Connection security levels

Introduction

When a client (e.g. the Kee browser addon) connects to KeePass with the KeePassRPC plugin, it encrypts the communication between itself and KeePass to help protect your passwords from some types of malware.

For this encryption to work, there needs to be a secret key/password that is shared between the two communicating partners - in our case that is the Kee add-on and the KeePassRPC KeePass plugin.

Both ends of the connection need to store the secret key in a safe place; the security level you choose will affect where and how these keys are stored.

No matter which security level you use, the actual messages travelling between your web browser and KeePass are encrypted with the highest available security.

Which security level should I choose?

Most people will be happiest with the default medium security level - it provides a good balance of security and convenience.

If you want higher security you can either:

  • Select the high security level which will ask you to type a new short password every time you connect a KeePassRPC client (such as the Kee addon) to KeePass. A new secret key is created from each password you type.

  • Adjust the “Authorisation expiry time” to decrease the length of time that each secret key is used for. The default expiry time is one year.

You should only choose the low security mode if you are performing a short-term test to diagnose problems that prevent you from using a higher security level.

Technical detail about exactly what is different between each security level can be found below.

Connection security options

There are a few security options for each end of the connection. Naturally you should select the highest security level that you can, but lower security options are available for those who can’t justify the extra time required to use the higher security options.

We strongly recommend NEVER using the low security options unless it’s the only way that you can get your computer to establish a connection between KeeFox and KeePassRPC (if that is the case you should ask for help on the forum and be prepared to re-install some faulty parts of your computer).

The table below explains where the secret key is stored.

Security level | Kee (Firefox/Chrome)               | KeePassRPC (KeePass)
High           | Not stored                         | Not stored
Medium         | Add-on/extension storage location* | KeePass config file (Windows users: encrypted - strength depends on your Windows logon password; Linux/Mac users: protected only by standard filesystem permission ACLs)
Low            | Not applicable                     | KeePass config file (unencrypted)

* This storage location is not encrypted by default. Neither Firefox nor Chrome currently offer a way to encrypt this. However, such encryption would offer no security or convenience improvement over the behaviour of the High security option. So, while this is a change to the way that KeeFox used to work, it is no reason to be alarmed.

The high security level means that a new password is randomly generated every time a client (e.g. the Kee addon) connects to KeePassRPC. This is probably too intrusive for many users, but you might decide that the extra security is worth the added inconvenience in your situation.

Clients other than Kee will store the secret key in different locations. You should consult the documentation specific to that client. For example, KeeFox security levels are described on this documentation page.

Restricting connections

You can optionally require that the other end of a secure connection uses a minimum security level before a connection can be established.

Note that security levels can be spoofed by the other connecting party so they should be used as a convenience for the end-user to encourage correct behaviour rather than a guaranteed contract.

Key expiration

You can set an expiry time for the secret key that clients like the Kee addon use.

The “Authorisation expiry time” configures the maximum time that your authorisation (via the random password) with KeePassRPC will be valid. Set a value in hours from 1 to 43800 (5 years). The default setting is 8760 (1 year). Set this value in the KeePassRPC options window.
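The following is an added example, not code from Kee or KeePassRPC, that models the decisions described in the "Restricting connections" and "Key expiration" sections: whether a connecting client is refused for claiming too low a level, whether a stored key can be reused, or whether a fresh random password must be typed. The `StoredKey` record, the `connection_decision` function and the epoch-second timestamps are assumptions made for illustration; only the 1 to 43800 hour range and the 8760 hour default come from the documentation.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

# Bounds documented for the "Authorisation expiry time" option (hours).
MIN_EXPIRY_HOURS = 1
MAX_EXPIRY_HOURS = 43800      # 5 years
DEFAULT_EXPIRY_HOURS = 8760   # 1 year

class SecurityLevel(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

@dataclass(frozen=True)
class StoredKey:
    """Hypothetical record for a secret key persisted at the Medium or Low level."""
    issued_at: int                 # epoch seconds of the last successful authorisation
    claimed_level: SecurityLevel   # level the peer reported when the key was created

def validate_expiry_hours(hours: int) -> int:
    """Reject values outside the 1..43800 hour range the option accepts."""
    if not isinstance(hours, int) or not MIN_EXPIRY_HOURS <= hours <= MAX_EXPIRY_HOURS:
        raise ValueError(f"expiry must be {MIN_EXPIRY_HOURS}..{MAX_EXPIRY_HOURS} hours, got {hours!r}")
    return hours

def authorisation_expired(key: StoredKey, now: int, expiry_hours: int = DEFAULT_EXPIRY_HOURS) -> bool:
    """True once the stored authorisation is older than the configured expiry window."""
    return now - key.issued_at >= validate_expiry_hours(expiry_hours) * 3600

def connection_decision(client_level: SecurityLevel, required_min: SecurityLevel,
                        stored: Optional[StoredKey], now: int,
                        expiry_hours: int = DEFAULT_EXPIRY_HOURS) -> str:
    """Return 'refuse', 'new_password' or 'reuse_key' for an incoming connection."""
    # The level is self-reported by the peer and can be spoofed, so this gate only
    # nudges users toward the right setting; it is not a guaranteed contract.
    if client_level < required_min:
        return "refuse"
    # High never persists a key: every connection starts with a fresh random password.
    if client_level == SecurityLevel.HIGH or stored is None:
        return "new_password"
    # Medium/Low: the stored key is reusable until the expiry window has elapsed.
    if authorisation_expired(stored, now, expiry_hours):
        return "new_password"
    return "reuse_key"
```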