password management in QubesOS


ix4...@gmail.com

May 27, 2013, 3:31:19 AM
to qubes...@googlegroups.com
How does QubesOS allow us to solve the password management problem in more creative ways?

With non-Qubes systems I use a TrueCrypt hidden container with a quite strong passphrase, stored on Dropbox. This gives me my passwords on multiple machines, both Windows and GNU/Linux, and some deniability in case I'm asked by border officials to decrypt that file (I have other passwords in the decoy partition of the TC container). The problem with this model is that GameOver (TM) simply takes one keylogger which captures my hidden passphrase to TC. It's also cumbersome because one has to enter the passphrase every time the password vault needs to be unlocked. I alleviate some of the usability pain by storing some passwords in the browser password manager.

How can I improve this by using QubesOS' unique security features? Would I keep a list of ridiculously long KeePassX master passphrases in a plain text file on Dom0 and then copy/paste to other domains to unlock domain-specific KeePassX databases, holding all my domain-specific passwords?

This would give me reasonable usability (assuming it's okay to leave a KeePassX db unlocked while using its AppVM), but it would also only safeguard the crown jewels (Dom0) with my weak screensaver-lock-only user password in case of physical theft.

I'd be interested to know how people have solved this problem, either for a single QubesOS device or (more challenging) for multiple (including traditional OS) devices.

Alex

Andrew Sorensen

May 27, 2013, 4:14:01 AM
to ix4...@gmail.com, qubes...@googlegroups.com
Currently I have a dedicated AppVM for passwords. When I need to
retrieve a password, I look it up in the passwordvm and copy it using
the Qubes clipboard to the VM I need the password in.

Zrubecz Laszlo

May 27, 2013, 4:53:44 AM
to qubes...@googlegroups.com
On 27 May 2013 10:14, Andrew Sorensen <andre...@gmail.com> wrote:

> Currently I have a dedicated AppVM for passwords. When I need to
> retrieve a password, I look it up in the passwordvm and copy it using
> the Qubes clipboard to the VM I need the password in.

I'm doing the same: using a dedicated AppVM without network access.



--
Zrubi

ix4...@gmail.com

Jun 1, 2013, 8:47:40 PM
to qubes...@googlegroups.com
Hm... how do you back up your passwords with this setup?

Andrew Sorensen

Jun 1, 2013, 10:16:13 PM
to ix4...@gmail.com, qubes...@googlegroups.com
On 06/01/2013 05:47 PM, ix4...@gmail.com wrote:
> On 27 May 2013 09:53, Zrubecz Laszlo <ma...@zrubi.hu> wrote:
>
> > On 27 May 2013 10:14, Andrew Sorensen <andre...@gmail.com> wrote:
> >
> > > Currently I have a dedicated AppVM for passwords. When I need to
> > > retrieve a password, I look it up in the passwordvm and copy it using
> > > the Qubes clipboard to the VM I need the password in.
> >
> > I'm doing the same: using a dedicated AppVM without network access.
>
> Hm... how do you backup your passwords with this setup?

You can copy files between AppVMs or do your backups on the host with
qvm-backup.

ix4...@gmail.com

Jun 2, 2013, 7:35:09 AM
to qubes...@googlegroups.com
I believe there are four necessary conditions for a decent backup:

1. Automated - I don't have to do anything for it to protect my files all the time
2. Remote - If my house/office burns down, there is still a retrievable copy of my latest files somewhere
3. Versioned - If I screw up one of my valuable files without realising it, I can always retrieve an earlier version.
4. Encrypted - all destination containers can only be accessed by me

I currently have a setup with my non-Qubes systems that meets these requirements, both for my regular files and for my password vaults. It requires me to trust the TrueCrypt and CrashPlan binaries I use, which in my case I consider an acceptable risk.

I'm not sure how to adapt my existing setup to Qubes, without making Qubes' extra security properties moot.

tim.t...@gmail.com

Apr 1, 2014, 3:22:17 AM
to qubes...@googlegroups.com, ma...@zrubi.hu
What program are you using for this? Does it have a simple "copy password to clipboard" button which doesn't ever display that password on the screen? Currently, I use an encrypted text file and grep, but it suffers from the fact that anyone looking over my shoulder can see my password...

Tim

Joanna Rutkowska

Apr 1, 2014, 4:17:06 AM
to tim.t...@gmail.com, qubes...@googlegroups.com, ma...@zrubi.hu
On 04/01/14 09:22, tim.t...@gmail.com wrote:
> What program are you using for this? Does it have a simple "copy password to clipboard" button which doesn't ever display that password on the screen? Currently, I use an encrypted text file and grep, but it suffers from the fact that anyone looking over my shoulder can see my password...
>
> Tim
>
FWIW I use KeePassX and I run it in a network-isolated dedicated AppVM.
But I think *any* password manager should be just fine.

j.

Zrubi

Apr 1, 2014, 4:21:48 AM
to tim.t...@gmail.com, qubes...@googlegroups.com
On Tue, Apr 1, 2014 at 9:22 AM, <tim.t...@gmail.com> wrote:
> What program are you using for this? Does it have a simple "copy password to clipboard" button which doesn't ever display that password on the screen? Currently, I use an encrypted text file and grep, but it suffers from the fact that anyone looking over my shoulder can see my password...

Actually I'm using the standard (GNOME default) seahorse.
But it doesn't have any feature like copying passwords without seeing them.

