Is keeping a KeePass file in Dropbox safe? [closed]

Solution 1:

The question here is not whether you trust Dropbox, but whether you trust KeePass. If your password vault gives up its secrets when someone else gets hold of it, then you will want to find something else.

KeePass uses AES-256 for encryption, which remains the de facto standard, and SHA-256 to create a key from your passphrase along with a salt.

So the encryption method is good. Then you'll want to consider whether there are any implementation weaknesses that can be exploited by someone getting hold of your vault. Well, KeePass seems to do a rolling encryption method, where the file is split into blocks and multiply encrypted. A brute-force attack would take time, and you can increase the keys per second that can be tested when creating the database. Choose for it to do many rounds. This means that it takes time for a key to be tested. For you, it means you have to wait for a second or so for the database to open. For an attacker, it means they have to wait a second or so to test their next key.

There are other protection methods employed, but they aren't relevant to this scenario, like keeping the vault contents encrypted in memory when the vault is open.

You should review the security methods used, and if you feel happy that if the vault fell into the wrong hands that you'd be safe, then go for it.
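The round-count trade-off described in this answer, as an added example that is not part of the original post and not KeePass's own code: a passphrase and salt are run through many iterations of SHA-256 (standard-library PBKDF2-HMAC-SHA256 is used here as a stand-in for the vault's key transformation, which is an assumption of this example, not a description of KeePass's routine). It shows how a round count is calibrated to "about a second" on your machine, and why the same count multiplies the cost of every guess an attacker makes against a stolen copy. The wordlist and throughput figures are constructed, and all function names are this example's own.

```python
import hashlib
import os
import time

# Illustration of the "many rounds" trade-off. PBKDF2-HMAC-SHA256 stands in
# for a vault's key-transformation step; it is NOT KeePass's own routine,
# and every name below belongs to this example.

def derive_key(passphrase: str, salt: bytes, rounds: int) -> bytes:
    """Derive a 256-bit key from passphrase + salt; cost grows linearly with rounds."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, rounds, dklen=32)

def calibrate_rounds(target_seconds: float, probe_rounds: int = 20_000) -> int:
    """Pick a round count so one derivation takes about target_seconds on this box.
    That is what 'wait a second or so for the database to open' buys: the same
    delay is imposed on every guess an attacker makes with a copy of the vault."""
    start = time.perf_counter()
    derive_key("calibration", os.urandom(32), probe_rounds)
    per_round = (time.perf_counter() - start) / probe_rounds
    return max(1, int(target_seconds / per_round))

def dictionary_attack(vault_key: bytes, salt: bytes, rounds: int, wordlist):
    """Offline attacker holding the vault: derive each candidate with the vault's
    salt and round count and compare. Returns (matched_passphrase_or_None, attempts)."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if derive_key(candidate, salt, rounds) == vault_key:
            return candidate, attempts
    return None, attempts

def attacker_seconds(rounds: int, guesses: int, hashes_per_second: float) -> float:
    """Wall-clock time for `guesses` attempts at `rounds` each, given the attacker's
    raw SHA-256 throughput (a constructed figure for illustration, not a benchmark)."""
    return guesses * rounds / hashes_per_second

if __name__ == "__main__":
    salt = os.urandom(32)
    rounds = calibrate_rounds(1.0)
    print(f"rounds for a ~1 s open on this machine: {rounds}")

    # Constructed wordlist; the real passphrase is the third entry.
    wordlist = ["password", "123456", "letmein", "qwerty"]
    vault_key = derive_key("letmein", salt, 1_000)
    print("dictionary attack:", dictionary_attack(vault_key, salt, 1_000, wordlist))

    # Same attacker, same guess budget, different round counts.
    for r in (1, 6_000, rounds):
        print(f"{r:>8} rounds: {attacker_seconds(r, 10**9, 10**9):,.0f} s per 10^9 guesses")
```

The point to take away is the last loop: the round count is a linear multiplier on the attacker's cost and on yours, so the only lever you have is to make the delay as large as you can tolerate at open time, and to use a passphrase whose guess space is not covered by a small wordlist in the first place.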

Solution 2:

There are different degrees of security, and the convenience of Dropbox versus the security of what you're trying to do are something you'll need to evaluate for yourself.

Also, security depends upon the weakest point. If any of the following are compromised, then your files are exposed:

  • You (forget to log out, leave your password on a sticky, share your Dropbox with someone else)
  • Every computer you have Dropbox synced to. Are they using strong passwords? Software up-to-date? Are their disks encrypted? Do they have autologin turned on?
  • Your network connection to Dropbox. Do you have a firewall? Is your modem/router's firmware/software up-to-date? Are they configured properly?
  • Dropbox's software, network and computers.
  • Amazon S3 (where your files are stored).

Consider the following; it may help you make that decision:

  1. The database file will be stored on every computer you have your Dropbox installed on.
  2. Dropbox stores a backup copy of the file locally, even when you delete the file.
  3. You need to ensure that the folder you're storing the file in is not marked public.
  4. It is possible for someone at the company to read your files. According to the information at the link, only a select few people have access to your data and they supposedly only will access it if subpoenaed.
  5. Dropbox stores your files on Amazon S3, which means that it is possible (albeit very unlikely: they'd have to be able to decrypt it) for someone at Amazon to access your data.
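Points 1 and 2 above say the vault exists in more places than the one copy you look at: on every synced machine, and in local copies the client keeps after a delete. The following is an added check, not code from the original post or from Dropbox: it walks a Dropbox folder, hidden directories included, lists every vault-looking file, and reports whether other local users can read it. The cache directory name `.dropbox.cache`, the file suffixes and the sample layout are assumptions of this example.

```python
import os
import stat
import tempfile

# Walk a synced folder and find every copy of a password vault, including
# ones in hidden cache directories. ".dropbox.cache" and the sample tree
# below are this example's assumptions, not a description of the client.

VAULT_SUFFIXES = (".kdbx", ".kdb")  # assumed vault file extensions

def find_vault_copies(root: str, suffixes=VAULT_SUFFIXES):
    """Return sorted [(path relative to root, world_readable)] for every vault file."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):  # os.walk does not skip dot-dirs
        for name in filenames:
            if name.lower().endswith(suffixes):
                full = os.path.join(dirpath, name)
                world_readable = bool(os.stat(full).st_mode & stat.S_IROTH)
                hits.append((os.path.relpath(full, root), world_readable))
    return sorted(hits)

def build_sample_dropbox() -> str:
    """Constructed directory tree: one live vault (owner-only) plus a stale copy
    left in the assumed cache directory with looser permissions."""
    root = tempfile.mkdtemp(prefix="dropbox-sample-")
    live = os.path.join(root, "Private", "passwords.kdbx")
    stale = os.path.join(root, ".dropbox.cache", "old", "passwords.kdbx")
    for path, mode in ((live, 0o600), (stale, 0o644)):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"not a real vault")  # placeholder contents
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    sample_root = build_sample_dropbox()
    for rel_path, readable in find_vault_copies(sample_root):
        print(f"{rel_path}: {'WORLD-READABLE' if readable else 'owner-only'}")
```

Run it against your real Dropbox folder on each synced machine instead of the sample tree; any copy it finds outside the one you intend to use, or any copy readable by other accounts on that machine, is a place an attacker could pick up the file without touching Dropbox at all.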