Tl; dr
I’d like to compartmentalize my Bitwarden password manager vault with a “split-bitwarden” setup. The Bitwarden browser extension, however, does not communicate with a local version of the vault and thus cannot access a split vault in the traditional, socket-based “Split-<service>” method.
Instead of relying on software in a Client VM to send requests to a Vault VM, what if the user initiated requests to the vault from dom0 (or even from the Vault VM) and the requested vault data was put into the Client VM’s clipboard (using e.g. qvm-run-vm
)? At this point the user could hit Ctrl-V
to paste the data (this could even be automated with xdotool
).
Motivation:
- I use the Bitwarden password manager and want to stop using the Bitwarden browser extension to access my vault (to avoid typing in master password and to reduce browser fingerprint).
- When I need login information in an environment without the browser extension, such as Tor Browser, I have to manually copy the data from the vault into that VM, which is cumbersome.
Proposal:
Create a “Split-Bitwarden” password manager system which compartmentalizes the Bitwarden vault into a Vault VM and gives Client VMs limited access to the vault.
Unlike gpg
or keepassxc
, the Bitwarden browser extension does not seem to communicate with any local vault, which means directing the extension’s requests through a socket to a vault in the Vault VM is not possible (AFAIK). Thus, short of creating an extension which could communicate with a split vault, some other method of access is needed.
dom0 will send a request to the Vault VM with, at a minimum, the name of a password manager, the name of the Client VM, an account identifier for the data being requested (e.g. name of account entry in the vault), and the type of data being requested (e.g. username, password, totp). The Vault VM will query the password manager for the piece of data from the specified account identifier. The Vault VM will then run a command like qvm-run-vm <ClientVM> "echo <password> | xclip -sel clipboard"
, which puts that password in the clipboard of the Client VM. The user then pastes the password at their convenience.
Benefits:
- This setup would be extensible to any password manager accessible via the shell or via an API (including but not limited to Bitwarden,
pass
, and KeepassXC). - Could provide fine-grained access control over which pieces of vault data can be sent to which Client VMs (using a user-written configuration file).
- It would eliminate the possibility of a compromised Client VM exploiting “a hypothetical bug in the GPG backend” and gaining control of the vault (see split-gpg docs).
- Eliminates reliance on socket-based split-password manager systems, which are harder to implement, install, and (possibly) maintain.
Drawbacks:
- Users have to initiate requests, although this can easily be done with keybindings and interactive menus like
dmenu
. (Of course, normal e.g. KeepassXC users still have to “initiate” their requests by manually interacting with the vault). - Results in vault data being stored in the clipboard of a potentially compromised Client VM, which may (?) be less secure than sending that password through a socket over
qrexec
.
Does this sound like a useful project? Are there other drawbacks, particularly security drawbacks, which I am not considering?
I’m halfway done with a proof-of-concept and will continue developing it if there appear to be no major downsides or oversights.