Evaluating “Enpass” password manager (Note to self, sorry)

Why evaluate yet another password manager when so many exist, and what are my requirements for a decent one?

First:

  • My password manager must be locally accessible

Why:

  • I don’t want to input my “Master” password (the key to all my passwords) directly into a frontend on the internet (that includes APIs, etc.). Frontends get compromised all the time, and with E2E encryption the actual decryption happens on the frontend. That means I would never trust a SaaS password manager solution. Risk acceptance declined (Accepting the risk!)

Next:

  • My password manager database must be synced across devices (minimum desktop/laptop + phone).

Why:

  • Because syncing is needed if I use more than one device (and most of us do!), and the synchronization is only performed on the encrypted file, so no cloud provider can read it in clear text. And yes, my iPhone is always in Lockdown mode, which hopefully makes the device better protected than it would be otherwise.

and finally:

  • My password manager needs a web browser plugin

Why:

  • I might have one database for low-risk passwords accessible via the browser plugin, and another for high-risk passwords kept only in an air-gapped VM, depending on risk acceptance.

So with that out of the way, let us test Enpass to see whether the solution is up to par. It actually seems like this password manager is the only one meeting my requirements(?):

Installing Enpass

My taste in installation on Linux is to use either the distribution’s own repositories (Red Hat) or, if you trust the supplier of the software more, their repositories (Enpass). If you fear a supply chain attack, you might want to install a package and not update it, provided you trust the source code and are prepared to review it continuously. For me, the application needs to get updated when I update my other packages, using an update app or via dnf update or apt update.

I even prefer updating before official releases, when related to security (Link to Risk analysis on KeePassXC):

Add the repositories, install wget and the application using the instructions on the link above:

The above installation places the executable at /opt/enpass/Enpass, which is not always included in PATH, so it might only work when addressed directly or when a symlink is created.

https://www.qubes-os.org/doc/app-menu-shortcut-troubleshooting/

Start the app, select “Folder Sync” and select your Dropbox folder that is already being synced. If you want the password manager to sync itself, feel free to add a Dropbox account as per “Dropbox” below, or any other file syncing service:

Set your master password, press continue and retype:

Confirm your Master password:

Then you get the possibility to install browser extensions, so press the install button, if you trust it to be safe.

This might have implications beyond my knowledge: if you are hit by a 0-day in your browser, the password database might be compromised through the browser plugin, I suspect. So evaluate your risk acceptance again. Remember: you can always copy/paste via the clipboard between VMs anyway (if you are using QubesOS with an air-gapped password manager VM):

And click “Get it” to install the extension:

Click “Continue to installation”:

Click “Add” if you trust Enpass with your browser data:

And your password manager plugin was added. Click Okay.

Then set Enpass as the default password manager, or do it yourself. Choose deny or allow according to your preference.

A great way to avoid re-using compromised passwords (even ones leaked from other people, which also end up being used in password spraying attacks, etc.) is to enable “Check Compromised Passwords”:

Activate it using your email:

And type in the code sent to your email:

Conclusion:

It ticks my 3 boxes, so I might switch from my “KeePassXC / KeePassium” setup to this software if I come to trust the company over time.

Sometimes you can buy a license with a great discount for the first year. “International Women’s Day” had a 66% discount, so you might want to wait and purchase at the right time.

High-risk passwords should be in an air-gapped database.

Low-risk passwords should be installed as shown above in a user-friendly database, syncing all passwords in the cloud while avoiding direct master password input at the cloud provider.

Enpass is an Indian company, and after my year-long experience with Password Manager Pro from ManageEngine, I would not trust the code quality to be top-notch regarding security (issues have been found and I bet there are hundreds more…. Link). But do a quick risk assessment on your setup. Your phone and desktop need adequate protection. You can’t blame Enpass if evil APTs have easy access to your phone. And Enpass might be quality code now…. ;).

Basic Website Security (WordPress + .DK domain)

There are a lot of risks related to a webpage; some of them might be high and others low, but knowing them and addressing them according to your risk acceptance can be a good idea for both personal and commercial use.

  • Register domain with hidden PII [punktum.dk or hosting provider]
  • Enable MFA via Mit-ID on domain [punktum.dk]
  • Enable MFA at hosting provider admin panel [eg. simply.com]
  • Enforce DMARC, SPF and DKIM on domain to protect email.
  • Enable DNSSEC on domain
  • Disable SSH, etc. if possible or create very long passwords (40+).
  • MFA on CMS login [eg. WordPress site using authy]
  • Remove all plugins not used
  • Remove all themes not used
  • Register WPScan API and scan for known vulnerabilities. [WPScan]
  • Security scan the site on sitecheck.sucuri.net [Sucuri Sitecheck]
  • Install WordFence plugin and register as minimum, the free license [WordFence]
  • Set WordPress plugins and themes to autoupdate
  • Setup continuous website monitoring on shodan.io [Shodan.io]
  • Create your security.txt file [securitytxt.org]
  • Test website configuration and mail [SikkerPåNettet.dk] (Ignore ridiculous IPv6 errors)

The above are the things I came up with, when registering a new personal domain and website. The more important/commercial the website is, consider DDoS protection, WAF, etc. provided by CloudFlare, Imperva or others.
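As an added example (not part of the post), a small Python check for two items on the list, SPF and DMARC: it parses the TXT records and says whether they actually enforce anything, including the 10-lookup limit that silently breaks SPF. The records it is fed are constructed samples, not records from any real domain.

```python
# Added example (not from the post): offline sanity checks for the SPF and DMARC
# records the checklist asks for. Inputs are constructed sample TXT records.
import re

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}


def spf_lookup_count(txt: str) -> int:
    """Count lookup terms, ignoring the +/-/~/? qualifier and any argument."""
    count = 0
    for term in txt.split()[1:]:
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            count += 1
    return count


def check_spf(txt: str) -> tuple[bool, str]:
    """True only for a v=spf1 record that ends in -all and stays under 10 lookups."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False, "not an SPF record"
    if spf_lookup_count(txt) > 10:
        return False, "more than 10 DNS lookups: receivers return permerror"
    last = terms[-1].lower()
    if last != "-all":
        return False, f"ends with {last!r}: unlisted senders are not rejected"
    return True, "enforcing (-all)"


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict keyed by lower-case tag."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt: str) -> tuple[bool, str]:
    """True when reject/quarantine applies to 100% of mail failing DMARC."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return False, "not a DMARC record"
    policy = tags.get("p", "none")
    if policy not in ("quarantine", "reject"):
        return False, f"p={policy} only reports, it never blocks"
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        return False, f"pct={pct}: policy applied to only part of failing mail"
    return True, f"enforcing (p={policy})"
```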

If self-hosting, install EDR on the servers, use CIS Benchmarks and SELinux, rotate DKIM keys periodically, etc.

Enjoy !

Font size in qt applications – QubesOS 4.2

When readjusting everything from font size 12 to 10, one type of application just ignores this: the Qt applications.

So when starting KeePassXC, the font looked quite large compared to everything else, so I had to readjust it in the VM used.

Example of how it looks before the change:

Starting the program to make the changes:

[user@personal ~]$ qt5ct

Change the font to 10 and resize your app.

It looks quite the same, when having the same width, but if you compare the font in the title, you can see the difference.

Steam on QubesOS (Debian 12 Bookworm)

Just wanted to play ThreatGen Red vs Blue and figured I’d update my template, so here goes:

In dom0:

sudo qvm-template install debian-12

In Qube Manager clone the debian-12 to a “debian-12-Steam” template and give it plenty of storage and memory:

Initial memory 4000MB
Max Memory 16000MB
System storage max size: 50GB (depending on what games you play)

Install Steam in this qube following the guide here: https://itslinuxfoss.com/install-steam-debian-12/

Start steam for the first time in the template to finish the install.

Create AppVM Qube with enough memory and disk also:

Then run Steam; the background is completely white, and you have to move the mouse to the top left corner of the white area and select settings:

Then move down and select “interface” and deselect everything regarding graphics acceleration:

That’s it. Install ThreatGen :

If you want to install the game in the template, don’t install it here, but there 🙂

Enjoy

Huawei MateView on QubesOS

If your display is configured at 3840 x 2160, then you might not be satisfied with the lack of 1.5 million pixels on the screen or the occasional blinking/blacking of the screen.

Go to Dom0 and write:

cvt 3840 2560 30

xrandr --newmode <output after Modeline>

xrandr --addmode DP-1 3840x2560_30.00

xrandr --output DP-1 --mode 3840x2560_30.00

If you are using HDMI-1 instead of DP-1, use that. Check with the following command:

xrandr <enter>
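As an added example (not from the post), a small Python helper that makes the “<output after Modeline>” step mechanical: it parses the Modeline that cvt prints, reads which output a plain xrandr call reports as connected, and builds the three xrandr commands above. The cvt and xrandr text inside it are constructed samples, not real output.

```python
# Added example (not from the post): build the three xrandr commands from the
# Modeline that cvt prints. CVT_OUTPUT and XRANDR_LISTING are constructed
# samples; run the real cvt and xrandr in dom0 to get your own values.
import shlex

CVT_OUTPUT = """\
# 3840x2560 29.95 Hz (CVT) hsync: 78.94 kHz; pclk: 405.50 MHz
Modeline "3840x2560_30.00"  405.50  3840 4112 4520 5200  2560 2563 2573 2636 -hsync +vsync
"""

XRANDR_LISTING = """\
Screen 0: minimum 320 x 200, current 3840 x 2160, maximum 16384 x 16384
DP-1 connected primary 3840x2160+0+0 (normal left inverted right x axis y axis) 608mm x 405mm
HDMI-1 disconnected (normal left inverted right x axis y axis)
"""


def parse_modeline(cvt_output: str) -> tuple[str, list[str]]:
    """Return (mode name, timing tokens) from the Modeline line; shlex drops the quotes."""
    for line in cvt_output.splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "Modeline":
            return tokens[1], tokens[2:]
    raise ValueError("no Modeline found in cvt output")


def connected_outputs(listing: str) -> list[str]:
    """Output names reported as 'connected' by a plain `xrandr` call."""
    return [t[0] for t in (line.split() for line in listing.splitlines())
            if len(t) > 1 and t[1] == "connected"]


def xrandr_commands(cvt_output: str, output: str) -> list[list[str]]:
    """argv lists for --newmode, --addmode, then switching the output to the mode."""
    name, timings = parse_modeline(cvt_output)
    return [
        ["xrandr", "--newmode", name, *timings],
        ["xrandr", "--addmode", output, name],
        ["xrandr", "--output", output, "--mode", name],
    ]


if __name__ == "__main__":
    # Pick the first connected output (DP-1 here) and print the commands to review
    # before running them in dom0; pass each argv to subprocess.run to apply them.
    for argv in xrandr_commands(CVT_OUTPUT, connected_outputs(XRANDR_LISTING)[0]):
        print(shlex.join(argv))
```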

TryHackMe on QubesOS Kali AppVM

unman has provided Kali templates for QubesOS enthusiasts (v. 4.1 only); you need to enable the repository in /etc/qubes/repo-templates/qubes-templates.repo. The “enable-repo …” command mentioned in the forum did not work for me, so I had to set the enabled flag to 1 directly in the file 🙂

Edit the repo-file:

Install the template:

Then I created an AppVM based on the Kali template and presto, everything works perfectly.

That is except for reverse shell 🙂

I had an issue with reverse shells not working on the Qubes Kali AppVM due to firewall restrictions, even though I disabled the firewall following these instructions (Spoiler: NOT working in a Qubes AppVM).

I got no SYN-ACK to my SYNs, and with the firewall “disabled” I tried searching elsewhere for answers. It turned out that disabling the local firewall in Kali is not enough, and I am afraid of messing up security by following the guides incorrectly.

To resolve the issue, clean out the firewall rules on the local AppVM (or the template VM for persistence):

┌──(root💀kali-max)-[~]
└─# iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

┌──(root💀kali-max)-[~]
└─# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

┌──(root💀kali-max)-[~]
└─# 

This can be done in a more optimal way by opening up only for the specific endpoints/IP ranges from TryHackMe, but this just gets your reverse shells working right now.

The other, safer way that works (if there is no inbound firewall on the target host) is to change the payload in Metasploit from reverse_tcp to bind_tcp, for example:

set PAYLOAD payload/linux/x86/meterpreter/bind_tcp

Enjoy

Qubes 4.1rc3 on Intel NUC10i7FNK

BXNUCi7FNK2 with 1TB NVMe, 64GB memory and 4K monitor support

I did this once before on Qubes 4.0 with help from Frédéric Pierret, but left Qubes on my NUC for Xubuntu due to too many issues with hardware. Intel NUC is not overly Linux friendly. Microsoft is their primary focus.

Then today (of all days) I snuck an install of the promising Qubes 4.1rc3 onto the box, and it started with a single error during the final install: “Start failed: internal error: Unable to reset PCI device 0000:00:1f.6: no FLR, PM reset or bus reset available, see /var/log/libvirt/libxl/libxl-driver.log for details”:

No networking was available upon startup. Disabling the PCI device in question [00:1f.6 Ethernet Controller….] in sys-net made booting of sys-net possible, and luckily wifi worked out of the box.

Hope the above solution might help others in the same situation.

Hardening websites with .htaccess

Always use the latest PHP available from your hosting provider:

AddType application/x-httpd-php-latest .php

Using mod_rewrite:

<IfModule mod_rewrite.c>
RewriteEngine On

# Redirect HTTP to HTTPS:
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Disable compression:
RewriteRule ^(.*)$ $1 [NS,E=no-gzip:1,E=dont-vary:1]
</IfModule>

Strict HSTS, CSP, Referrer-Policy and X-Frame-Options headers:

<IfModule mod_headers.c>
Header set Content-Security-Policy "upgrade-insecure-requests"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set Strict-Transport-Security "max-age=15811200"
Header set X-Frame-Options "DENY"
</IfModule>
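As an added example (not from the post), a Python check that audits a set of response headers against the four headers the .htaccess above sets, so you can confirm the hosting provider actually honours the file. HEADERS is a constructed sample of what that config sends; the `curl` line in the comment is the assumed way to fetch real ones.

```python
# Added example (not from the post): audit response headers against the four
# headers the .htaccess above sets. HEADERS is a constructed sample of what that
# config sends; in practice fill it from `curl -sI https://<your-domain>`.

SIX_MONTHS = 15811200  # seconds; the HSTS max-age used in the .htaccess above


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=N; includeSubDomains; preload' into a directive dict."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"')
    return directives


def audit_headers(headers: dict) -> list[str]:
    """Return findings; an empty list means all four checks passed."""
    h = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: a later http:// visit can be downgraded")
    else:
        max_age = int(parse_hsts(hsts).get("max-age", "0"))
        if max_age < SIX_MONTHS:
            findings.append(f"HSTS max-age={max_age} is below six months")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or weak: site can be framed (clickjacking)")
    if "upgrade-insecure-requests" not in h.get("content-security-policy", "").lower():
        findings.append("CSP lacks upgrade-insecure-requests: mixed content is not upgraded")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing: the browser default decides what leaks")
    return findings


# Constructed sample: exactly the headers the .htaccess above sets.
HEADERS = {
    "Content-Security-Policy": "upgrade-insecure-requests",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=15811200",
    "X-Frame-Options": "DENY",
}
```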