I wish to use highly secure, long, random, generated passphrases.
My assumptions (obstacles):
KeePassXC cannot be used within dom0, so generating and storing the passphrases this way is not possible
Copy and pasting these from an AppVM is also not possible, given that you cannot copy and paste into dom0
I am aware of these options but do not find them sufficiently secure:
saving and storing the passphrase in plaintext in dom0, which is obviously a horrible idea.
passing the passphrase into dom0 at the command line, inside of a text file, leaving a large attack surface for the passphrase to later be found by an attacker. In addition to being extremely tedious.
manually typing the passphrase in each time, necessitating a much shorter, more human-readable passphrase, with high risk of errors and permanent data loss the more complex the passphrase gets. Also very tedious for long, complex passphrases.
@MysticDreamer I recommend manually typing the password; the only thing that can fail then is your memory. This type of password can be just as strong as randomly generated if you just follow best practices and memorize it.
Other than that, if you don't wanna type it each time, maybe consider something like this? https://apricorn.com/ , you could unlock and mount it and there you have the password in plain text. Use it for all my ssh keys personally.
This assumes that the password you are talking about is some sort of master password. If not then use keepass to store all of them.
Passphrases like this, or even more secure than this, can be created in seconds with software, unique passphrases for each backup. With perfect reliability.
No human can even come close to that through memorization.
Other than that, if you don't wanna type it each time, maybe consider something like this? https://apricorn.com/ , you could unlock and mount it and there you have the password in plain text. Use it for all my ssh keys personally.
What you're implying is that you can mount a USB drive to dom0. I was not aware you could do that, and I just tried it and do not see that option.
A quick Google search turns up a bunch of the usual hemming and hawing on this forum where people warn the OP not to do it, and I don't immediately see any instructions for how to do it or if it's even possible.
No, not mount in dom0, never. Just mount in a qube and paste to dom0; this is still not recommended and you can hurt the integrity of dom0.
And the password just as secure I'm referring to, no one would be able to crack it. You are putting unreasonable standards when you only allow randomly generated passwords. You add too much complexity that in the end will hurt your opsec. Like I said, the best password is long, special chars and has no meaning to you whatsoever (or anyone else tbh) BUT you can remember it.
Update: Just do some reading online and you will find out that a good password is technically uncrackable.
Update: Just do some reading online and you will find out that a good password is technically uncrackable.
Just do some reading online and you'll discover that you have no idea who the other person is on the other side of your internet connection, what they know or do not know, and what they have already read - or indeed, written at length for others.
In summary: I stand by every letter of every word I previously stated.
Pasting is only possible from dom0 to an AppVM, not the other way around. I would encourage you to read the link you just shared, as it appears you haven't. Or you didn't understand it.
I also addressed this option in the OP.
passing the passphrase into dom0 at the command line, inside of a text file, leaving a large attack surface for the passphrase to later be found by an attacker. In addition to being extremely tedious.
Yes, that passes a text file. As per my previous comment, I addressed this in the OP:
passing the passphrase into dom0 at the command line, inside of a text file, leaving a large attack surface for the passphrase to later be found by an attacker. In addition to being extremely tedious.
Yes, but it answers your question on how to copy to dom0. With your comment, yes, it's an issue, but since the start the way you lay this up opens up many attack surfaces. So same same, compromises your opsec either way.
That is not what I meant by copying, I meant copy/pasting.
That is what I would call transferring a file.
It appears this is a simple miscommunication over the definitions of common computing concepts. That or someone just doesn't want to be wrong on the internet.
Just wanna add a pointer that the clipboard (copy/pasting) is not more secure than a file. And copy can be a file and clipboard; that term works for both. You copy a file, you copy to clipboard. And will mention once again the most secure way is still memorizing a password and inputting it using the keyboard. That has the least attack surface.
This will be my final entry in this thread, not going anywhere, just like talking to chatgpt
And again, making false assumptions about what I do and do not already know.
I do not need you to teach me anything dude, particularly since you've made it clear you haven't the slightest idea what the fuck you are talking about.
A text file has a wide attack surface. There are about 17 ways a hacker could see the contents of that, no matter how hard you tried to delete it. A clipboard has an attack surface, but itâs not the size of the Atlantic Ocean.
Passphrases generated with them are designed to be easier to remember with sufficient memory training, so you do not need to insecurely store them into text files.
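Added example, not from any post in this thread and not from a Qubes or KeePassXC tool: the thread's disagreement over "generated" versus "memorizable" passphrases comes down to entropy, which depends only on the size of the pool each element is drawn from and how many elements are drawn uniformly at random, never on how memorable the result is. The code below generates a wordlist passphrase with the CSPRNG-backed `secrets` module and reports its entropy; the wordlist is a short constructed one for illustration (a real deployment would load a vetted list, e.g. a 7776-word list), and the guess rate in `years_to_exhaust` is a parameter the caller supplies, not a measured figure.

```python
import math
import secrets

# Constructed sample wordlist (32 entries). Real generators use a vetted list
# of thousands of words; this one only exists so the example runs stand-alone.
SAMPLE_WORDLIST = [
    "anchor", "basalt", "cobalt", "dahlia", "ember", "falcon", "garnet", "harbor",
    "iris", "juniper", "kestrel", "lantern", "marble", "nectar", "orchid", "pebble",
    "quartz", "raven", "saffron", "thistle", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "amber", "birch", "cedar", "dune", "elm", "fjord",
]


def passphrase_entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy of word_count words chosen uniformly and independently from
    wordlist_size distinct words: log2(wordlist_size ** word_count).
    Memorability and word length play no part in this figure."""
    if wordlist_size < 2 or word_count < 1:
        raise ValueError("need at least 2 distinct words and 1 draw")
    return word_count * math.log2(wordlist_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(wordlist, word_count: int, separator: str = "-"):
    """Return (passphrase, entropy_bits). Duplicates are removed first so the
    entropy figure reflects the number of distinct words actually drawn from.
    secrets.choice uses the OS CSPRNG, unlike random.choice."""
    words = list(dict.fromkeys(wordlist))  # dedupe, keep order
    bits = passphrase_entropy_bits(len(words), word_count)
    phrase = separator.join(secrets.choice(words) for _ in range(word_count))
    return phrase, bits


def years_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Years to try every candidate at the given rate (assumed, not measured);
    the expected time to a hit is half of this."""
    seconds = 2 ** entropy_bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    phrase, bits = generate_passphrase(SAMPLE_WORDLIST, 6)
    print(f"{phrase}  ({bits:.1f} bits from a {len(SAMPLE_WORDLIST)}-word list)")
    print("words needed for 128 bits from a 7776-word list:", words_needed(7776, 128))
    print("years to exhaust 128 bits at 1e12 guesses/s:",
          f"{years_to_exhaust(128, 1e12):.3e}")
```

The same arithmetic applies to a memorized passphrase: it is only as strong as the process that produced it, and a phrase built from words the user associates with each other is drawn from a much smaller effective pool than the wordlist size suggests, which is why the entropy of a hand-chosen phrase cannot be stated with the same confidence as that of a generated one.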