You may want to look at this thread for ideas:
I very much agree with those who are warning against using a clipboard to copy passwords between qubes. That seems like a really bad idea.
@yann (and others)… how are you setting up a single isolated KeepassXC backend to secure multiple VM browsers without using the clipboard to populate browser login fields?
@necker, I did not take the time yet to do any better than copying, I was waiting with hope for @arkenoi's results, I must say.
One way to do automated logins from passwords stored in the vault VM is to collect browser password files, each containing a single login, in vault. When you need to login, have a script in vault start a dispvm, then populate the browser profile in the dispvm with the appropriate password file, then launch the browser in that dispvm.
For example, Firefox credentials are stored in $profile/logins.json and $profile/key4.db. Assuming they contain the login for mywebsite.com and are tar-ed to mywebsite.com.tar, then the following, when run from vault, will open a browser in a dispvm (based on debian-11-dvm) containing just that login, ready to auto-fill:
qvm-run-vm \$dispvm:debian-11-dvm \
'# a glob in a variable assignment is not expanded, so resolve the profile dir explicitly
profile=$(ls -d /home/user/.mozilla/firefox/*.default 2>/dev/null | head -n 1)
# unpack logins.json and key4.db from stdin (the tar passed to qvm-run-vm) into the profile
( cd "$profile" || exit 1; tar -x )
firefox mywebsite.com >/dev/null
' < mywebsite.com.tar
How to collect the credential files inside vault? One way (that doesn't involve copying external data into the vault VM) is: start an offline firefox in vault with a fresh browser profile, go to about:logins, manually enter a single login, shutdown firefox, tar the generated credential files in $profile, and then delete $profile. Repeat for each login.
Something like the above is great for a few high-security but often-visited sites.
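An added example, not code from the post, that scripts the vault side of this procedure end to end: it refuses site names that could inject into the command string, checks that the tarball holds only the two Firefox credential files before anything leaves vault, and then starts the dispvm. The $HOME/logins layout, the environment variables, and the @dispvm: target (the Qubes 4 spelling of the post's $dispvm:) are assumptions.

```shell
#!/bin/sh
# open-login.sh: launch a disposable browser preloaded with exactly one saved login.
# Added example (not from the thread). Assumes one tar per site in $LOGIN_DIR,
# each holding only the logins.json and key4.db for that single login.
set -eu
LOGIN_DIR="${LOGIN_DIR:-$HOME/logins}"
DVM_TEMPLATE="${DVM_TEMPLATE:-debian-11-dvm}"

# Accept only plain hostnames, so the argument cannot inject shell syntax
# into the command string qvm-run-vm executes, nor escape LOGIN_DIR.
valid_site() {
  case "$1" in
    ""|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
}

# The archive must contain exactly the two Firefox credential files; anything
# else (prefs, extensions, a second login) would widen what the dispvm receives.
archive_ok() {
  [ "$(tar -tf "$1" | sort | tr '\n' ' ')" = "key4.db logins.json " ]
}

# Build the script that runs inside the dispvm; its stdin is the tar stream.
# A glob assigned to a variable is not expanded, so resolve the profile with ls.
remote_script() {
  printf '%s\n' \
    'set -e' \
    'profile=$(ls -d /home/user/.mozilla/firefox/*.default 2>/dev/null | head -n 1)' \
    '[ -d "$profile" ] || { echo "no firefox profile in dispvm" >&2; exit 1; }' \
    'tar -x -C "$profile"' \
    "firefox 'https://$1' >/dev/null 2>&1"
}

main() {
  site=$1
  valid_site "$site" || { echo "refusing site name: $site" >&2; exit 2; }
  archive="$LOGIN_DIR/$site.tar"
  archive_ok "$archive" || { echo "unexpected contents in $archive" >&2; exit 3; }
  # One-shot dispvm: the credential exists only for the life of this browser.
  qvm-run-vm "@dispvm:$DVM_TEMPLATE" "$(remote_script "$site")" < "$archive"
}

if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run as `./open-login.sh mywebsite.com` from vault; the remote script is also what you would paste by hand into qvm-run-vm if you prefer not to keep a wrapper around.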
@airelemental That's not a bad idea. Though I am now realizing that I have relatively few high security accounts (email, encrypted storage, etc). I could create a separate dispVM for each account with a unique installation of KeepassXC that only stores a single login credential in the database. I could also create unique firewalls for each VM that limit traffic to those services. As long as I don't use the browser to access other sites and services, the VM is disposable, and there are no other passwords stored in the local database, that should give me the security I want.
If you go the one VM per account way, then maybe using KeepassXC in the same VM does not add much security: if the VM gets compromised, 'they' just have to install a keylogger to gain access to your keepass db. That does not seem to be much better than 'save password in browser' - which may be fine for some cases, but does not match my perception of 'high security account'.
@airelemental's solution is interesting - with the usual caveat with non-encrypted sensitive material, that backups will need to be protected strongly enough.