Security & Privacy
-
You can communicate via PGP at our support email address (support@strongboxsafe.com). Our Public Key is below: ``` -----BEGIN PGP PUBLIC KEY BLOCK----- xsFNBGJWsooBEAD1olH1ckumg3FVQMXSq/KbF8+sGhc1EhPSvTk2VcdC8KnX VF5MoltZXCbHSUh1nHaZ0FxY8JRHr6NeNS4DEk/8eFypZZJxXz+dN2vO4BIh dsJQnRn6JvKQQT69ea78...
-
https://github.com/mmcguill/StrongBox
-
Recommended Encryption Settings
We recommend a KeePass (KDBX4.x) format database. This allows a configurable Key Derivation Function. For your KDF, we recommend Argon2d or Argon2id, both are nice GPU resistant KDFs. You should set the memory to around 32MB. Higher memory settings (especially anything above 64MB) will cause i... -
What Type of Cryptography Does Strongbox Use?
Strongbox implements many cryptography algorithms. For KeePass based files, Strongbox uses AES, TwoFish, Argon2D, ChaCha20 and Salsa20 along with SHA256 for digests and HMACs. For Password Safe based files use TwoFish in CBC Mode, SHA256 and RFC2104 HMAC. This is all put together following the ... -
What Network Connections Can Strongbox Make?
The following are the possible network connections that Strongbox can make which may be seen if you monitor network traffic while using the features described below. Apple App Store (Mandatory) Strongbox makes requests to Apple for two reasons. In App Purchase pricing and purchase/restore transa... -
Can I Trust That Strongbox Is Not Stealing My Passwords?
The only 100% sure-fire way would be for you to read the code, understand it, compile it, and deploy it. Along with this you also need to trust all of the dependencies and libraries (e.g. libcrypto, libssl, libssh, libsodium, argon2 libraries, etc) that Strongbox uses. Further, do you trust the m... -
Has Strongbox Ever Been Audited?
There are a number of different types of Audit that come to mind here. We have a yearly CASA2 audit (see below), and have considered an SOC2 certification. Read on to learn more. CASA 2 Strongbox performs a yearly CASA Tier 2 level audit as a requirement for integration with a certain third par... -
Please note: you need a Strongbox Pro membership in order to use the duress PIN feature. Instructions Unlock your database Tap Database Settings (the icon with three sliders in the top left of the screen) Tap Touch/Face ID & PIN Codes Tap Configure PIN Codes Tap Turn Convenience PIN On Now ...
-
How Does the Chrome/Firefox Extension Work? Is It Secure?
Introduction Strongbox integrates through an AutoFill extension for Firefox and Chromium browsers. Safari uses a different system-level mechanism. You may have noticed this on your browser plugin or add-on store. This provides a super convenient way to fill in your credentials inline in your bro... -
How Does Strongbox Perform Against RAM Dumps or Memory/Debugging Attacks?
The threat of someone being able to access the memory of a running instance of a program is a notoriously difficult one to protect against. This is particularly acute for password managers which, at the end of the day, are also just programs too. This is one of the reasons platforms (e.g. iOS, Ma... -
How Secure Is Face ID / Touch ID?
While Touch/Face ID is very convenient, it is not a perfect system for protecting your passwords. It is provided for convenience only. It is within the realm of possibilities that someone with access to your device and your fingerprint or photo, can produce a good enough fake to fool Apple’s syst... -
Strongbox often needs to store sensitive/confidential user secrets to offer useful features like convenience unlock, SFTP or WebDAV connections. What are these secrets, confidential or secure items? Master Passwords (required if you use Face ID, Touch ID, PIN Code or Apple Watch Unlock) SFTP Cr...
-
What Personal Data Is Shared Between Cloud Providers (e.g. Google Drive) and Strongbox?
This is up to the cloud provider and how they define the interaction of third party apps with their storage API. In brief this is likely to include your email address or account username, the name of the third party app (in this case Strongbox) and probably data like the current date/time and IP ... -
Is Apple’s Password AutoFill More Secure Than Using Plugins or the Clipboard?
