Episode: 4123
Title: HPR4123: KeePassXC Update
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr4123/hpr4123.mp3
Transcribed: 2025-10-25 19:53:30

---

This is Hacker Public Radio episode 4123 for Wednesday the 22nd of May 2024. Today's show is entitled "KeePassXC Update". It is hosted by Some Guy on the Internet and is about 19 minutes long. It carries an explicit flag. The summary is: Scotty talks about the KeePassXC 2.7.8 release.

Hello and welcome to another episode of Hacker Public Radio. I'm your host, Some Guy on the Internet. Let's talk about the KeePassXC 2.7.8 release. Now, since the 2.7.7 release, KeePassXC has included passkey implementations. Now here in the 2.7.8 release, we have passkey improvements, such as: you can update an existing passkey or add one to an existing entry. That's one of the features I knew I wanted, but I never got around to asking them; thankfully someone went there and asked for it. They've also included more specification standards. I'm assuming that's from the, was it the 5.0 standards? And it made some various UI improvements. Now they've also included, in the passkey improvements section here on the release page (and this is at the keepassxc.org website), they've added: show a warning prior to exporting passkeys. Now for me, this isn't an improvement, like that one, showing the warning prior to exporting a passkey. That should be under the security tab, right? Here in the release page, they don't have a security tab on there or a security header. So you know, like when you're doing Markdown, you can do your headers H1 through, I don't know, 5 or whatever; it looks like they've got a couple of header 3s on the page and passkey improvements is one of them. At the very top, my very first header would be security, and that "show a warning prior to exporting passkeys" would be up there under the security header.
That's just a note for, if anyone from the KeePassXC team is listening, you know, that's one of the things I'd implement. Not that you have to, but you know, I figured since you went through all the work of getting that wonderful audit that you guys released from the, was it the 2.7.5 release, letting everyone know that this code is delicious, also, you know, you might want to just keep that theme going. Like, you know, what separates KeePassXC from all of the competition out there: I'd just have a massive flag that has the word security written on it and I'd be waving it non-stop. You know, not to say that any of the other options available aside from KeePassXC are not safe. But when you look at KeePassXC, you just need to wave that flag heavily, let everybody know: security, baby, security. Just a thought. And also another one I'd include in there: if you scroll down the page, you'll see a quality of life improvements header; beneath that you see "SSH agent: don't autoload keys that are in the recycle bin." Yeah, that's another one that's going to go right up in the security panel. I imagine if you're getting rid of a key, you get what I'm saying, that key is either compromised or is just expired, and you're getting rid of it because, as a part of a security practice, you're rotating keys. So if this is automatically loading up a key that hopefully you had already gotten rid of on the other side, right, like we're just going to pretend like best practices are always followed. You know, hopefully on the other side there's nothing to respond to that key. It will no longer load up and do anything, right? We will not connect. So that's another one right under the massive flag of Some Guy on the Internet, just waving it like mad. Those two options will definitely be on there in the security header, or beneath the security header. Check the show notes for the links.
We're moving over to their GitHub page now for the changelog for the 2.7.8 release. Now here they have a lot of wonderful, and these are like quality of life improvements that I'm seeing right here: more hotkeys that they're adding in. So for instance, group switching. I'm very appreciative anytime a developer decides to implement more hotkeys. I use my system with a lot of hotkeys. I know that if you're a laptop user, you might enjoy using gestures and things like that with the trackpad or whatever; that's another one of those human interface niceties. So hotkeys are for desktop users, those of us without a trackpad, and even if I had one I'd still love my hotkeys. Another wonderful change listed down below: they've improved the Bitwarden and 1PUX imports. So if you're exporting from Bitwarden into like a JSON format or whatever, CSV or whatever they allow you to export as, and then you're importing into KeePassXC, it's going to be a little bit better. I did this a while back before all of these changes; I think like 2.7.2 or something like that is when I did it. It was not the best. Like even today, like this was a while ago when I did this, even today I am still comparing my Bitwarden and KeePassXC, like I have to unlock both vaults and do comparisons on certain entries because it did not go, it was not ideal. So I'm not going to sit here and make it sound like it was terrible, but yes, improvements are welcomed in this area as well. Here's another one that I wanted to talk to you guys about. Do you guys use YubiKeys with your KeePassXC? Do you secure your database using the YubiKey? I use a key file. On Linux, you can get the module to do YubiKeys, hardware keys I'll say.