--
Zrubi

tim.t...@gmail.com

Apr 1, 2014, 7:32:28 AM
to qubes...@googlegroups.com, tim.t...@gmail.com, ma...@zrubi.hu
http://passwordsafe.sourceforge.net/ has proper copy to clipboard functionality.

Tim

Zrubi

Apr 1, 2014, 8:25:03 AM
to tim.t...@gmail.com, qubes...@googlegroups.com
On Tue, Apr 1, 2014 at 1:32 PM, <tim.t...@gmail.com> wrote:
> http://passwordsafe.sourceforge.net/ has proper copy to clipboard functionality.

If you're using Windows to store passwords... I'm definitely not.


--
Zrubi

timoth...@seznam.cz

Apr 1, 2014, 9:12:55 AM
to qubes...@googlegroups.com
It's definitely not Windows-only, though I'll admit that it looks like it is on the webpage I linked to...

Tim

---------- Original message ----------
From: Zrubi <ma...@zrubi.hu>
To: tim.t...@gmail.com
Date: 1. 4. 2014 12:25:08
Subject: Re: [qubes-users] password management in QubesOS

Micah Lee

Apr 1, 2014, 10:12:36 AM
to qubes...@googlegroups.com
I also use KeePassX on a network-isolated AppVM. It has convenient
shortcut keys for copying the username and password onto the clipboard,
and it never displays your password to the screen if you don't want it
to. It also has an excellent password generator that you can choose to
seed with entropy from the mouse.

I also like it because it's free software, doesn't try to store my
passwords in the cloud, and isn't integrated with a web browser, like
most of the popular competing ones do.
--
Micah Lee

tim.t...@gmail.com

Apr 1, 2014, 11:42:12 AM
to qubes...@googlegroups.com, mi...@micahflee.com

Aha, now I see that keepassx DOES support copying to the clipboard... I tried it out and somehow missed that button.

Tim

Joanna Rutkowska

Apr 1, 2014, 12:03:13 PM
to Micah Lee, qubes...@googlegroups.com
On 04/01/14 16:12, Micah Lee wrote:
> I also use KeePassX on a network-isolated AppVM. It has convenient
> shortcut keys for copying the username and password onto the clipboard,
> and it never displays your password to the screen if you don't want it
> to. It also has an excellent password generator that you can choose to
> seed with entropy from the mouse.
>
> I also like it because it's free software, doesn't try to store my
> passwords in the cloud, and isn't integrated with a web browser, like
> most of the popular competing ones do.
>

Doesn't send all my passwords to the cloud, you say? Ah, how cool is
that! What a nice software! :)

Interesting, how we've started to appreciate things that should be just
a norm...

Ah, that's because anti-privacy is a "new norm" today. Even in the Linux
world -- here's a nice read for all those people who want an Ubuntu
template in Qubes:

https://www.eff.org/deeplinks/2012/10/privacy-ubuntu-1210-amazon-ads-and-data-leaks

(On a side note: I find the Shuttleworth explanation quoted there just
ridiculous -- trusting the vendor not to inject me malware via updates
is a totally different thing than entrusting them with my personal data,
which they can read and process however they like without the risk of
being caught).

joanna.


Axon

Apr 3, 2014, 6:47:53 PM
to Joanna Rutkowska, Micah Lee, qubes...@googlegroups.com
Joanna Rutkowska:
Actually, Ubuntu with Unity is perfect for Qubes because we always talk
about assuming that VMs are compromised, so now we can show how serious
we are by using an OS with a built-in keylogger!

Micah Lee

Apr 3, 2014, 9:30:39 PM
to qubes...@googlegroups.com
On 04/03/14 18:47, Axon wrote:
> Actually, Ubuntu with Unity is perfect for Qubes because we always talk
> about assuming that VMs are compromised, so now we can show how serious
> we are by using an OS with a built-in keylogger!

Not for long (...in about 7 months, when 14.10 comes out):

https://micahflee.com/2014/04/ubuntu-is-finally-taking-privacy-seriously/

--
Micah Lee

cprise

Apr 3, 2014, 10:50:58 PM
to Joanna Rutkowska, Micah Lee, qubes...@googlegroups.com
As you may recall, I want something 'scarier'... An Ubuntu-derived dom0 to more expertly handle hardware features and dispense with short/uncertain support schedules (not to mention a well-maintained HCL that leaves others in the dust).

However, I can't say the Amazon integration was anything other than a disappointment. In Ubuntu/Canonical's defense, the Dash dialog plainly states in large font "Search your computer and online sources" at each prompt. There is a related setting in the Privacy section of the control panel. It's crappy this is the default, but neither are users left unaware even for a second nor prevented from disabling/removing the misfeature. So I feel that Canonical is trying to walk a line between good and bad behavior with the Dash.

OTOH, Ubuntu is better without Dash anyway-- And the effort required to remove Dash/shopping and install Classicmenu on Unity is very minimal. This has presented no problem to derived distros like Mint and Trisquel. Interestingly, even purists like Richard Stallman use an Ubuntu offshoot!

BTW, I also find Shuttleworth's explanation pretty inane. But it's easy to ridicule most security-related PR from before June 2013, when public perception began to shift on the topic. He doesn't seem intent on pulling any MS-style weld-it-all-together moves.

Being downstream from Ubuntu is not a point of concern, IMO. Trusting Canonical still makes infinitely more sense than trusting Microsoft.
