Kryptel Password Manager might look like another one of those numerous password managers, but there is one important difference – it is secure. What does this mean?
- It keeps your passwords and keys in an encrypted container.
- Keys are supplied via an encrypted communication channel and are impossible to intercept.
- It transfers derived key material only; the original passwords and keys never leave it. Even if an attacker somehow manages to get the derived key, other files encrypted with the same password or key will remain safe.
- Stored passwords can be used but can’t be viewed or copied. No one will be able to take a quick peep into your password database when you are out to get some coffee.
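The "derived key material only" point above is the one worth understanding. The following added illustration (not Kryptel's own code; Kryptel's actual derivation is not described on this page) models a manager that keeps the user's password and hands an encryptor only a key derived from the password and a per-file salt. The class name, the PBKDF2 work factor and the salt length are assumptions made for the example. It shows why a single derived key leaking does not expose the password or the keys of other files, while the same file can still be reopened because derivation is deterministic.

```python
import hashlib
import secrets

# Illustrative scheme only (not Kryptel's documented derivation): the manager
# keeps the user's password and hands an encryptor a key derived from the
# password plus a per-file salt, so the password itself never leaves the manager.
PBKDF2_ITERATIONS = 100_000  # assumed work factor for this illustration
KEY_LEN = 32                 # bytes of derived key handed to the encryptor
SALT_LEN = 16                # bytes of per-file salt, stored with the file


class KeyProvider:
    """Holds the original secret; only derived material crosses the boundary."""

    def __init__(self, password: bytes):
        self._password = password  # never returned by any method

    def key_for_file(self, file_salt: bytes) -> bytes:
        """Derived key for one file. Deterministic for a given salt so the
        file can be reopened later; a different salt yields an unrelated key."""
        return hashlib.pbkdf2_hmac("sha256", self._password, file_salt,
                                   PBKDF2_ITERATIONS, dklen=KEY_LEN)


def new_file_salt() -> bytes:
    """Fresh random salt for a new file. It is not secret and is stored in clear."""
    return secrets.token_bytes(SALT_LEN)


def demo_isolation(password: bytes, n_files: int = 3) -> dict:
    """Derive keys for n files and check the properties the text relies on:
    every file key is distinct, the password itself is never among the
    transferred values, and each file key can be re-derived to reopen the file."""
    provider = KeyProvider(password)
    salts = [new_file_salt() for _ in range(n_files)]
    keys = [provider.key_for_file(s) for s in salts]
    return {
        "all_distinct": len(set(keys)) == n_files,
        "password_not_transferred": password not in keys,
        "reopen_ok": all(provider.key_for_file(s) == k for s, k in zip(salts, keys)),
        "key_len_ok": all(len(k) == KEY_LEN for k in keys),
    }


if __name__ == "__main__":
    # Constructed sample password; any bytes work.
    print(demo_isolation(b"correct horse battery staple"))
```

With a legacy encryptor that can only accept a text password (see the note on Kryptel 8 / Silver Key 5 above), none of this protection applies: the password itself crosses the boundary, which is exactly why the page calls that path insecure.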
Password Manager requires the Kryptel 8 or Silver Key 5 encryption engines. Secure key transfer is not available for files created with earlier versions. The only key material that Password Manager can provide to a legacy encryptor is an insecure text password (see below for a discussion of text passwords).
Creating a Password Database
At the first run Password Manager will display a message saying that there is no password database and will offer to create a new one. Press OK and enter a password or key for your database. Choose your password carefully – the password that protects all your passwords most certainly must be a good one.
As soon as the database is available, the Password Manager’s main window will appear with a tab for every key type:
- Selecting File / Exit quits Password Manager, finalizing all changes made to the database.
- Selecting File / Discard quits Password Manager and discards all database changes. This is the only way to undo mistakes like deleting something you’d rather keep.
- Pressing the cross in the top right corner hides the Password Manager window. Password Manager will sit in the background popping up only when necessary (this is the normal mode of operation). You can also restore Password Manager’s window by clicking its icon in the system tray (where the system clock is).
When Kryptel needs an encryption key, it activates the Password Manager. Just double-click (or drag-and-drop, or copy-and-paste) the password or the key that you wish to use. On decryption Kryptel asks for the key only if the Password Manager has not been able to supply it.
Adding New Keys
Don't forget to back up your password database as soon as any change is made.
Adding a Simple Key
Open the tab for the type of the key you want to add (that is, open Passwords if you want to add a password) and select Edit / Add.
Enter the password (or specify a binary key, or specify a Yubikey log file).
The last mandatory step is specifying the key name. Don’t enter the actual password; this name is supposed to be a brief description like Password for weekly backups or Key for company files.
Adding a Complex Key
Open the Composites or the Groups tab and select Edit / Add. In the key lists select at least two component keys (click while holding the Ctrl key to select several items) and enter the key name.
Note that the component keys are removed from the corresponding key lists after the complex key is created. If you want to use the same subkey also individually, add it twice to the password database (under different names as duplicate names are not allowed).
You can limit the functionality of a specific key by assigning the following access rights.
- C (Create) – The key can be used for creation of a new container.
- M (Modify) – The key can be used to modify an existing container.
- D (Decrypt) – The key can be used to view the contents of an existing container and to decrypt the files it contains.
The right to decrypt
A container must always be decryptable. If none of the used keys allows decryption, the program modifies the key rights as follows:
- If the container is encrypted with a single key, the Decrypt right will be added.
- If the container is encrypted with a group of keys, and none of the keys has the Decrypt right, the program will add this right to all the keys in the group.
- If there is an active master key, the access rights will not be changed. A master key allows decryption by definition, so the condition that at least one key must be able to decrypt is always satisfied.
Key access rights are stored in the container header when the container is created and cannot be changed afterwards. For example, if a container is created with a password that has C-D (Create and Decrypt) rights, that password will not be able to modify the container even if you add the Modify right later.
It is interesting to note that a key with no rights assigned is still perfectly valid. While it cannot be used on its own, it can be a part of a composite key. Composite keys have their own rights; the rights of individual components are ignored.
Any simple or composite key stored in Password Manager may be declared as a master key. When Password Manager provides an encryption key, it also adds all the master keys. It is important to note that master keys are added if and only if the encryption key was provided by Password Manager. If the key was entered by the user (i.e. the user typed the password or inserted the key), then the master keys will not be added. Master keys are never added without the user's knowledge.
Although in some situations quiet inclusion of master keys might be preferable, such a feature could be exploited to insert a backdoor.
A master key is considered a special kind of key and has the following limitations:
- Master key allows read access only.
- During decryption master key is never applied automatically. A master key cannot be copied or dragged to the password window. In order to open a container with a master key the user must type it (or insert the key media).
In short, a master key is an emergency tool not intended for everyday use.
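The access-right rules (C/M/D, the "container must always be decryptable" fix-up, rights frozen in the header at creation, composite rights overriding component rights) and the master-key rules (added only when Password Manager supplied the key, read access only, never offered automatically on decryption) fit together as one small decision procedure. The following is an added model of those rules written for this page, not Password Manager's own code; the data structures, function names and the container header representation are assumptions chosen for the illustration, and only the behaviour the text states is modelled.

```python
from dataclasses import dataclass, replace

# Access rights as named on the page: C (Create), M (Modify), D (Decrypt).
CREATE, MODIFY, DECRYPT = "C", "M", "D"


@dataclass(frozen=True)
class Key:
    """A key as the manager stores it. `components` is non-empty for a composite
    key; a composite's own `rights` apply and its components' rights are ignored."""
    name: str
    rights: frozenset
    is_master: bool = False
    components: tuple = ()


@dataclass(frozen=True)
class ContainerHeader:
    """Rights are copied into the header when the container is created and are
    never changed afterwards, whatever is later edited in the manager."""
    key_rights: dict  # key name -> frozenset of rights, fixed at creation


def effective_rights(key: Key) -> frozenset:
    """A key with no rights is still valid as a component; a composite's rights win."""
    return key.rights


def finalize_rights(keys, master_active: bool):
    """'A container must always be decryptable': if no used key has D and no
    master key is active, add D to every key (a single key is the one-key case)."""
    if master_active or any(DECRYPT in effective_rights(k) for k in keys):
        return list(keys)
    return [replace(k, rights=k.rights | {DECRYPT}) for k in keys]


def create_container(selected, supplied_by_manager: bool, master_keys=()):
    """Assemble the key set for a new container. Master keys join only when the
    manager supplied the encryption key, and only with read (Decrypt) access."""
    masters = []
    if supplied_by_manager:
        masters = [replace(m, rights=frozenset({DECRYPT}), is_master=True)
                   for m in master_keys]
    regular = finalize_rights(list(selected), master_active=bool(masters))
    return ContainerHeader({k.name: k.rights for k in regular + masters})


def allows(header: ContainerHeader, key_name: str, right: str) -> bool:
    """Check a right against the frozen header, not against the manager's key."""
    return right in header.key_rights.get(key_name, frozenset())


def keys_offered_for_decryption(stored_keys):
    """On decryption the manager offers only non-master keys; a master key must
    be typed or inserted by the user."""
    return [k for k in stored_keys if not k.is_master]


if __name__ == "__main__":
    # Constructed sample: a Create-only password and a master key.
    weekly = Key("Password for weekly backups", frozenset({CREATE}))
    master = Key("Emergency master", frozenset({CREATE, MODIFY, DECRYPT}), is_master=True)
    print(create_container([weekly], supplied_by_manager=True))
    print(create_container([weekly], supplied_by_manager=True, master_keys=[master]))
```

Running the two cases at the bottom shows the difference the page describes: without a master key the Create-only password silently gains D so the container stays openable; with an active master key the password keeps exactly C, and the master key appears in the header with D only.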
A password may be declared as a text (insecure) one by checking the corresponding box. If it is checked, then the password can be dragged or pasted as a text string into third-party applications (and so can easily be viewed by pasting it into any text editor). Use this option if you want to use Password Manager as a common (even if a rather simple) password manager. This option is active on password creation only (otherwise it would be easy to steal the password by temporarily checking this box).
Copying the Password Database
In order to back up the password database, use the File / Backup command (or just copy its file using Windows Explorer). The database is an ordinary Windows file named Passwords.edb.
- The desktop version keeps its password database file in the Documents\Kryptel Data\ folder.
- The portable version keeps its password database file on its base drive in the \Kryptel\Password Data\ folder.
In order to use your desktop database on a USB drive, just select File / Backup and choose <your portable drive>:\Kryptel\Password Data\ as the destination folder.