Security & Privacy
Do you have or use PGP, or what is your PGP public key so I can contact you securely?
Yes, we can and do communicate via PGP at our support email address (support@strongboxsafe.com). Our public key is below:
```
-----BEGIN PGP PUBLIC KEY BLOCK-----
xsFNBGJWsooBEAD1olH1ckumg3FVQMXSq/KbF8+sGhc1EhPSvTk2VcdC8KnX
VF5MoltZXCbHSUh1nHaZ0FxY8JRHr6NeNS4DEk/8eFypZZJxXz+dN2vO4BIh
dsJQnRn6Jv...
```
Has Strongbox ever been audited?
No, Strongbox has not received any independent audits. We would certainly like to have an audit done and are looking at options. Strongbox is a small independent startup company at the moment and we don't have the resources to hire an independent audit firm for this. We are open to any and all su...
How can I trust that Strongbox is not sending my passwords elsewhere or stealing them?
The only 100% sure-fire way would be for you to read the code, understand it, compile it, and deploy it. Along with this you also need to trust all of the dependencies and libraries (e.g. libcrypto, libssl, libssh, libsodium, argon2 libraries, etc.) that Strongbox uses. There is no other way for...
How does Strongbox perform against RAM Dumps or Memory/Debugging Attacks?
The threat of someone being able to access the memory of a running instance of a program is a notoriously difficult one to protect against. This is particularly acute for password managers which, at the end of the day, are also just programs too. This is one of the reasons platforms (e.g. iOS, Ma...
Strongbox often needs to store sensitive/confidential user secrets to offer useful features like convenience unlock, SFTP or WebDAV connections. What are these secrets, confidential or secure items?
Master Passwords (required if you use Face ID, Touch ID, PIN Code or Apple Watch Unlock)
SFTP Cr...
How does the Chrome/Firefox Extension work? Is it secure?
Introduction
Strongbox integrates through an AutoFill extension for Firefox and Chromium browsers. Safari uses a different system-level mechanism. You may have noticed this on your browser plugin or add-on store. This provides a super convenient way to fill in your credentials inline in your bro...
How do I select a good master password?
A vital question. There are varying opinions on this, but one of the best guides around can be found here: https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/ The weak link in the security chain with Strongbox is always going to be the master passwor...
How secure is FaceID / TouchID?
While Touch/Face ID is very convenient, it is not a perfect system for protecting your passwords. It is provided for convenience only. It is within the realm of possibility that someone with access to your device and your fingerprint or photo can produce a good enough fake to fool Apple’s syst...
How do I import/add or export databases from Strongbox Zero?
Since Strongbox Zero does not have any built-in networking code, you might ask: how do I get my databases into Zero?
Importing
You can use the following methods to add/import your database:
iTunes / Apple File Sharing - Connect your device to your Mac/PC and use File Sharing to transfer over USB...
A particular combination of settings is possible if you are using Face ID for App Lock and also for your Quick Launch Database Unlock. Strongbox attempts to warn you if this scenario occurs so that you can take suitable action or at least be aware of the issue. If...
Is Apple's Password AutoFill more secure than using plugins or the clipboard?
We believe using the built-in Password AutoFill subsystem is the most secure way to fill your passwords, and should become the de facto method for all browsers, apps and password managers in the future. Of course, as with everything, the devil is in the details. In principle, Password AutoFill is...
Should I choose Argon2 or Argon2id as my Key Derivation Function (KDF)?
It's pretty marginal either way on this. Some say Argon2id offers better defenses against side channel/timing attacks, others that this is irrelevant in a client-side app situation. We don't take a strong stance; both are solid and we support both. You can read more of the original KeePass deve...
What information is shared with Cloud Providers (e.g. Google Drive) by Strongbox?
This is up to the cloud provider and how they define the interaction of third-party apps with their storage API. In brief, this is likely to include your email address or account username, the name of the third-party app (in this case Strongbox) and probably data like the current date/time and IP ...
What is Strongbox's approach to the App Store App Privacy section?
Apple introduced the App Privacy section to the App Store in 2020 to give users a better idea of the privacy implications of using an App. This is to be applauded. However, it really places a burden on us developers. Strongbox is built by an Indie developer, a small (lovely!) team who love to wor...
What is the difference between Strongbox Pro and Strongbox Zero?
Strongbox Zero is a stripped-down, local-database-only version of Strongbox designed for privacy-conscious individuals who do not want or need some of the networking/remote storage features of Strongbox, and who are confident in their ability to manage local databases, backups and exports. Strong...
What particular Encryption Settings do you recommend I use to protect my database?
We recommend a KeePass (KDBX 4.x) format database. This allows a configurable Key Derivation Function (KDF). For your KDF, we recommend Argon2d or Argon2id; both are GPU-resistant KDFs. You should set the memory to around 32MB. Higher memory settings (especially anything above 64MB) will cause i...
What possible network connections can Strongbox make?
The following are the possible network connections that Strongbox can make, which may be seen if you monitor network traffic while using the features described below.
Apple App Store (Mandatory)
Strongbox makes requests to Apple for two reasons: In-App Purchase pricing and purchase/restore transa...
What type of cryptography does Strongbox use?
Strongbox implements many cryptographic algorithms. Password Safe based files use Twofish in CBC mode, SHA-256 and RFC 2104 HMAC. This is all put together following the Password Safe design, which you can learn more about here: https://en.wikipedia.org/wiki/Password_Safe For KeePass based files...
Where Can I Find the Source Code for Strongbox?
Online at GitHub.
Why doesn't Strongbox request permissions to my Photo Library?
This comes up from time to time with some security/privacy-conscious users and is something we had to investigate to figure out. Long story short: Strongbox doesn't have access to your Photo Library, but it can receive a read-only snapshot of a user-selected photo entirely by iOS design with no s...