I am looking at the unhappy prospect of having lost several year’s work. The last backup has a corrupted header or a bad password.
There has been a lot of chaos, but I am reasonably certain the backup passphrase I keep in my most recent keepass database is the one I have always used.
I wonder if I simply typed in the the wrong passphase on this last backup? Consistently, twice, when making the backup, which is a very ‘me’ mistake to make, which is why I love a good password manager…
Which brings me to ask: why, during the Backup tool’s wizard, why in god’s name can’t the passphrase be pasted in from a database? Surely its safer and more effective?
I wonder if I simply typed in the the wrong passphase on this last backup? Consistently, twice, when making the backup, which is a very ‘me’ mistake to make, which is why I love a good password manager…
[… 13 lines elided]
That’s why I always click on the “show the passphrase” button after I
type them twice, and visually confirm that I entered my good passphrase
correctly.
Sorry for your loss. Speaking for myself, recently I’ve successfully
recovered my complete QubesOS backup on my computer, however, I was
sweating bullets fearing it might fail (and I, too, might’ve lost years’
personal data).
I’m able to copy/paste into the backup GUI’s password field.
If your password manager is in another qube, then keep in mind that you can’t easily copy/paste into dom0 from another qube. This is by design, since copying into dom0 is a security risk. However, there are several workarounds available, which are documented here:
I also do visual check of the password in Dom0 - or copy paste from a temporary file. I should do a backup-restore more often.
This is off-topic, but do you have a strategy for trying to find your error or crack your password/passphrase ?
My first ideas - maybe you are already trying them :
try to get to the same conditions where you made the backup, and then type your pw into a text document, without looking, exactly as you did to create the backup - for the possibility of a sticky keyboard. Repeat until you are sure that there are no bad keys…
The “emergency backup restore” document gives a way to extract the metadata and its encrypted version. If you can come up with a list of candidate passwords, it should be possible to automate the testing. It will be far more efficient than typing them by hand in the backup app, and it only requires the two small metadata files from the backup, which do not contain any more than the time of the backup, I think.
How to get a list of candidates? Is not so clear. Maybe some of the following:
export all your regular passwords that you might have used without thinking.
try a password cracker for mangling…
do some manual mangling, if you have your own personal “typing failure modes” ?
It would be horribly slow, but it could help get your data back.
Thanks. Done the manual mangling thing already, with typical typos. Complicating factor is I duplicated my password database (tried to make a less-populated version for a less secure device), but I found the lack of filepaths displayed on KeePassXC (+ time pressure) led to confusion
→ there’s a possibility its an entirely different password i made in a different database. Haven’t had time to systematically sort through them.
For general info, I did a test for automatic testing of backup-header.hmac using scrypt. It was doing about 2 seconds per password.
It was a trivial one liner.
I think I expected it to be slower, but it is a big barrier to cracking a fully unknown password.
I did not compare Qubes 4.2 and 4.3. Maybe they are different.