
Posted

Hi again!

 

Eyeing your page on the secure design and implementation of PasswordState, I noticed that it's not yet possible to integrate with HSMs: Hardware Security Modules.

 

Right now, when installing PasswordState, we're given a password-protected ZIP file that has the encryption keys to the password database. These are a vulnerable target and will be a sought-after prize for any attacker. Instead of handling the encryption keys in such a manner, I would like to request that PasswordState be remodeled in such a way that all crypto keys can be locked away in an HSM. I've already put Thales nShield HSMs to good use in other use-cases and environments, and they've proven very valuable. Not only does an HSM ensure that your keys will never be stolen (if implemented correctly), depending on the make and model they will also ensure safe and secure backups of the keys. Many HSMs integrate nicely with Microsoft's CNG API, thus providing a standard method for applications to hook into them.
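The CNG integration the post is asking for looks roughly like the following. This is an added example written for this thread, not Passwordstate's code and not anything Click Studios has published: a key-encryption key (KEK) is created as a non-exportable RSA key inside a CNG Key Storage Provider, and each secret is encrypted under a fresh random AES-GCM data key that is itself wrapped by the KEK. With an HSM's KSP the RSA private key never leaves the module, so a stolen database plus a stolen web.config yields only wrapped keys. The provider is the Microsoft software KSP here so the sample runs on any Windows host; the HSM KSP name, the key name `PasswordstateKEK-demo` and the helper names are assumptions.

```csharp
// Added example, not Passwordstate's own code. Envelope encryption with the
// key-encryption key held in a CNG Key Storage Provider (KSP). Swap the
// provider for the KSP your HSM vendor installs (name is vendor-specific and
// assumed here); the Microsoft software KSP is used so this runs anywhere.
using System;
using System.Security.Cryptography;
using System.Text;

static class HsmWrappedKeys
{
    // ASSUMPTION: replace with your HSM vendor's KSP, e.g. new CngProvider("<vendor KSP name>").
    static readonly CngProvider Ksp = CngProvider.MicrosoftSoftwareKeyStorageProvider;
    const string KekName = "PasswordstateKEK-demo"; // hypothetical key name

    // Open the KEK if it exists, otherwise create it as non-exportable.
    static CngKey OpenOrCreateKek()
    {
        if (CngKey.Exists(KekName, Ksp))
            return CngKey.Open(KekName, Ksp);

        var p = new CngKeyCreationParameters
        {
            Provider = Ksp,
            ExportPolicy = CngExportPolicies.None,   // private key can never leave the provider
            KeyUsage = CngKeyUsages.Decryption,      // unwrap only; no signing with this key
        };
        p.Parameters.Add(new CngProperty("Length", BitConverter.GetBytes(3072), CngPropertyOptions.None));
        return CngKey.Create(CngAlgorithm.Rsa, KekName, p);
    }

    public sealed class Envelope
    {
        public byte[] WrappedDek, Nonce, Ciphertext, Tag;
    }

    // Encrypt one secret: random 256-bit DEK, AES-GCM for the data, RSA-OAEP to wrap the DEK.
    public static Envelope Protect(byte[] plaintext)
    {
        using var kek = OpenOrCreateKek();
        using var rsa = new RSACng(kek);

        var dek = new byte[32];
        RandomNumberGenerator.Fill(dek);
        var env = new Envelope
        {
            Nonce = new byte[12],
            Ciphertext = new byte[plaintext.Length],
            Tag = new byte[16],
        };
        RandomNumberGenerator.Fill(env.Nonce);
        using (var gcm = new AesGcm(dek))
            gcm.Encrypt(env.Nonce, plaintext, env.Ciphertext, env.Tag);

        env.WrappedDek = rsa.Encrypt(dek, RSAEncryptionPadding.OaepSHA256);
        Array.Clear(dek, 0, dek.Length); // DEK only ever lives in memory for this call
        return env;
    }

    // Decrypt: the RSA-OAEP unwrap is performed inside the KSP (the HSM, in production).
    public static byte[] Unprotect(Envelope env)
    {
        using var kek = CngKey.Open(KekName, Ksp);
        using var rsa = new RSACng(kek);

        var dek = rsa.Decrypt(env.WrappedDek, RSAEncryptionPadding.OaepSHA256);
        var plaintext = new byte[env.Ciphertext.Length];
        using (var gcm = new AesGcm(dek))
            gcm.Decrypt(env.Nonce, env.Ciphertext, env.Tag, plaintext); // throws on tampering
        Array.Clear(dek, 0, dek.Length);
        return plaintext;
    }

    static void Main()
    {
        // Constructed sample input standing in for a stored password record.
        var secret = Encoding.UTF8.GetBytes("correct horse battery staple");
        var env = Protect(secret);
        var back = Unprotect(env);
        Console.WriteLine(Encoding.UTF8.GetString(back) == "correct horse battery staple"
            ? "round trip OK; KEK is non-exportable in " + Ksp.Provider
            : "round trip FAILED");
    }
}
```

Two points worth checking when you do this against a real HSM KSP: verify after creation that `CngKey.Open(...).ExportPolicy` really reports `None` (some providers silently ignore the request), and remember that the HSM now protects the keys but not the service account that is allowed to use them, so the ASP.NET application pool identity becomes the thing to lock down.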

Posted

Hi Buckit,

 

Yes, we do plan on HSM support at some stage - just working through many feature requests at the moment.

 

We also have other protections in place to mitigate against what you've suggested, and we generally don't recommend keeping an export of your encryption keys. As long as you have a backup of your Passwordstate folder and database, this is all you need to recover. And you can encrypt the web.config file settings, have your database on a different server, and then you would need two elevated breaches to get access. And there are also other controls in place as well.

Regards

Click Studios

Posted
On 12/12/2017 at 10:31 PM, support said:

we generally don't recommend keeping an export of your encryption keys

The initial installation of PasswordState will not start up unless you accept the download of the encryption keys :)

 

On 12/12/2017 at 10:31 PM, support said:

Yes, we do plan on HSM support at some stage

I'll gladly be one of your test subjects!

 

Also, as a side note, let me note how much I love your forum software! It's user-friendly, good looking and has all the features I need. I just discovered the "select-text to auto-quote" feature! Great stuff.
