[Question] safety of encrypting the master key

[rex993]

With the latest version, the release notes state:

Removed comparison of the QuickUnlock key and the input of the user. Instead this version encrypts the master key of the database with the QuickUnlock key and decrypts the master key with the user input. If wrong user input is provided the decryption just generates garbage and the database stays locked.

When the master key is encrypted, how safe is this process? Is this stored in memory and destroyed when KeePass closes? Can you elaborate how it works to assure everyone that may have similar questions?

This is extremely handy (just like the keepass2Android feature) and is a life saviour. It's not fun retyping a long key every 10min!

Cheeers

[JanisEst]

When the master key is encrypted, how safe is this process?

The master password gets encrypted with ChaCha20 (>=2.35) or Salsa20 (<= 2.34) and is stored with the ProtectedBinary class from KeePass. If you trust the encrypted KeePass database file, you can trust the encrypted master password.

Is this stored in memory and destroyed when KeePass closes?

The ProtectedBinary data gets destroyed when KeePass closes. That's the reason QuickUnlock doesn't work for the first time because there is no stored data.

If this doesn't answer your questions or you have more questions, please ask.

[rex993]

I now understand how your plugin works and my mind is now at ease.

Thanks again for the great on this plugin. I can't live without it now!