I have not done it because it's a bit finicky and I, you know, the last thing I want to do is implement that on my database and then down the line something goes wrong and now I can't get in. And I don't know if it allows me to register multiple YubiKeys, because you know, you don't want to just register one YubiKey on there; you want to register your backup key as well. At least with the key file, I can have that backed up onto multiple encrypted thumb drives. So if anything were to happen to one drive, it dies over time or whatever, or like a bozo move that I did the other day: I have something magnetic, I think it's my mouse that has a magnetic plate on the bottom, and it was just resting on one of my thumb drives, because I use multiple mice. I have a gaming mouse and a vertical mouse, but I'm not going to go into the details about that anymore. But as I shifted one mouse out of the way, I did not realize it was resting on top of one of my USB keys. So you get what I mean, something could happen. Yeah, if you use YubiKeys, let me know how it works. Did it work out well for you? How did you install it? That'd be a great idea for a show, by the way. How did you install yours? Do you use the snap, which I think the snap is supposed to automatically come with YubiKey support bundled in? Maybe I'm wrong about that. Here in the changelog, they brought up support for NFC. I think NFC is near field communication, which certain YubiKeys come with. So I don't know how that works. Maybe that's on a, I don't know, I guess your laptop or device would have to have that built in. I'm thinking phones are mostly going to use that kind of thing. So maybe if you're on an Android device, because I don't know if KeePassXC is even on Apple, but what else? Give us your thoughts if you use this technology, like YubiKeys, hardware keys, and the NFC near field communication features, with your KeePassXC database.
Now another one for the security tab, which is for the Windows release of KeePassXC: they improved the DACL memory access protection. Again, imagine me, I don't know what that move is called, where you hold your arm out and kind of curl it over to show the muscle there. I don't know what that's called. They have these different names for the different flexing things. I'll probably have to go search. We are back. Let me go and do a DuckDuckGo search for this. All right. The closest pose I found, they call them bodybuilding poses. The closest one I found was called the front double biceps, but what I'm thinking about is me waving the security flag in the left hand while doing the bicep curl or whatever with the right arm. All right. So let's go down here to the fixes. In the fix section, they said they fixed the issue with the hardware keys not being auto-detected. That's one of the things that I discovered when I'm on Windows. I have a main database, and then whenever I want to use certain credentials on an insecure OS like Windows, I would export those credentials to a separate database, you know, a smaller one only containing those credentials, and then use that exported database, or those exported credentials in this new database, on the insecure system. So I generate an additional key file as well. So I'm not using my, because again, my USB drives are encrypted with LUKS, so Windows is not going to be managing those. So I have to have a separate drive to do everything in Windows, but I digress. I attempted to use my YubiKeys to test out this feature on Windows, because I'm thinking it's prepackaged in Windows, like I don't have to go out and grab additional modules and everything. It should just work in Windows, and it did not under the 2.7.7 release. So I'm eager to try this out with the 2.7.8 release to see if the YubiKey actually works there on Windows, and then I will secure that database on Windows using the YubiKey, just so that I can test it.
I'll keep it backed up because I want to see if I can use multiple YubiKeys stored in the key file, or whatever, however it stores the YubiKey; I want to see if it stores multiple. And I hate using YubiKeys, I'll, never mind, I'm not going to do it. Well, I'll test it, but I'm not going to switch to the method, because Windows makes you do like a PIN to unlock your YubiKey. It is like, no, I understand that's supposed to be, that's like that security theater thing, right? Like it's supposed to be more secure, but not really. Like, come on. All right, next, another item: the AppImage fix for URL opening. Again, if you're like me, you use a lot of hotkeys; you do the hotkey to open up a URL. I noticed in 2.7.7 it was not opening up the URL, so I'd have to copy it to the clipboard, then, you know, I'm using Pop!_OS, so I tile it over to the browser and just paste in the thing. I figured it was a bug, and I'm glad to see now; I didn't go check out the issue tracker, I just guessed it was a bug, you know. And here's another one that I did not notice: on Linux, under Wayland, it did not clear the clipboard. So you know how you can set up, I have mine set for 10 seconds, but, you know, set your timer up to clear your clipboard whenever you copy your credentials to the clipboard. And I'll talk to you guys in another show about why I'm moving away from using the clipboard as a temporary, like, I don't know what you call it, like a handoff of credentials, where you copy your credentials to the clipboard and paste them into the field. I'm stepping away from that because it's insecure on other platforms, especially mobile devices, where all these other apps have access and are logging your clipboard entries. So yeah, I've had to change a few credentials now to make them more, you know, where I could memorize them.
And basically, I look at the credential, memorize it really quickly, you know, obviously hide the credential again, and then go over to the application. For instance, I use Hoopla for my audiobooks from the public library. From time to time, it'll just log you out of the app. I don't know why, but again, memorize the credentials, go in there and just thumb it in, versus copying into the clipboard, just because it's too insecure. The clipboard on most OSes is just too insecure. So I'm moving away from that, and we can talk more about that in the future. I'll probably dedicate a short to that. I didn't know that Wayland had an issue where it didn't clear the clipboard. So that's great that they found that and fixed it. Finally, I, you guys should have seen it in my bash aliases that I loaded up in there: I have a ZZ command in my, like I always have a terminal open. And once a credential has been copied to the clipboard, I am, you know, I'm using the tiling features, so I immediately bounce over to the terminal once it's in the field, like on the website. Once I enter that credential in the field, I bounce over to the terminal and clear the clipboard before going back to the website to hit enter to now enter the credentials. Like I'm just a little paranoid about credentials being in the clipboard. This is before I learned about all the issues with the OSes, like these applications that are logging your clipboard. So that's another one of those justified paranoia moments that make you go, yes. All right. So that's it for the release notes. I just want to talk to you about, on the GitHub page, they have the keyboard shortcut listing. I included that down in the show notes, a link to the keyboard shortcuts on their GitHub page. They have not included the new keyboard shortcuts for the group switching and whatever else that was added. That's something, I really have to create a GitHub account so that I can contribute by adding these kinds of things in.
