keepass2trezor's Introduction

KeePass2Trezor

Less clicks, more security.


The KeePass2Trezor plugin for KeePass 2.x leverages Trezor's security design to encrypt your password database. The decryption key can only be accessed by physically pressing the confirmation button on the Trezor device.

It supports Trezor One, Model M and the new Safe 3 on Windows and Linux.

Features

  • Secure Encryption: Your KeePass database is securely encrypted using your personal Trezor device.
  • Simple Unlock: Unlock your password manager with a single click on your Trezor button.
  • Recovery Seed: Use a 24-word recovery seed to regain access to your passwords.
  • Optional Master Password: Can be used with or without a master password.

How to Use

  1. Download KeePass2Trezor.dll from the latest release.
  2. Copy the DLL to the Plugins folder of your KeePass 2.x installation.
  3. Create a new database, selecting Trezor Key Provider in the Key file/provider field.
  4. Follow the instructions, unlock your Trezor if necessary, and confirm decryption of the key by pressing the button on the device.

Linux Users

While the plugin works on Linux, additional steps are required:

  1. Configure udev rules:

  2. Install mono-develop package:

    • Ensure that the mono-develop package is installed, as the plugin relies on netstandard2.0, which is included with it.
  3. Check libusb-1.0 installation:

    • Verify the installation of libusb-1.0-0. If KeePass2Trezor still hangs with the message "Connect your Trezor device" even with libusb installed, either create a symlink according to this instruction or install the libusb-1.0-dev package to address the issue.
  4. Reconnect the device:

    • After completing the configuration steps, disconnect and then reconnect your Trezor device to ensure the changes take effect.

Requirements

  • KeePass 2.35 or newer
  • .NET Framework 4.6.2 or higher
  • libusb-1.0 for Linux

Security Considerations

⚠ If your device is lost or broken, you will need to purchase a new Trezor or build a PiTrezor and initialize it using the saved seed phrase to regain access to the KeePass database.

⚠ Exporting the database in any format except kdbx will cause loss of the Key ID and make decryption impossible. This is because other formats do not support public custom data (unencrypted) where the Key ID is stored.
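A way to check that a saved file still carries unencrypted public custom data, as an added example that is not part of the plugin's code. It parses the KDBX 4 outer header and rejects every other format; the entry name `ExampleKeyId` and both sample byte strings are constructed for illustration, because this page does not state the name under which the plugin stores the Key ID.

```python
import struct

KDBX_SIGNATURE = (0x9AA2D903, 0xB54BFB67)  # magic numbers of KeePass 2.x files
END_OF_HEADER, PUBLIC_CUSTOM_DATA = 0, 12  # KDBX 4 outer header field IDs

def _take(buf, pos, n):
    """Return n bytes at pos, failing loudly on truncated input."""
    if n < 0 or pos + n > len(buf):
        raise ValueError("truncated or malformed data")
    return buf[pos:pos + n], pos + n

def parse_variant_dict(data):
    """Decode a KeePass VariantDictionary into {name: (type, raw value)}."""
    head, pos = _take(data, 0, 2)
    if head[1] > 1:  # high byte of the little-endian version is the major
        raise ValueError("unsupported VariantDictionary version")
    items = {}
    while True:
        kind, pos = _take(data, pos, 1)
        if kind[0] == 0:  # terminator entry
            return items
        raw, pos = _take(data, pos, 4)
        name, pos = _take(data, pos, struct.unpack("<i", raw)[0])
        raw, pos = _take(data, pos, 4)
        value, pos = _take(data, pos, struct.unpack("<i", raw)[0])
        items[name.decode("utf-8")] = (kind[0], value)

def public_custom_data(blob):
    """Return the unencrypted public custom data of a KDBX 4 file."""
    head, pos = _take(blob, 0, 12)
    sig1, sig2, _minor, major = struct.unpack("<IIHH", head)
    if (sig1, sig2) != KDBX_SIGNATURE:
        raise ValueError("not a KDBX 2.x file")
    if major != 4:
        raise ValueError("KDBX %d header has no public custom data" % major)
    while True:  # fields: 1-byte ID, 4-byte little-endian length, body
        raw, pos = _take(blob, pos, 5)
        field, size = struct.unpack("<BI", raw)
        body, pos = _take(blob, pos, size)
        if field == PUBLIC_CUSTOM_DATA:
            return parse_variant_dict(body)
        if field == END_OF_HEADER:
            return {}

def _field(field, body):
    return struct.pack("<BI", field, len(body)) + body

# Constructed samples; "ExampleKeyId" is a hypothetical entry name (type 0x42 = byte array).
_ENTRY = b"\x42" + struct.pack("<i", 12) + b"ExampleKeyId" + struct.pack("<i", 4) + b"\x01\x02\x03\x04"
SAMPLE_KDBX4 = (struct.pack("<IIHH", *KDBX_SIGNATURE, 0, 4)
                + _field(PUBLIC_CUSTOM_DATA, b"\x00\x01" + _ENTRY + b"\x00")
                + _field(END_OF_HEADER, b"\r\n\r\n"))
SAMPLE_KDBX3 = struct.pack("<IIHH", *KDBX_SIGNATURE, 1, 3)
```

Running `public_custom_data` on a freshly saved or exported file before deleting the original shows whether the unencrypted entries survived; a `ValueError` means the format cannot hold them.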

Technical Details

KeePass2Trezor is a key provider plugin for the KeePass 2.x password manager. It derives the master key using an approach similar to that of the Trezor Password Manager, described in the SLIP-0016 document.

Contribution

🌱 Contributions are welcome! If you have any ideas, suggestions, or bug reports, please open an issue or submit a pull request.

License

This project is licensed under the MIT License. See the LICENSE file for details.

keepass2trezor's People

Contributors

vnau

Forkers

70p4z

keepass2trezor's Issues

Prevent loss of key ID when exporting in formats other than KDBX v4

When using the KeePass2Trezor key provider plugin, each KeePass database is encrypted with its own key generated by Trezor. If the database is in KDBX v4 format, the key ID is stored in the file's public user data header. However, other database formats do not have such public, unencrypted data available until the database is decrypted. Thus, saving the database in other formats may result in the loss of the key ID and make it impossible to decrypt the database.

To avoid losing the key ID, it should also be stored in an auxiliary file, at least for all formats except KDBX v4.

Ability to require button press per-password?

One of the huge advantages of the original TPM was that a button press was required for each specific password you wanted to decrypt. It seems like this implementation is a button press that decrypts the entire DB at once. Is there any way to modify this so that a button press would be required to decrypt each password?

So:
One press to open the database file
One press to decode any entry, every time.

How to use it in Linux?

Hi! I've tried this plugin in mono and wine environments but expectedly Trezor wasn't recognized. Any ideas?

Trezor Safe 5 compatibility

Hi! I have a Trezor Safe 5, but the plugin does not work with it. When I try to create a database based on the Trezor Safe 5, the following error occurs:
[screenshot: sshot-61]
At the same time, the message "Please enter your passphrase" appears on the screen for half a second, and then the device "hangs" with the message "Please wait".

I am ready to take part in testing and can provide a PC remotely for testing and debugging, so that the plugin gets support for the new Trezor.

Quick contact is via Telegram only.

How to use it in Linux?

Hello,
I wanna try this plugin on Linux Ubuntu 22.04, but I have the same behavior as in your closed issue:
How to use it in Linux? #2
I tried compiling from source, but nothing helped. Do you have any ideas what's wrong?
Thanks

Is Trezor Model T supported?

Although the Trezor.Net library used in the project supports Model T and the process is almost the same as for Model One, I have no ability to check if KeePass2Trezor actually works with it smoothly.

It would be great if someone could confirm/deny the possibility of working with Model T and describe the problems that have arisen, if any.

Crash when creating new database

Using KeePass 2.53.1 and KeePass2Trezor 0.1.1, the app crashes when creating a new database. After clicking the OK button in the Create Master Key window, the "Connect your Trezor device" window is displayed for a moment, then without any error popup the whole app ends/crashes.
