What is going to be the best/most secure policy when using a key file with Keepass? I know that storing it elsewhere (USB Stick, etc.) is the best option, but I do not want to do that. Actually I would prefer to use a key file which stays on HDD. However, Keepass says: Location. The point of a key file is that you have something to authenticate with (in contrast to master passwords, where you know something), for example a file on a USB stick. The key file content (i.e. the key data contained within the key file) needs to be kept secret. The point is not to keep the location of the key file secret – selecting a file out of thousands existing on your hard disk basically doesn't increase security at all, because it's very easy for malware/attackers to find out the correct file (for example by observing the last access times of files, the recently used files list of Windows, malware scanner logs, etc.). Trying to keep the key file location secret is security by obscurity, i.e. not really effective. So, what is your opinion on this?
@dogbite I would employ two options with the keyfile apart from the most convenient which is a USB or locally stored on a HDD volume which leads me to point a). HDD or USB Both encrypted a) Store the keyfile on HDD but in an encrypted volume with Trucrypt with a separate password to that of the KeePass data file. So not only would an attacker need to know the Trucrypt file password to access your keyfile, they would then need to use that to access the Keepass interface in which they would need to know your Keepass data file master password to access your passwords. If you know what I mean. Android b) If you have an Android phone, store the keyfile in its internal storage encrypted with ES File Explorer. So an attacker would simultaneously need your mobile and your desktop to access your passwords. They would need to potentially guess three passwords, 1) your phone 2) ES File explorer encrypted volume password 3) Keepass Data file master password. You just need to unlock phone, unlock ES Volume, point Keepass to it and when you are done re-lock ES file. It only needs to be done once when your at home for example if you don't automatically re-lock interface after a set time. If its a hastle, still just leave it on your phone in the internal storage. Personally for me I use my USB. I have no issues with that as I always carry a USB as most of the time im at work or undertaking postgrad studies. There is however method a) on my HDD as backup. End of the day I would find a way to hide the keyfile somehow, since you want to keep it locally. JUST MAKE SURE that the keyfile you created is to be used in conjunction with a master password and not without. Keepass can make keyfiles to be used INSTEAD of master passwords. regards.
Thanks. Unfortunately I have an iphone which makes the use of a key file kinda tricky because you never know where this **** iOS is placing your file..or eventually how to access it.
That is like a keeping a key next to a door under a mat. External solutions would be the best options for security. But lets not forget about backing it up multiple times, because you will probably never forget a password, but if the file gets lost, everything encrypted with it, will be lost too.
