Suggestion: support for a key file stored on a hardware wallet like Trezor

I’ve read some critical comments regarding storing an encrypted password database in the cloud, yet the chance that AES-256 gets cracked is a million times lower than that of the master password and offline database getting stolen by keyloggers and malware.

However, this is also why at the moment I have zero interest in Kee Vault: it offers nothing new compared to similar services, while at the same time lacking the key file function of KeePass.

If Kee Vault can support a key file stored on a secure physical device like Trezor, this will be a very strong defense against the most plausible scenarios of password theft.

I’ll obviously disagree with your point that Kee Vault offers nothing new - if it didn’t I wouldn’t have spent a year developing it :slight_smile:

However, I’ll leave the info on the website and other topics here to cover all the benefits and just ask specifically about this Trezor system you would like to use.

What makes it immune to malware running on your local system? I get that various hardware enclaves in a system might offer some protection from user and kernel resident malware (the jury is out on whether any have actually achieved this yet but let’s assume for a moment that they have). What I don’t get is how this offers protection to the encryption keys that a password manager utilises to protect the database.

Perhaps you could explain how this Trezor device protects the key material?

And in what way does this differ from the typical KeePass key file which simply adds material from a different part of the infected local system that you’re trying to defend against?

To be clear, I’m all for adding other types of authentication material to Kee Vault in future but right now I don’t see any security benefit in doing so and hence such development work doesn’t have the highest of priorities. Happy to adjust priorities if I’m missing a trick here though!

I am not an expert so obviously I don’t understand the technical details behind it. But as I understand it, the most likely identity theft scenario is that a malware infects the system, scans for and grabs all database files, then uses a keylogger to get the master password.
Trezor and the likes were originally designed to protect the private keys of cryptocurrencies. The manufacturer claims that the device will store and use the key in a way that the key itself never leaves the device and cannot be extracted. Thus, theoretically, the private key itself is near immune to malware attack. Obviously I don’t know how secure this truly is, but given that Trezor and other hardware wallets are pretty common among cryptocurrency users, I think they do work. AFAIK, Trezor provides an API to developers.
Many people including myself use KeePass with a key file stored on USB sticks. Needless to say this doesn’t really improve security, as a sophisticated attack will look for the key file anyway. A method to store the key file securely, the way hardware wallets store private keys, would be really helpful.
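As an added illustration for the disagreement above (this is not code from Kee Vault, KeePass or Trezor, and it is nobody's post in this thread), the following Python sketch puts the two schemes side by side: a KeePass-style key file whose bytes sit on the host disk, and a device that holds a secret it never exports and only answers challenges. The composite-key arithmetic is modelled on KeePass 2.x (SHA-256 over the concatenated per-source SHA-256 hashes, with a 32-byte key file used raw); the HMAC challenge-response device, the `db.key`/`db.challenge` file names and the `HookedDevice` are assumptions made for the sketch, not Trezor's real API. It shows both points made in the thread: an attacker who copies the host's files and keylogs the password recovers the composite key in the key-file scheme but not in the device scheme, while malware that is present and hooking the device channel at unlock time still observes enough to rebuild the key.

```python
"""Added example (not Kee Vault/KeePass/Trezor code): key file on disk vs.
a device-held secret, against file theft and against live malware."""
import hashlib
import hmac
import os


def password_key(password: str) -> bytes:
    """Per-source hash of the master password (SHA-256 of UTF-8 bytes)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def keyfile_key(key_file: bytes) -> bytes:
    """Per-source hash of a key file, modelled on KeePass 2.x: a 32-byte
    file is used as-is, anything else is hashed (XML/hex variants omitted)."""
    return key_file if len(key_file) == 32 else hashlib.sha256(key_file).digest()


def composite_key(*source_hashes: bytes) -> bytes:
    """Composite key = SHA-256 over the concatenated per-source hashes."""
    return hashlib.sha256(b"".join(source_hashes)).digest()


class HardwareDevice:
    """Assumed device model: the secret is generated inside and the only
    exposed operation is an HMAC response to a challenge. No export method."""

    def __init__(self, rng=os.urandom):
        self._secret = rng(32)  # never returned by any method

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class HookedDevice:
    """Same interface, but records every response: stands in for malware
    hooking the USB/HID path while the user unlocks the database."""

    def __init__(self, real: HardwareDevice):
        self._real = real
        self.captured = []

    def respond(self, challenge: bytes) -> bytes:
        response = self._real.respond(challenge)
        self.captured.append(response)
        return response


def unlock_with_keyfile(password: str, host_files: dict) -> bytes:
    """Key-file scheme: every input to the composite key lives on the host."""
    return composite_key(password_key(password), keyfile_key(host_files["db.key"]))


def unlock_with_device(password: str, host_files: dict, device) -> bytes:
    """Device scheme: the host stores only a challenge beside the database
    (assumed file name); the device response replaces the key-file hash."""
    return composite_key(password_key(password), device.respond(host_files["db.challenge"]))


def offline_attacker_key(keylogged_password: str, stolen_files: dict):
    """What an attacker holding a copy of the host's files plus a keylogged
    password can derive. None means a required input never touched disk."""
    if "db.key" in stolen_files:
        return unlock_with_keyfile(keylogged_password, stolen_files)
    # Only the challenge was on disk; without the device secret the
    # response, and so the composite key, cannot be computed offline.
    return None


def demo(password: str = "correct horse", rng=os.urandom) -> dict:
    """Constructed scenario: same password, one host per scheme."""
    device = HardwareDevice(rng)
    host_keyfile = {"db.key": rng(32)}
    host_device = {"db.challenge": rng(32)}

    real_kf = unlock_with_keyfile(password, host_keyfile)
    real_dev = unlock_with_device(password, host_device, device)

    # Live malware: hook the device channel during one legitimate unlock,
    # then replay the captured response (the challenge is fixed per database).
    hooked = HookedDevice(device)
    unlock_with_device(password, host_device, hooked)
    replayed = composite_key(password_key(password), hooked.captured[0])

    return {
        "keyfile_scheme_broken_by_file_theft": offline_attacker_key(password, dict(host_keyfile)) == real_kf,
        "device_scheme_broken_by_file_theft": offline_attacker_key(password, dict(host_device)) == real_dev,
        "device_scheme_broken_by_live_hook": replayed == real_dev,
    }


if __name__ == "__main__":
    for name, broken in demo().items():
        print(f"{name}: {'yes' if broken else 'no'}")
```

The third result is the caveat a practitioner should keep in mind when weighing this feature: a device-held secret removes the key-file copy from the file-theft scenario, but because the challenge stored with the database is fixed, a single captured response (or the derived key in process memory) is enough for an attacker who is already running on the host at unlock time.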