I imagine that's just something they're going to get around to, or if, you know, some lazy bum like myself could just show up and add it in there, you know, maybe they'd appreciate that. Now you guys know me, I've got to introduce you to a little bit of the rabbit hole. So while going through the show notes here and looking at the keyboard shortcuts and things, I immediately started wondering, are there any sort of standards for keyboard shortcuts or hotkeys? And you know, is there some sort of POSIX-compliant way of doing hotkeys? And basically I found a bunch of human interface guidelines out there for the different OSes, or in the Linux case, it would be the DEs. So I have some links down below, and one of them that I enjoy the most would be the Apple global menu human interface guidelines. I think the Apple menu, or global menu, is the most gorgeous global menu I've ever seen. It just makes so much sense. I mean, you already have your panel up there. Why not populate it with the options that you're going to need rather than having it just empty all the time? And, you know, that way you can make your window smaller, especially like if you're on a laptop or whatever; you can actually have more real estate now. So you know, global menu just makes sense. You know, on Linux, if you're like me, you've probably tried to, you know, use different DEs with global menu attachments. One of the common ones out there is probably discontinued or deprecated now, the, uh, it was called the Vala menu or whatever, or the many broken GNOME extensions that are out there. I've got to tell you, I like GNOME and what they're doing as far as making sure that their developers are not overworked by adding in all of this bunch of features that they have to now, you know, maintain forever, that they allow users who want these features to kind of create their own and implement them. I think that's fantastic. However, that system does get a little annoying.
Now move on over to Plasma. I remember when I first learned that Plasma allows you to get a global menu, like it's just baked into Plasma. So I thought, okay, fine, I'll just go ahead and try Plasma. This is like years ago when I did this. Super easy, super simple: you get your global menu and off you go. Now I immediately fell in love with it. It was beautiful, wonderful. And then I closed the window, and then the menu just emptied. So I have some links down in there showing you the Apple guidelines, how their menus are always populated, if you've never used a Mac. So I immediately thought, you know, the KDE menu, global menu, I thought it was broken because it just emptied when the window was gone, right? And another problem today, if you're using Electron apps especially, they don't comply with the global menu or whatever, the standards. So the menu stays in the application; it doesn't go to the global menu, which is infuriating. Yeah. So that's one of those things that, uh, I understand more of why people like, uh, keeping certain apps in the ecosystems. I can't think of what the name is now. Um, there's a term for it. I can't think of it now. Um, elementary OS is one of the DEs that are attempting to do this by, you know, asking developers to create custom apps, you know, rebranding their app or whatever for elementary OS. And I think Apple was doing this for years, but now it's, you know, not as strict over there. So you're getting a lot of these web apps that don't comply. Maybe even in a few years Apple will no longer even use the global menu, which means there will absolutely be no reason to use an Apple PC at that point, because the only reason I would use one is just so I can sit next to you and show you my global menu, but I would never actually use the damn thing outside of that, right? Like I dislike everything else about the Apple PC except for the global menu.
But if I could just copy that menu over to, you know, say GNOME or KDE or whatever, so you just have a decent global menu over here in Linux, great, just abandon the rest of the OS, just keep the global menu. But yeah, I went rabbit-holing down the human interface guidelines, finding out all these cool, unique things that, you know, I didn't actually know they have names and terms and guidelines for. So I thought this is really cool. I think I'll spend some more time reading up on that. But back to the whole KDE thing: when I first learned that their menu empties after you close your windows, I just got rid of KDE at that point. I was like, this is broken, not even usable anymore, just trash it, forget about it. You know, I did it like I did XFCE at the time; I took them out back to the woodshed and they went the way of Old Yeller. For those of you who don't know about that reference, there's a movie called Old Yeller; I'll leave some links. Alright, that's enough rabbit-holing, I think you guys got the picture. I've got to take you down the rabbit hole for at least a couple of minutes, right? You can't just get the information you came for and leave; you've got to go on the mindless rant that I like to take you on. So I hope you guys enjoyed the show. If you use KeePassXC, do a show, let us know what your thoughts are: do you like it, do you dislike it, how do you like to use it? Hardware keys, you know, hint, hint, wink, wink. And I'll catch you guys in the next episode. Take it easy.

You have been listening to Hacker Public Radio at HackerPublicRadio.org. Today's show was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our contribute link to find out how easy it really is. Hosting for HPR has been kindly provided by AnHonestHost.com, the Internet Archive, and rsync.net.

Unless otherwise stated, today's show is released under a Creative Commons Attribution 4.0 International License.