• Off Topic
  • Is it secure to store encrypted KeePass database on Google Drive?

[deleted] giving it to Google to look after

That's the thing. I am trying not to. That's kinda the whole point of my question (how to make it so that I don't), if you were to be more observant.

  • [deleted]

I replied to the "off topic" title of your post, which was a question after all. (I was observant enough to see the question mark at the end..)

If I understand correctly, the database file is stored by Google, but you open the file with a local KeePass program? In this case, Google only ever sees the encrypted database file. It is decrypted locally in RAM by KeePass, but never saved unencrypted. Then your database is as secure as your password.

    areaman yeah, that's kinda what I am trying to figure out. Because in case it only ever gets decrypted in RAM then I am good, but if the passphrase leaves the RAM and interacts with the disk (in my case gdrive filesystem) then I am screwed.

    Who knows, maybe it, for example, gets decrypted and then written down to the disc temporarily and then gets encrypted again when you save changes and lock it...

    The key should never be written to disk by the KeePass application assuming you use a reputable implementation. Even ignoring cloud storage, that would be a security issue on its own as it could allow another application to access the key, and there is no reason to do so. I use KeePassXC, but there are others.

      areaman well, not necessarily the passphrase itself, but rather the file in its decrypted state for the duration of the time when user opens and makes changes to the database, that is what I am concerned about.

      areaman I use KeePassXC
      I use its closest most functional alternative for Android: KeePassDX (XC is not available for droid if anything)
      Guess it is pretty reputable.

      UPD: already asked this question on DX's GitHub page, let's see if they will respond.

        infinitieunique The file itself is never in a decrypted state. When you unlock the database, the encrypted file is read, and a decrypted copy is created in RAM. The file does not change state and is always encrypted.

        So the answer is: no, it isn't getting sent to the filesystem 🥳 (at least according to this guy from the official GitHub of KeePassDX).

        So in case you were wondering if it's safe to store your .kdbx file on a cloud storage that you do not trust not to peek, then: yes, as long as the password is strong and the app is reliable (at least this app is)

        infinitieunique I do not store anything sensitive in the cloud, especially a password manager's database. If someone gets the file they can brute-force it; there is no restriction since it's a local file. Even if we use a key file, there might be some vulnerabilities which are going to be found in the future. Though the chances are low, don't take that risk, and finally you decide whether you need to consider this threat or not.

        i know you found your solution but syncthing may be an easier and more trustworthy solution in the future/if you decide you'd like to avoid google anyway. been using it for this exact use case for quite some time (temporarily unable to set up my NAS)

        infinitieunique Does the DB password ever get sent to the Google servers?

        No

        infinitieunique Or is decryption done entirely on client side?

        Yes

        infinitieunique are you seriously suggesting to trust MEGA instead of Google? 🤣 sure bud, law enforcement won't just subpoena them for your passwords they have stored on THEIR servers (supposedly encrypted but even if so you can't verify whether they also hold decryption keys). Or idk, they will heroically protect you, unlike those filthy Google pigs 😃 haha

        Mega may not be a good alternative, but if they're indeed waiting for a subpoena to fork over your data it's already a big improvement over Google sending it real time to Prism without having to be asked.

        Dan-cer What cloud would you recommend?

        Proton Drive, Tresorit and Peergos are the suggestions from https://www.privacyguides.org/en/cloud/

        You can use Cryptomator as suggested to protect your files inside Big Tech clouds, but I'd rather not even connect to their servers at all.

        infinitieunique before I set up a local NAS

        I've been toying with this idea too, but it's soooo much trouble to do it right.

        infinitieunique It has open source clients. You can check that it's E2EE yourself. So yes, storing stuff in Mega is safe.