Vaultwarden vs KeePassXC for extreme security
-
I was thinking about how all of my passwords are compromised if I have malware on my system. It made me wonder, does Vaultwarden or KeePassXC/KeePassDX offer better protection on a malware infected system?
Vaultwarden
- Only accessed locally via LAN/VPN
- Set up for 2 factor authentication using WebAuthn (FIDO)
KeePasssXC/KeePassDX
- Synced locally via syncthing
- Set up for 2 factor authentication using HMAC-SHA1 Challenge-Response
- All clients blocked from internet access
I don't use browser extensions and I manually copy/paste my passwords to fill in entries.
KeePass has good memory protection, but the 2FA can be read from USB and doesn't change every time the database is decrypted. Vaultwarden enables the more secure FIDO2 2FA, but to my knowledge has less secure memory management as the entire entire database is decrypted on unlock.
For high value accounts, use 2fa with hardware tokens if you can, and maybe use front a dedicated computer (old laptop) with a bare bones software installation to minimize the likelihood of malware.
-
I was thinking about how all of my passwords are compromised if I have malware on my system. It made me wonder, does Vaultwarden or KeePassXC/KeePassDX offer better protection on a malware infected system?
Vaultwarden
- Only accessed locally via LAN/VPN
- Set up for 2 factor authentication using WebAuthn (FIDO)
KeePasssXC/KeePassDX
- Synced locally via syncthing
- Set up for 2 factor authentication using HMAC-SHA1 Challenge-Response
- All clients blocked from internet access
I don't use browser extensions and I manually copy/paste my passwords to fill in entries.
KeePass has good memory protection, but the 2FA can be read from USB and doesn't change every time the database is decrypted. Vaultwarden enables the more secure FIDO2 2FA, but to my knowledge has less secure memory management as the entire entire database is decrypted on unlock.
the entire entire database is decrypted on unlock.
That would be the selling point for me to choose KeePassXC over Vaultwarden.
-
I was thinking about how all of my passwords are compromised if I have malware on my system. It made me wonder, does Vaultwarden or KeePassXC/KeePassDX offer better protection on a malware infected system?
Vaultwarden
- Only accessed locally via LAN/VPN
- Set up for 2 factor authentication using WebAuthn (FIDO)
KeePasssXC/KeePassDX
- Synced locally via syncthing
- Set up for 2 factor authentication using HMAC-SHA1 Challenge-Response
- All clients blocked from internet access
I don't use browser extensions and I manually copy/paste my passwords to fill in entries.
KeePass has good memory protection, but the 2FA can be read from USB and doesn't change every time the database is decrypted. Vaultwarden enables the more secure FIDO2 2FA, but to my knowledge has less secure memory management as the entire entire database is decrypted on unlock.
I'll start by saying that if your device is infected with malware and they can access memory as the root user of the system there's very little you can do. Also, I'm not a security professional by any means, nor am I a desktop application developer - I've mostly done stuff with web services/applications, but I'm going to go out on a limb and say that KeePassXC will be more secure.
When you login to the Vaultwarden web application it's going to exchange your passphrase for a private key. Ideally, this exchange is done over HTTPS with certificates you have trusted (not ignored), but it's still an exchange of your keys over the network. So, you must always be able to trust your network, even if using HTTPS, and be able to attest for yourself that neither your VPN nor your LAN have been tampered with in anyway that could allow for a man-in-the-middle attack. You also have to be able to trust your web browser, add-ons, and system, because your passwords (at some point) are going to be unencrypted JavaScript strings floating around in memory.
In comparison, a KeePass database is, in your case, only going to be transferred over the network via Syncthing, which you can now set a custom encryption passphrase for, while being a fully[1] encrypted file. The processing for KeePass will also be done on-device and can be sand-boxed using Snap/Flatpak or ran using FireJail and supposedly, as you mentioned, as good memory protection.
[1]: Some optional metadata, like a database display name and icon aren't encrypted.
-
I'll start by saying that if your device is infected with malware and they can access memory as the root user of the system there's very little you can do. Also, I'm not a security professional by any means, nor am I a desktop application developer - I've mostly done stuff with web services/applications, but I'm going to go out on a limb and say that KeePassXC will be more secure.
When you login to the Vaultwarden web application it's going to exchange your passphrase for a private key. Ideally, this exchange is done over HTTPS with certificates you have trusted (not ignored), but it's still an exchange of your keys over the network. So, you must always be able to trust your network, even if using HTTPS, and be able to attest for yourself that neither your VPN nor your LAN have been tampered with in anyway that could allow for a man-in-the-middle attack. You also have to be able to trust your web browser, add-ons, and system, because your passwords (at some point) are going to be unencrypted JavaScript strings floating around in memory.
In comparison, a KeePass database is, in your case, only going to be transferred over the network via Syncthing, which you can now set a custom encryption passphrase for, while being a fully[1] encrypted file. The processing for KeePass will also be done on-device and can be sand-boxed using Snap/Flatpak or ran using FireJail and supposedly, as you mentioned, as good memory protection.
[1]: Some optional metadata, like a database display name and icon aren't encrypted.
