🗒️ KeePassRX: Quick Unlocking

Part of the KeePassRX manual.

KeePassRX supports a quick unlocking feature that lets you unlock the database again without retyping the entire master password. This is done securely: the app does not simply keep your master password in memory.

When the database is successfully opened, the master password is encrypted using industry-standard encryption and stored in the Linux kernel's Key Retention Service (KRS). The passcode (short password) is securely hashed, and the result is used as the encryption key for the master password.

It is easier to brute-force a short password than a long one. Keep that in mind when enabling this feature.

When "locked," the app actually closes the password database. It doesn't maintain sensitive usernames and passwords in memory any longer than necessary. If a key file is used, the key file is stored encrypted in memory with a master key so that the database can be unlocked.

Technical Details

KeePassRX uses the well-known libsodium library for encryption, password hashing, and secure memory management. The master password is kept in memory only long enough to open the database and to encrypt the master password under a key derived from the short passcode. The cleartext master password and passcode are then ejected from memory.

While in cleartext, the passwords are held in libsodium secure strings, which protect against timing attacks and various memory tricks. The memory holding these values is also explicitly zeroed when the app no longer needs them.

Implementation Status

The implementation is a work in progress. While the password is being typed into the UI, it is held in an ordinary C++ string rather than in secure memory. Additionally, more settings are needed: one that lets the user increase the passcode length, and one that controls how many failed attempts are allowed before the encrypted master password is ejected from memory.