Which Physical vault would be the better option for storing and monitoring the Master Password securely? and how to do that?

Need a solution to secure manage the access to the master password of a password management tool- last pass, that we would soon be rolling out requirment is 2 people in XY country and 2 people in AB Country (for business continuity) will need to participate in the process of accessing the master/ super admin password Which Physical vault would be the better option for storing and monitoring the Master Password securely?

Handling API keys for client-side app with cloud key vault

I would like to hear about the security implications of my desktop app’s current API usage workflow:

  1. Client-side WPF desktop app connects to Azure Key Vault, a cloud vault, by authenticating via a self-signed certificate packaged and distributed with the app’s installer.
  2. Client app retrieves the API key and the key is assigned to a declared runtime object.
  3. Client app uses the key value to make the required GET requests.
  4. Client app closes with Application.Current.Shutdown().

Not well-versed in security myself, but I wondered:

  • Is distributing self-signed certs a risky practice? Ie. others may create a clone app with it
  • Can others potentially hack into the client during runtime and access the key?
  • Potentials for man-in-the-middle attacks to intercept keys when retrieving from vault?

Keen to hear expert thoughts about the above and other ideas. I can’t think of another way to make the GET request directly from client-side.

Can Microsoft access the contents of my OneDrive Personal Vault?

I found the article to be quite informative that addresses the question "Can Microsoft access my private files?" (Can Microsoft access all private data if a user installs Windows 10?), which includes my OneDrive files, but it didn’t specifically mention the special folder called Personal Vault. Does Microsoft have just as much capability of accessing the contents of my Personal Vault as it does all my other OneDrive files, or is Personal Vault an exception?

How does a shared vault in password managers such as 1Password work?

The password manager 1Password has a feature where multiple accounts in a group ("family") can share login information with each other.

From my understanding, a password manager is never supposed to know my passwords because they are encrypted with my master password before being sent "to the cloud".

How then can I decrypt / see the password that a family member shares with me through the Shared Vault without 1Password decrypting it?

If all passwords are encrypted with my private master password, how can it be possible that another user can decrypt it without me or the password manager knowing the master password of the other person?

Wrap key operation in Azure Key Vault – symmetric keys

Could anyone explain why the bolded part of the wrap key description?

Wraps a symmetric key using a specified key. The WRAP operation supports encryption of a symmetric key using a key encryption key that has previously been stored in an Azure Key Vault. The WRAP operation is only strictly necessary for symmetric keys stored in Azure Key Vault since protection with an asymmetric key can be performed using the public portion of the key. This operation is supported for asymmetric keys as a convenience for callers that have a key-reference but do not have access to the public key material. This operation requires the keys/wrapKey permission.

AFAIK, all the keys in Azure Key Vault are stored at rest in HSM modules. Why is key wrapping necessary for symmetric keys? What does ‘protection’ mean in this case? Using a public key to encrypt data?

If HSM are securing all the keys in Key Vault (using its built-in symmetric key), then why would encrypting a symmetric key be necessary as quoted?

Azure Key Vault – hardware vs software protection

I was wondering if I correctly understand the difference between hardware and software protected keys.

Quoting the Applied Cryptography in .NET and Azure Key Vault (page 146 available on Google books)

Azure Key Vault Hardware Mode

When you configure Key Vault to work in hardware mode, you get the most benefit from the service because not only are keys stored in the hardware, but all operations such as encryption, decryption, and digital signatures are also performed on the device, which gives you the high level of protection when using Key Vault. The extra level of security that this affords does come at a cost as you need to use a premium service plan, but the additional cost gives you the extra protection that you would want in a production system.

Azure Key Vault Software Mode On the flip side, when you configure Key Vault to work in software mode, your keys are stored on the hardware, but any other operations, such as encryption, decryption, and digital signatures are performed outside of the HSM hardware using standard Azure compute virtual machines. Since there is less work on the HSM, you save money. From a software interface point of view, there is no difference in how you use Key Vault between hardware and software mode; the differences are transparent to a developer. When you are planning your testing and production environments for your software application, it is a good idea to use Key Vault in software mode for your testing environments as you can keep the costs low, and then use the hardware version for your production environment as this gives you the most significant level of protection.

In summary, my secret key is safe with hardware protection as long as the encryption key used to secure my secret key is not read from the HSM (which requires tampering with it and it leaves evidence). My secret key does not leave the HSM which performs all the operations using my secret key on its own. However, the software protection doesn’t have this extra security layer and my secret key is given away to Azure compute virtual machines, and my secret key could therefore be stolen without leaving any physical evidence whatsoever. Is that correct?

Storing the password to a vault in the vault itself?

Is there an additional risk associated with storing the master password to a vault inside the vault itself?

I would assume not, since in order to decrypt the vault you must already have that password. But maybe I’m missing something?

And without reuse concerns, anything that can steal the password from the unlocked vault can also just steal the vault itself, so no additional information is being exposed that way.

As to why, besides academic curiosity, I’ve also noticed that sometimes the web version of the vault does not automatically log me in, even if the native app is unlocked. So adding the vault password would simplify that process.

WordPress Vault

Get access to over 3,500 elements for both WordPress and Shopify.

WORDPRESS VAULT!!

All themes and plugins are 100% safe, clean, and distributed under the GLP license agreement.

We also offer our very own Auto-Updater plugin. Meaning, you won´t need to upload a new file every time a theme or plugin launches an update.

With our auto-update plugin, you connect via API and will be able to update any theme or plugin you have installed on your WP site from our vault….

WordPress Vault

Password Vault Storing Passwords

I’ve been working on just a fun side project in C++ to practice encryption algorithms and I sort of ran into a bit of a roadblock of sorts. To summarize the project I have a text file of encrypted passwords and sites the passwords are for, the user logs in and the encrypted information is stored into a list. Simple enough. The log in works just fine and is as close to using a hash function as I care to try for as small a project as I’d like this to be. My main problem is this :

When I want to show the user their password, I need to decrypt it. How do I pass the key to the decryption algorithm without having it stored in at least RAM? Because I have a encrypted version of the key stored in the text file as well and relies on the hash being correct for the key to be decrypted. But I don’t want the user to enter their information again to get the password after they already logged in. So how should I go about this? Should I save the key once I can decrypt it with the users information? Or should is there some solution that is escaping me? Thanks for any help!