com]

tks i was able to make a shortcut for loading browser in dispvm using a certain appvms firewall settings. when using qvm-run $dispvm or dispx in the appvm it wasn't working. now I know you have to do it in dom0 terminal. but no idea how to make a shortcut for that. I just might resort to using chrome instead of firefox for this particular appvm because in chrome you can easily call the file manager without having to download anything.