When you login to the Vaultwarden web application it's going to exchange your passphrase for a private key.
bitwarden is end to end encrypted: your decryption keys never leave your device, and the server certainly never sees them
you must always be able to trust your network
this would be a horrible password manager. this is also not how bitwarden works
you do still need to trust your server if you use the web interface, because any web interface can serve malicious components to exfiltrate whatever they like but native apps, assuming they’re verified appropriately, could communicate over HTTP and still not allow anyone actively monitoring your network to see any data that would be particularly useful
-
When you login to the Vaultwarden web application it's going to exchange your passphrase for a private key.
bitwarden is end to end encrypted: your decryption keys never leave your device, and the server certainly never sees them
you must always be able to trust your network
this would be a horrible password manager. this is also not how bitwarden works
you do still need to trust your server if you use the web interface, because any web interface can serve malicious components to exfiltrate whatever they like but native apps, assuming they’re verified appropriately, could communicate over HTTP and still not allow anyone actively monitoring your network to see any data that would be particularly useful
-
I was thinking about how all of my passwords are compromised if I have malware on my system. It made me wonder, does Vaultwarden or KeePassXC/KeePassDX offer better protection on a malware infected system?
Vaultwarden
- Only accessed locally via LAN/VPN
- Set up for 2 factor authentication using WebAuthn (FIDO)
KeePasssXC/KeePassDX
- Synced locally via syncthing
- Set up for 2 factor authentication using HMAC-SHA1 Challenge-Response
- All clients blocked from internet access
I don't use browser extensions and I manually copy/paste my passwords to fill in entries.
KeePass has good memory protection, but the 2FA can be read from USB and doesn't change every time the database is decrypted. Vaultwarden enables the more secure FIDO2 2FA, but to my knowledge has less secure memory management as the entire entire database is decrypted on unlock.
I don't use browser extensions and I manually copy/paste my passwords to fill in entries.
On most systems copy pasting is heavily insecure since a lot of processes have access to the clipboard. autotype and thinga like browser extensions are considered more secure.
-
I was thinking about how all of my passwords are compromised if I have malware on my system. It made me wonder, does Vaultwarden or KeePassXC/KeePassDX offer better protection on a malware infected system?
Vaultwarden
- Only accessed locally via LAN/VPN
- Set up for 2 factor authentication using WebAuthn (FIDO)
KeePasssXC/KeePassDX
- Synced locally via syncthing
- Set up for 2 factor authentication using HMAC-SHA1 Challenge-Response
- All clients blocked from internet access
I don't use browser extensions and I manually copy/paste my passwords to fill in entries.
KeePass has good memory protection, but the 2FA can be read from USB and doesn't change every time the database is decrypted. Vaultwarden enables the more secure FIDO2 2FA, but to my knowledge has less secure memory management as the entire entire database is decrypted on unlock.
For the most part I think both systems are pretty even to protecting the passwords that are on your actual machine. One pro that I can think of for vaultwarden is its less likely that malware would be able to find it since it runs on the browser. One con of this is however you have an additional attack vector that is the server vaultwarden is running on. Should an attacker gain access to that server they could easily replace vaultwarden with a malicious version and grab your password that way.
-
Maybe I’m misunderstanding something then, what’s the private key embedded within the client API’s profile response?
which endpoint are you referring to?
there are passwords exchanged when using the vault management API, but AFAIK that’s for local access (eg CLI talking to the app)
i’m no expert on the specifics of the API; just in the description they give: https://bitwarden.com/help/what-encryption-is-used/
Bitwarden always encrypts and/or hashes your data on your local device before anything is sent to cloud servers for storage. Bitwarden servers are only used for storing encrypted data.
…
PBKDF2 SHA-256 is used to derive the
encryption key from your master passwordthis is exactly the way this should be done. any deviation from this formula by a password manager with a server component should be viewed with extreme scepticism
-
I was thinking about how all of my passwords are compromised if I have malware on my system. It made me wonder, does Vaultwarden or KeePassXC/KeePassDX offer better protection on a malware infected system?
Vaultwarden
- Only accessed locally via LAN/VPN
- Set up for 2 factor authentication using WebAuthn (FIDO)
KeePasssXC/KeePassDX
- Synced locally via syncthing
- Set up for 2 factor authentication using HMAC-SHA1 Challenge-Response
- All clients blocked from internet access
I don't use browser extensions and I manually copy/paste my passwords to fill in entries.
KeePass has good memory protection, but the 2FA can be read from USB and doesn't change every time the database is decrypted. Vaultwarden enables the more secure FIDO2 2FA, but to my knowledge has less secure memory management as the entire entire database is decrypted on unlock.
You’re thinking about this wrong.
Instead of trying to pick the one that will handle a fail state best, you can more effectively assume a fail state and take steps to mitigate it. That is to say: implement key (in your case, password) rotation.
Just establish a trusted system, log in and change your passwords periodically.
You can even do rolling rotation where you only change a few each week.
If that doesn’t seem like the right choice to you, then consider this: you’re thinking about an unconfirmed or possibly even uninvestigated situation where your secrets have been compromised. The solution isn’t to find the secret handling software that deals with this situation in the best way possible, it’s to change secrets.
-
I was thinking about how all of my passwords are compromised if I have malware on my system. It made me wonder, does Vaultwarden or KeePassXC/KeePassDX offer better protection on a malware infected system?
Vaultwarden
- Only accessed locally via LAN/VPN
- Set up for 2 factor authentication using WebAuthn (FIDO)
KeePasssXC/KeePassDX
- Synced locally via syncthing
- Set up for 2 factor authentication using HMAC-SHA1 Challenge-Response
- All clients blocked from internet access
I don't use browser extensions and I manually copy/paste my passwords to fill in entries.
KeePass has good memory protection, but the 2FA can be read from USB and doesn't change every time the database is decrypted. Vaultwarden enables the more secure FIDO2 2FA, but to my knowledge has less secure memory management as the entire entire database is decrypted on unlock.
If you want paranoid level security, psono is probably worth a look.
-
System shared this topic on
