Manually revoke key #10
Comments
Hi, thanks for the report. This issue will be fixed in version 2.0, which is going to be delivered soon. We've also added a button for manually revoking all currently stored keys. For now, there is a standard way for the plugin to forget a key: lock your database, request to unlock it and choose Cancel twice, first in the WinHello dialog and then in the KeePass dialog. Best wishes,
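The revocation step above is a UI procedure. Added here as an illustration, and not the plugin's own code, is a minimal Windows Hello key lifecycle in C# with the WinRT `KeyCredentialManager` API: create a credential, use it to derive a secret, then revoke it by deleting the credential. The credential name, the challenge string and the .NET target framework are assumptions chosen for the example; it also relies on the Hello signature being deterministic for a fixed challenge (as the RSA PKCS#1 v1.5 signatures Windows Hello produces are), otherwise the derived key would differ on every call.

```csharp
// Added example: Windows Hello key lifecycle (create, use, revoke).
// Not the KeePassWinHello plugin's code. Credential name, challenge string and
// target framework (assumed net6.0-windows10.0.17763.0 or later, so WinRT types
// project into C#) are illustrative assumptions.
using System;
using System.Threading.Tasks;
using Windows.Security.Credentials;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.Core;
using Windows.Storage.Streams;

static class HelloKeyDemo
{
    // Hypothetical credential name; a real app would namespace it per user/database.
    const string CredentialName = "ExampleApp.DbUnlockKey";

    static async Task<int> Main()
    {
        if (!await KeyCredentialManager.IsSupportedAsync())
        {
            Console.WriteLine("Windows Hello is not set up on this machine.");
            return 1;
        }

        // 1. Create (or re-create) the credential. The private key is generated and
        //    held by the platform (TPM-backed where one is available); the app never
        //    receives the private key itself.
        var create = await KeyCredentialManager.RequestCreateAsync(
            CredentialName, KeyCredentialCreationOption.ReplaceExisting);
        if (create.Status != KeyCredentialStatus.Success)
        {
            Console.WriteLine($"Create failed: {create.Status}");
            return 1;
        }

        // 2. Use it: ask the platform to sign an app-chosen challenge. The user is
        //    prompted (PIN or biometric); the app only gets a signature back.
        byte[] wrappingKey = await DeriveWrappingKeyAsync(create.Credential);
        Console.WriteLine($"Derived a {wrappingKey.Length}-byte wrapping key from the Hello signature.");

        // 3. Revoke: delete the credential. Anything wrapped with the derived key can
        //    no longer be unwrapped through Hello; the user must fall back to the
        //    original password.
        await KeyCredentialManager.DeleteAsync(CredentialName);

        var reopen = await KeyCredentialManager.OpenAsync(CredentialName);
        Console.WriteLine(reopen.Status == KeyCredentialStatus.NotFound
            ? "Credential revoked; the key can no longer be derived."
            : $"Unexpected status after delete: {reopen.Status}");
        return 0;
    }

    static async Task<byte[]> DeriveWrappingKeyAsync(KeyCredential credential)
    {
        // Constructed, constant challenge so the same secret is derived each time.
        IBuffer challenge = CryptographicBuffer.ConvertStringToBinary(
            "ExampleApp.DbUnlockKey.challenge.v1", BinaryStringEncoding.Utf8);

        var sign = await credential.RequestSignAsync(challenge);
        if (sign.Status != KeyCredentialStatus.Success)
            throw new InvalidOperationException($"Sign failed: {sign.Status}");

        // SHA-256 of the signature gives 32 bytes, usable as an AES-256 wrapping key.
        var sha256 = HashAlgorithmProvider.OpenAlgorithm(HashAlgorithmNames.Sha256);
        IBuffer digest = sha256.HashData(sign.Result);
        CryptographicBuffer.CopyToByteArray(digest, out byte[] key);
        return key;
    }
}
```

Two points worth noting when reading this against the thread. The private key never leaves the platform; the application only ever handles a signature and a hash derived from it, so there is nothing for a credential dumper to reconstruct from the registry or the filesystem. That does not help against code running in the same user session, though: such code can request a signature itself (the user would see a prompt) or simply read the derived key from the application's memory, which is the caveat the maintainers raise later in this thread.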
Would not be surprised if these keys are readable by MimiKatz.
Hi, I would :) As the description says, we do not keep keys in any of these forms; they are strongly encrypted with AES and the built-in cryptographic algorithm of the Windows Hello technology. Best wishes,
Here's to hoping the private key never leaves the embedded TPM. MimiKatz would reconstruct the private key from its being sprayed all over the registry and filesystem, then pull the plain-text, human-readable domain admin password out of lsass.exe. If it is not in the TPM, MimiKatz will find that key sooner or later, if it has not already. Who really needs the WinHello private key? Since it could read lsass.exe, it could also read passwords out of keepass.exe.
Well, theoretically speaking, you could do anything if you run your code with admin privileges; there is no way to be protected against that in principle. But in practice you still have to overcome a lot of technical obstacles, and be lucky, to obtain a particular effective key from inside the KeePass process. KeePass and, we believe, our plugin do as much as possible to protect the user's data. Still, one has to take into account that all data is vulnerable while malicious code is running under an elevated token.
We've implemented a permanent storage in our new release v3.0.
When the initial validity time range was set to 'Unlimited', is there a way to revoke the key and require the original password again? I thought it might be enough to switch the time range back, but it does not seem to have any effect.