I’ve been thinking recently about how to securely back up my Passpack account, prompted by my recent post on the lack of security in security questions.
Passpack offers three options that can help with making secure backups:
- Passpack Desktop – an Adobe AIR desktop application that downloads and saves all your passwords locally. It needs to be synced to stay current.
- Backup – creates a backup of all your passwords in Passpack’s own .pp format, which can only be restored into the Passpack website or Passpack Desktop.
- Export – the most open and flexible of the three. It writes all your passwords to a CSV or HTML table.
Issues with these methods:
- Passpack Desktop is a local application, so if my computer were stolen or stopped working at the same time as the web version went down, I would lose my data. It works offline, so it should be safe, but if the company that developed it were compromised, there could be problems with continuing to use it.
- Similarly, the .pp backup can only be restored by Passpack Desktop or the online version. If Passpack is compromised or goes out of business, I could lose the ability to use that backup at all.
- Lastly, exporting my sensitive data to a spreadsheet is definitely useful, but that spreadsheet needs to be protected; otherwise anyone who gains access to my computer can copy every password in one go.
Steps I’ve Taken
After issues accessing Passpack on the office computers this morning, I installed Passpack Desktop on all of them, and on my own PC. Now we all have an offline version in case of connection problems.
That’s probably sufficient for employees who only have shared passwords in their account – all the actual records reside in the master account, which has over 350 passwords in it.
I felt an additional step was required that was free of any ties to Passpack – I wanted to back up the raw data. So the question becomes: how do you securely protect a file on your desktop computer?
My first idea was to use some Windows-based password/encryption method – however, there isn’t one.
Next, I started looking at third-party software to achieve the same task. I looked at archiving the file in a password-protected .7z or .zip file using 7-Zip; however, it appears that they are fairly trivial to crack.
That pointed me towards encryption software of some sort. I’ve recently used TrueCrypt to encrypt my laptop hard drive (and will probably do the same with my desktop shortly). However, I wasn’t comfortable simply having the file on an encrypted drive, as I would want it backed up as well.
To address this, I created a separate TrueCrypt volume (a container file) and placed the exported CSV into it. While the volume is mounted, the file can be read by anyone with access to my computer; when it is dismounted, the container is just an opaque encrypted file. I can then back up this container to Dropbox and sync it between my PCs, so it can be opened on any computer with TrueCrypt installed.
If you are following these steps, create the TrueCrypt volume first, mount it, and then download and save the CSV directly into it, so that the plaintext only ever touches your hard drive inside the encrypted volume. If you save it to your desktop and then move it into the volume, the original bytes are still on the disk: you would have to securely delete the file and overwrite the drive’s free space to make it unrecoverable, and overwriting cannot be relied on for SSDs or journaling file systems. Also check that your browser doesn’t stage downloads in a temporary folder on the unencrypted drive before writing them to the chosen location.
Unfortunately, this whole process means there is one more password I’m going to have to remember, bringing the total to four: the Passpack password and packing key, the laptop’s pre-boot disk encryption password, and finally the backup volume’s password. It will be five by the time I encrypt my desktop computer.
PGP is the common standard for encrypting individual files in the way you described. TrueCrypt doesn’t really make sense for a single file: you have to choose the size of your container in advance, have to mount the entire container for a single file, and so on, while PGP lets you take one file, encrypt it, and then have an encrypted file. There’s an open-source version on Windows called Gpg4win.
Thanks for the info – a file encryption tool is probably a better option than something to create a volume.
Just checked out Gpg4win, and it’s a 100MB install! TrueCrypt is less than 8% of that and uses about 12MB of RAM. Also, if you use TrueCrypt to encrypt your HD, then there is a logic in using it to mount a volume to save running an extra program. It can also be run without installing, which makes it easy to use on temporary PCs.
Create a small TrueCrypt volume on a thumb drive and copy your .pp file into that. You can also copy the CSV version to that same volume. Lastly, put the TrueCrypt program itself (unencrypted) onto the thumb drive. Now you have a portable solution: you can open the TrueCrypt volume on any computer with TrueCrypt installed, plus you have the program available on your thumb drive anyway.