NB: You can also use your Apple Watch to unlock Strongbox on your Mac. The Strongbox Apple Watch app is not required for this, and this article only describes the Strongbox Apple Watch app.
Introduction
You can store your database entries on your Apple Watch. This is convenient when you need a credential, note or 2FA Code and you've forgotten your phone or couldn't take it with you. While we don't recommend using your Apple Watch as the primary interface for Strongbox, it is a super handy read-only backup and you never know when it might save your day. Our Apple Watch integration is a Pro feature and we hope you'll find it both beautiful and useful in your day-to-day tasks.
How do I install Strongbox on my Apple Watch?
Sometimes, depending on your settings, the Strongbox Apple Watch app will be automatically installed on your Watch. You can check this by scrolling through the Apps on your watch and looking for the familiar Strongbox icon. If you don't see it, you might need to manually install the Watch app. To do that:
- On your iPhone, open the Watch app
- Scroll down to the Available Apps section
- Tap 'Install' on the Strongbox app and wait for it to complete
How do I add or remove an entry?
To add or remove an entry to or from your Apple Watch:
- First, make sure that the Strongbox watch app is installed on your Watch (see above).
- Open Strongbox on your iPhone
- Unlock your database.
- Navigate to the entry you would like to add to your watch (do not enter the details view).
- Long tap on your entry to display the context menu.
- Tap 'Add to Apple Watch' or 'Remove from Apple Watch' as appropriate.
Note that only the entries that you explicitly add to your watch will be transferred and available there. Your entire database is not transferred. We recommend keeping the number of items you transfer to your watch small to improve performance, as phone/watch communication bandwidth is limited.
NB: If you do not see these options, it means Strongbox has not been able to detect that the Strongbox app is installed, paired and reachable on your Apple Watch. Check that Strongbox is installed and running and that your iPhone is paired properly with your Apple Watch.
Alternative Procedure for KeePass 2 (KDBX) Users
If your database is stored in this format (which is our default), you can take advantage of the "Apple Watch" tag which manages which entries are stored on your watch. Simply add or remove this "Apple Watch" tag to or from your entries as an alternative to the procedure above.
How do I sync with my Watch?
Strongbox tries to keep your watch in sync whenever a change is made to your database, but it can't always communicate with your watch. Usually, the next time the App is launched or activated on your watch the sync will occur automatically. If you would like to be explicit about the sync, you can force a sync with the watch using the following steps:
- Unlock your database on your iPhone.
- Tap the 'More' button in the top right corner (circular button with 3 dots).
- Tap 'Sync Apple Watch Now' and follow on-screen instructions.
This will guide you through the sync process and give you an indication about whether it was able to successfully queue the updates to the watch or not. Once queued, the next time Strongbox is active on the watch these updates will be dequeued and processed.
NB: If you do not see the 'Sync Apple Watch Now' option, it means Strongbox has not been able to detect that the Strongbox app is installed, paired and reachable on your Apple Watch. Check that Strongbox is installed and running and that your iPhone is paired properly with your Apple Watch.
How are my entries secured, stored and accessed?
Your entries are stored on your Apple Watch protected by the Secure Enclave. This is an extremely secure form of protection but differs from that provided by the Password Safe PWSafe or KeePass KDBX file formats. Your entries are not stored in a KeePass or Password Safe file on your device, and do not require a master password, key file or hardware key to unlock. They only require your watch to be unlocked. To read more about the security of your Apple Watch and communications channel between your iPhone and your watch, we recommend Apple's documentation here, but we will briefly describe some of the more salient aspects below.
Passcode Requirement
We use a special configuration (kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly) of the Secure Enclave to enhance security. This setting means:
- Your Apple Watch must have a passcode set.
- Your Apple Watch must be unlocked for Strongbox to access your entries.
- Only the Strongbox watch app can access your entries.
- If you disable your passcode your entries and all Strongbox watch settings will be deleted.
- Your entries are only stored on your paired watch and cannot be transferred or extracted to any other device.
- Your entries are not exported, transferred or backed up to iCloud.
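The behaviour listed above is what the Keychain accessibility class kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly gives any app that uses it. The following Swift sketch is an added example, not Strongbox's own code; it assumes the entry is stored as a generic-password Keychain item, and the service name and function names are hypothetical.

```swift
import Foundation
import Security

// Hypothetical service name for this sketch; not taken from Strongbox.
let service = "com.example.watch-entries"

enum EntryStoreError: Error {
    case locked               // device is locked: the item exists but cannot be read
    case keychain(OSStatus)   // any other failure, including saving with no passcode set
}

func baseQuery(_ account: String) -> [String: Any] {
    [kSecClass as String: kSecClassGenericPassword,
     kSecAttrService as String: service,
     kSecAttrAccount as String: account]
}

/// Stores one entry so that it is readable only while a passcode is set and
/// the device is unlocked, and so that it never migrates to another device.
func saveEntry(_ data: Data, account: String) throws {
    SecItemDelete(baseQuery(account) as CFDictionary)   // replace any older copy
    var attrs = baseQuery(account)
    attrs[kSecValueData as String] = data
    attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw EntryStoreError.keychain(status) }
}

/// Returns nil when nothing is stored, which is also the state after the
/// passcode has been disabled and the system has deleted the item.
func loadEntry(account: String) throws -> Data? {
    var query = baseQuery(account)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess:               return result as? Data
    case errSecItemNotFound:          return nil
    case errSecInteractionNotAllowed: throw EntryStoreError.locked
    default:                          throw EntryStoreError.keychain(status)
    }
}
```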
Phone/Watch Communications Channel
The phone/watch communications channel is securely encrypted. This is done initially when you first pair your phone and watch. You may recall that you held your phone's camera up to a complex pattern during this process. This process is called "out-of-band pairing" and leads to a cryptographic key exchange. This means that the bidirectional communications channel between your phone and watch is fully encrypted. Strongbox uses this communications channel to sync with your watch.
Tips for Staying Secure
- Turn on wrist detection. This means that if you take your watch off, it will lock, protecting your Strongbox secrets.
- Don’t share your Apple Watch passcode. Your passcode is the only protection guarding your watch entries.
- Be discerning in what you store on your watch. 2FA Codes and simple PIN numbers are super convenient, but it might be prudent to skip your higher value secrets. Remember your watch secrets are only protected by your passcode.
- Never jailbreak your Apple device. Jailbroken devices are not secure. Someone with direct physical access to your jailbroken device could in principle access Strongbox secrets stored there.
- Consider disabling "Unlock with iPhone". This feature unlocks your watch if you unlock your iPhone nearby. Is it possible that someone could wait for this scenario while wearing your watch?
Limitations
The communications channel between your iPhone and your Apple Watch is limited and somewhat low bandwidth, so we have placed some limitations on your entries to improve performance. There is a limit of 100 items per database that can be stored on your Watch. If an entry is too large to fit onto your watch in a single message, Strongbox will attempt to reduce its size by removing things like the custom icon, custom fields, alternative URLs and notes. The emphasis will always be on providing the title, username, password and 2FA Code fields. Other fields are considered less important in this space-constrained environment.
Can I use the Apple Watch integration on my Mac or iPad?
No, Apple limits pairing with your Apple Watch to your iPhone. It is not possible to sync your Apple Watch with your Mac or iPad. One thing to note however is that Strongbox uses KeePass tags where possible to track entries designed to be sent to your watch. If your database is stored in the KeePass 2 format (file extension KDBX), then you can add or remove the "Apple Watch" tag from entries. This will have the effect of adding or removing those entries to or from your Watch the next time your database is unlocked on a paired iPhone.