We believe using the built in Password AutoFill subsystem is a very secure way to fill your passwords. Of course, as with everything the devil is in the details. In principle, Apple's Password AutoFill is absolutely a better model, a system fully designed for the transmission of sensitive creden... -
Configuration Issue: Convenience Unlock and Quick Launch with Device Passcode Fallback
With a certain sequence of settings enabled, you can make your database more vulnerable to attack. The Strongbox app attempts to warn you about this, so that you can take a suitable action or at least be aware of the issue. This occurs if the the following options are enabled: Face/Touch ID Unl... -
Choosing Argon2 or Argon2id As Your Key Derivation Function (KDF)
It's pretty marginal either way on this. Some say Argon2id offers better defence against side channel/timing attacks, others that this is irrelevant in a client side app situation. We don't take a strong stance, both are solid and we support both. You can read more of the original KeePass devel... -
Strongbox Zero is a stripped down, local Database only version of Strongbox designed for privacy conscious individuals who do not want or need some of the networking/remote storage features of Strongbox, and who are confident in their ability to manage local databases, backups and exports. Strong...
-
Strongbox Zero vs. Strongbox Pro
Strongbox Zero is a stripped down, local Database only version of Strongbox designed for privacy conscious individuals who do not want or need some of the networking/remote storage features of Strongbox, and who are confident in their ability to manage local databases, backups and exports. Strong... -
Add or Export Databases From Strongbox Zero
Since Strongbox Zero does not have any built-in networking code, you might ask how do I get my databases into Zero. There are various options outlined below. Importing You can use the following methods to Add/Import your database: iTunes / Apple File Sharing - connect your device to your Mac/P... -
Change the Auto Clear Clipboard Duration
If you have Auto Clear Clipboard enabled, when you copy text from Strongbox this will be cleared from your device's clipboard after a set period of time. This feature protects your sensitive information. To enable or disable this feature and to change the duration, follow the instructions below.... -
What is the "Concealed Clipboard" Advanced Setting?
The Concealed Clipboard feature stops data that you copy from the Strongbox app from being recorded by clipboard manager apps, like Maccy and Paste. When Concealed Clipboard is enabled, Strongbox tells clipboard apps that what it has copied to the clipboard is sensitive and should be concealed, ... -
Why Does Strongbox Request Permissions to My Photo Library?
This comes up from time to time with some security/privacy conscious users and is something we had to investigate to figure out. Long Story short: Strongbox doesn't have access to your Photo Library but it can receive a read-only snapshot of a user selected photo entirely by iOS Design with no s... -
CVE-2023-24055 Vulnerability Update
Security researchers have recently discovered a vulnerability in the Windows KeePass app that could allow attackers to obtain stored passwords in cleartext. The bug has been dubbed CVE-2023-24055. The Strongbox app is not affected by this vulnerability. Which means that if you use Strongbox to w... -
CVE-2023-32784 Vulnerability Update
Security researchers have recently discovered a vulnerability in the Windows KeePass app that could allow an attacker to recover the cleartext master password from a memory dump. The bug has been dubbed CVE-2023-32784. The Strongbox app is not affected by this vulnerability. Which means that if ... -
Where are Strongbox local backups stored on my Mac?
Strongbox can (and by default does) create backups of your databases everytime a change is made. These are rolling backups so Strongbox keeps the last 10 (configurable) versions of your database just in case. These are stored on your Mac here: ~/Library/Group Containers/group.strongbox.mac.mcgu... -
How do I securely transfer my key file to my iOS device without using the cloud?
Transferring your key file securely to your iOS device and keeping it safely offline is a three step process: Getting the key file onto the iOS device Using Strongbox to properly "Import" the key file Cleaning Up Step 1. Getting the Key File on Device There are at least 3 methods you can use t... -
Where does Strongbox store its local working copy/cache (for offline access)?
Strongbox's offline/working copy (or cache) is stored under: /sync-manager/local The [1] is something that Apple provides to Apps and isn't something that can be viewed by ordinary users on iOS, but it is visible on macOS. The API that provides this directory is: containerURL(forSecurityAppli... -
Why is Strongbox Listed Under "Apps using iCloud"
In the Settings app on iOS and iPadOS, under your Apple ID > iCloud > Apps using iCloud, you might see Strongbox listed and turned on. If this switch is on, it doesn't necessarily mean anything is transferred to iCloud. However: if a user chooses + > Get Started Wizard > New Databas...