KeePassXC on Qubes

Until 1Password takes the Linux community seriously, KeepassXC is the preferred choice for me.

1Password offer a cloud based solution with only chrome-integration, almost like KeePassXC has for Firefox, Chrome, Vivaldi and Chromium, but Chrome wont be my preferred choice just yet. And also since Cloud solutions has a broader attack vector, there is no need to put the crown jewels on display, when sensitive hacks are almost happening daily on the internet.

If I get a trojan on my active computer, or buy a chinese keyboard, AND have my password database in the cloud, they can login and download it and harvest all my precious passwords without effort and without any fancy cracking efforts. Therefore if you enjoy cloud services, you might consider to use 2FA to access the cloud (and hope your 2nd factor device is not pwned too 😉 Remember that SMS might be in clear text through airwaves that anybody might listen to.

Keeping an offline password manager is what I feel comfortable with, so that is what my current needs are.

And here, KeePassXC seems to be the best multiplatform solution around. And an important thing to remember is that if you have an offline password manager(or password manager installed in an “air-gapped” VM in Qubes, the risks of breaches are smaller even with bugs in the Password Manager software, since nothing directly enters a VM without network connection. So you need bugs in the underlying OS to get breached. Not impossible, but more rare in hypervisors with an offline vault than a traditional OS without.

Air-gapped VMs are also used as Split-GPG and Bitcoin wallets, so I guess its a bit more secure. Enhance your setup with a copy of your database on a PIN-enabled secure USB and sync it to your vault VM regularly.

P.S. Yubikey supports KeePassXC, but not as traditional 2FA

In Fedora 27 and later a newer and better version of KeePassXC is available. Remember to enable recommended security settings:

sudo yum install keepassxc

– Database settings – encryption – Argon2.

– General – Basic settings – Automatically save after every change.

If you use Qubes, you can have the password manager in the “vault” VM and ctrl-c, ctrl-shift-c in the vaultVM and ctrl-shift-v and ctrl-v in the destination VM to feel safer. You can also have a secure password file in vault and a less secure in another vm with internet access.

If safety is not the biggest issue for you and you use multiple computers, then install firefox addon, dropbox and sync selectively :

In Firefox addon:

yum install dropbox.rpm (otherwise dependencies are left out)

Point your KeePassXC to the synced folder .kdbx file.

Enable 2factor authentication to dropbox to prevent ease of access for bad people.

Configuring Cisco ASA VPN on Qubes 4.0 with openconnect

I have rewritten my VPN guide for Qubes 4.0, since my old post from 3.2, didn’t work out of the box and some supposed solutions on the web, didn’t sit well with me. The above link was too much hassle for me, so I chose to investigate how I can make a guide like the last one, just for Qubes 4.0.

Here it is, although the changes are few:

Create your vpn appVM, based on your preferred fedora template:

Add the ‘network-manager’  as a service :

Tur on the AppVM, and when the network icon appears, add the vpn connection:

Select the OpenConnect type:

Insert FQDN in the gateway section and save.

Start the VPN connection:

Type yur password and the connection will be established and your icon look like this:

Issue connecting automatically to hidden wifi in Qubes 3.2

Qubes 3.2, installed new wifi router, created hidden wifi and connected to the network. Everything works, until I reboot and log in.

When logging in, my network is offline and I can’t select my hidden network:

When clicking the network icon, disabling the network and reenabling it, gives me my options so I can select my hidden network, and the connection comes online:

When enabling SSID broadcast, everything works perfectly again, disabling SSID recreates the problem.

Here are the logs from when logging in with visible wifi (sys-net’s guest-sys-net-log):

With hidden wifi:

disabling, reenabling hidden wifi:

The not so great solution provided, was enable SSID broadcast. Problem fixed but solution not preferred 🙂