Passwords app – what happens if I don't enable end-to-end encryption?

I recently installed the Passwords app on my Nextcloud and then imported some passwords from a CSV using these instructions:

Then I followed these instructions to enable end-to-end encryption (which required creating a database password):

So, in the ~30 seconds between doing those things, does this mean that my passwords were stored in plaintext on the server that hosts my Nextcloud instance? Have I pwned myself?

(I.e., if someone had physical access to my server’s hard drive during those 30 seconds and were able to decrypt the drive itself, would they have my passwords in plaintext?)

Unsure, but you were storing your passwords in plain text CSV format.
So, that is plain text wherever it is stored.

For clarification, simply ask that developer directly on the repo you’ve linked…

Probably.

Depends on whose server we’re talking about. If it’s yours, then it may not be a big deal. If it’s a provider’s, then who knows.

A safer alternative would be to store a keepass db in your Nextcloud and just use the program on your computer. That way decrypted data is never handled on the server end.

Huh, OK. I’ve changed my passwords just in case.

I was storing them in an encrypted file, but the Passwords app can only import from CSV (and a few other formats), so I had to make a CSV locally (on my computer, whose HD is encrypted) in order to import them—is there a way around this?

Also, if you click the “help” forum on the Passwords app website, it directs you here.

Yep, I decided to use this approach after all. The upside of the Nextcloud Passwords app is that you can access it directly from your browser. So if you are on a public computer and need to retrieve one password, you can just log into your Nextcloud and get it.

I’m not sure if this is still around, but there used to be a keepass app for Nextcloud that could open a keepass file. But… I decided I wasn’t sure if I’m comfortable with that, and I use the auto-type feature a lot anyway, so I just use keepass.

If I find myself needing a password, I just accept that it’ll have to wait until I’m home on my laptop. I don’t access my passwords from any other device, and I would never access my passwords from a computer that wasn’t mine for any reason.

I guess the specific scenario would be something like this: You’ve just landed in a foreign country and your phone and laptop batteries are dead, but you need to access your Airbnb account to check the reservation information. You go to a public library and boot a live Linux environment from a USB drive and log into your Nextcloud to retrieve your Airbnb password, log into Airbnb, and get what you need.

(By using the live USB, you make yourself “relatively safe” from any software keylogger etc. that might have been installed on the library computer, although I concede that you are still vulnerable to a hardware keylogger etc.)

If you use the Nextcloud passwords app, you can grab your password directly from the web interface, whereas if you have a Keepass DB saved as a file blob in your Nextcloud instance, you have to download this DB, then sudo apt install keepass2, then open it—so it adds a few steps. (Or you could use a Linux distro that has a .kdbx utility built in.)

If it’s something I think I’m going to need while I’m out, I reluctantly entrust it to my iCloud keychain so I can get it on my phone. But I only keep a small subset of my passwords there.

That’s a lot of trouble to go to when airports have public power outlets.

Point taken. But if you are really confident that you will only access password-protected services from your own devices, why use a password at all when you could use SSH key login instead (for services like GitHub that offer it)? This would be a lot more secure. Or maybe that’s what you do anyway?

Nah, it is so much simpler than this.

  • save keepass db to your mobile
  • Access from a client side keepass app.

It is that easy. Doesn’t matter if you use Nextcloud or not. Doesn’t need internet.

If unsure, all you do is distribute keepass into multiple databases. Then save in multiple locations or multiple sync services or whatever. Or pre-save to usb along with portable keepass apps.

Worth considering. Here is the keeweb app also:

I am ignorant to the passwords app.

There’s some misinformation coming in here;

First of all, end-to-end encryption has nothing to do with the “passwords” plugin. Nothing WHATSOEVER. You can have it enabled, or you can have it disabled, and it has zero impact or relevance.

End-to-end encryption is for FILE STORAGE, and it basically means that there is not enough data available on the server in order to be able to decrypt files.

Nextcloud passwords, on the other hand, stores information in the system DATABASE, not in a file on the filesystem. Look in your database and find tables "{prefix}_passwords_*" – that’s where your passwords data is being stored.

Now if you look in that database, what you will see is that the passwords stored are… encrypted. And this will be the case whether you have end-to-end encryption enabled OR NOT. Doesn’t matter, because the passwords application does its own thing to secure your passwords.

For more details, read the documentation; nextcloud / passwords · GitLab

Thank you—this addresses my question. The linked documentation says that

Passwords offers a safe server side encryption using Nextcloud’s integrated encryption functionality. Each password is encrypted with its own unique key.

To clarify, there are several things in the Nextcloud+Nextcloud Passwords ecosystem that involve encryption:

  1. There is an app called End to End Encryption that encrypts every file in your Nextcloud on the client side: GitHub - nextcloud/end_to_end_encryption: 🔐 Server API to support End-to-End Encryption

  2. There is a built-in (disabled by default) Default Encryption Module which you can use to encrypt files on the server side: Encrypting your Nextcloud files on the server — Nextcloud latest User Manual latest documentation

  3. And there is a setting within the Passwords app to enable encrypting its database with a custom passkey, which (presumably) offers harder protection than the default encryption quoted above. Enable End to End Encryption · Wiki · nextcloud / passwords · GitLab

Let’s call these options e1, e2, and e3. In my case, I had neither e1 nor e2 enabled, and then enabled e3.

So here are some follow-up questions:

  1. You mentioned,

End-to-end encryption is for FILE STORAGE, and it basically means that there is not enough data available on the server in order to be able to decrypt files.

I assume you are referring to e2 here, right?

  2. When the Passwords app says it uses NC’s “integrated encryption functionality,” I assume this is referring to e2, right? But how is Passwords able to use e2 if I haven’t enabled e2 in my apps pane?

  3. (When e3 is disabled,) what actual key does Passwords use to encrypt the passwords, given that I haven’t entered one? If Passwords is able to construct this key without any input from me, then couldn’t an attacker do the same?

  4. When I enable option e3, the encryption option in the Passwords app, is Passwords then using its own functionality to encrypt my files, or is my request passed through to e2 (the integrated encryption functionality) and Passwords is just serving as an interface to choose a different encryption key?

When e3 is not enabled, the Passwords app uses your Nextcloud login to enable access to your password database entries.

When e3 is enabled, you will need to enter the e3 passkey every time you open the Passwords app, separate to your Nextcloud login, in order to be able to locally decrypt your passwords (separate to the encryption applied to each password in the database).

There are also browser plugins and mobile apps that use Nextcloud Passwords to auto-fill passwords.

Right, but how is this access secured? Are the passwords encrypted, and if so, what key does it use? The Passwords App has no way of knowing my Nextcloud login password, so I don’t understand how it can encrypt the passwords other than by using some information that already lives in my Nextcloud.

Well, yes, it obviously uses something in your Nextcloud account, or it wouldn’t work as a Cloud application. If you can’t trust the database admins running your Nextcloud, then the Passwords app may not meet your security requirements without the e3 option. Using the e3 encryption adds a layer of encryption that is not stored in your account.
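
Added example, not part of any post in this thread and not code from the Passwords app: a model of the distinction the thread keeps circling, a key the server can obtain on its own versus a key derived from a passkey only the user knows. AES-256-GCM and scrypt from Node's built-in `crypto` are stand-ins chosen for the illustration; the function names, the storage layout and the sample values are assumptions, since the app's actual algorithms are not shown on this page.

```javascript
// Added illustration; not code from the Nextcloud Passwords app.
const nodeCrypto = require('crypto');

// AES-256-GCM: returns what a database row would hold for one entry.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(key, row) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, row.iv);
  d.setAuthTag(row.tag);
  return Buffer.concat([d.update(row.ct), d.final()]).toString('utf8');
}

// Model 1: server-side encryption. The per-entry key is generated and kept
// by the server (assumption: stored somewhere the server itself can read).
function serverSideStore(secret) {
  const serverKey = nodeCrypto.randomBytes(32);
  return { row: seal(serverKey, secret), serverKey }; // both at rest on the server
}

// Model 2: client-side encryption. The key is derived from a passkey inside
// the client; only salt and ciphertext ever reach the server.
function clientSideStore(secret, passkey) {
  const salt = nodeCrypto.randomBytes(16);
  const key = nodeCrypto.scryptSync(passkey, salt, 32);
  return { row: seal(key, secret), salt }; // no key at rest on the server
}

// What a party holding a complete copy of the server's storage can recover.
function recoverFromServerCopy(stored, passkeyGuess) {
  try {
    if (stored.serverKey) return open(stored.serverKey, stored.row);
    const key = nodeCrypto.scryptSync(passkeyGuess || '', stored.salt, 32);
    return open(key, stored.row);
  } catch {
    return null; // GCM authentication fails under the wrong key
  }
}

const secret = 'constructed-sample-password'; // constructed sample value
const m1 = serverSideStore(secret);
const m2 = clientSideStore(secret, 'constructed passkey');
console.log(recoverFromServerCopy(m1));                // recovered without user input
console.log(recoverFromServerCopy(m2, 'wrong guess')); // null
```

In the second model the server copy still permits offline guessing against the salt and ciphertext, so the protection is only as strong as the passkey.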