I rely on Bitwarden (slooowly migrating from… a spreadsheet…) and am thinking of keeping a master backup to be SyncThing-synchronized across all my devices, but I’m not sure of how to secure the SyncThing-synchronized files’ local access if any one of my Windows or Android units got stolen and somehow cracked into or something. I’m curious about how others handle theirs. Thanks in advance for sharing!

  • zarenki@lemmy.ml
    link
    fedilink
    arrow-up
    2
    ·
    7 months ago

    For years I’ve been using KeepassXC on desktop and Keepass2Android on mobile. Rather than sync the kdbx file between my devices, I have each device access it through the network. Either via sftp, smb, or nfs, but regardless I need to connect to my home’s VPN to access it when away from home since I don’t directly expose those things to the outside world.

    I used to also keep a second copy of the website-tied passwords in Firefox Sync, but recently tried migrating that to Proton Pass because I thought the PIN feature might help, then ultimately decided to move away from that too and start using the KeepassXC-Browser plugin instead. I considered Bitwarden too but haven’t tried it out yet, was somewhat deterred by seeing people say its UI seems very outdated.

    • Dymonika@beehaw.orgOP
      link
      fedilink
      arrow-up
      1
      ·
      7 days ago

      It didn’t look outdated to me, but is kind of weird and hard to get used to, though I eventually did. I don’t know how to make an export from Bitwarden to take into KeePassXC, though… I’ll need to look into this. Perhaps it can’t be done from the browser alone. Anyway, thanks for sharing.

      • Daniel BP@fosstodon.org
        link
        fedilink
        arrow-up
        1
        ·
        7 days ago

        @Dymonika @zarenki

        If you only have login names and passwords you can export to JSON and then import to KDBX using KeePass (works best) or KeePassXC.

        If you have attachments (key files, certificates, etc…) then you will learn Bitwarden is not that open as it advertises. You will need specific scripts to move your data…

      • not_amm@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        7 months ago

        Syncing files that you may open in both (or more) devices at the same time is unsafe with any service, but you can manage to avoid sync conflicts with KeePass if you do not open the same file at the same time or open the Android app in read-only mode. I’ve only had like 3-4 conflict files this year and they weren’t important.

  • d3Xt3r@lemmy.nz
    link
    fedilink
    arrow-up
    0
    ·
    7 months ago

    if any one of my Windows or Android units got stolen and somehow cracked into or something.

    This shouldn’t be a concern if you’re using disk encryption and secure passwords, which is generally the default behaviour on most systems these days.

    On Android, you don’t need to worry about anything as long as you’ve got a pin/password configured, as disk encryption has been enabled by default for like a decade now.

    On Windows, if you’re on the Pro/Enterprise edition, you can use Bitlocker, but if you’re on Home, you can use “device encryption” (which is like a lightweight Bitlocker) - but that requires a TPM chip and your Windows user account linked to a Microsoft account. If that is not an option, you could use VeraCrypt instead, which is an opensource disk encryption tool. Another option, if you’re on a laptop, could be Opal encryption (aka TCG Opal SED), assuming your drive/BIOS supports it.

    TL;DR: Encrypt yo’ shit, and you don’t need to worry about your data if your device gets stolen.

    • bloodfart@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      7 months ago

      do not do anything in this post until you have backups that you know run and work.

      device encryption is fantastic.

      • Dymonika@beehaw.orgOP
        link
        fedilink
        arrow-up
        1
        ·
        7 months ago

        I’m mortified to say I could certainly do more in this regard. Do you recommend a preferred method?

        • bloodfart@lemmy.ml
          link
          fedilink
          arrow-up
          2
          ·
          7 months ago

          What matters is that the backups are done at the appropriate intervals and verified to be readable.

          You can figure out what interval is appropriate. Some people have to make sure every picture is saved, some people are fine losing a month of stuff.

          Verifying the backup is valid equally important. You don’t wanna find out it was misconfigured and didn’t get your user directories when you try to restore. Just open one up and look to see every once in a while.

          At least fifteen years ago you could set up windows backups through the control panel > backup or something menu. Now on 10 it’s settings > updates and security > backups.

          You can click add drive from there and designate a usb or something as your backup drive.

          Then set an alarm to make sure you remember to do it at the designated interval.

          With android the easiest thing is to sync it to a computer that gets backed up.

          You can use cloud services instead of a hard drive too, but often simple and easy to understand is the best place to start.

          Do you know why it’s important to have backups before using full disc encryption?

          • Dymonika@beehaw.orgOP
            link
            fedilink
            arrow-up
            1
            ·
            7 months ago

            Right, I can imagine that I could lock myself out otherwise. Thanks for the walkthrough!

            • bloodfart@lemmy.ml
              link
              fedilink
              arrow-up
              1
              ·
              7 months ago

              The lockout I see most often isn’t from people forgetting a password or key, but from motherboard failure with a key stored in the motherboards tpm or cpu.

    • fine_sandy_bottom@discuss.tchncs.de
      link
      fedilink
      arrow-up
      0
      ·
      7 months ago

      This is the way OP. Centralised services are just too much a target for bad actors.

      You already have syncthing so most of the way there.

      Also built in TOTP / 2fa is pretty great.

      • shiftymccool@programming.dev
        link
        fedilink
        arrow-up
        0
        ·
        7 months ago

        Also built in TOTP / 2fa is pretty great.

        I can’t wrap my head around how this is a good idea. Isn’t the idea of mfa to protect against password theft? If your second factor is stored with your password, how does that help anything? Honest question, I see this everywhere but can’t figure out why it’s acceptable with security-minded folks

        • Kayana@ttrpg.network
          link
          fedilink
          arrow-up
          2
          ·
          7 months ago

          Late reply, but for me personally, I started doing it because my Keepass database is already accessed using two factors (password and key file). Therefore, I’d gain very little by keeping the second factor of those sites external - essentially, those second factors are compounded into the second factor for the database.