kdbx 3 database is very slow to open #6778
Comments
|
Not sure what to do here. |
@droidmonkey YOU NEED A PERFORMANCE PROFILE!!!!! Open a lite 120KB file on SSD use 4 seconds, is TOO SLOW.....
|
|
The database size is nothing to do with how long it takes to open the database. That is mostly up to how many rounds you choose for your KDF. Try saving it with a different profile. |
This does not explain why other programs (MacPass、Keepass) do not have such a large delay. |
|
Do you have this delay when using the regular gui or just in the cli? |
the gui mode use 2 seconds to unlock the database, see the movie file below Screen_Recording.mov |
|
Can you confirm your KDF settings please? Do you have any unique features in your database? Excessive references to other entries or a huge amount of custom icons? How many entries total are in the database? |
|
|
Using KeePassXC only, can you export the database to csv then import that into a new database? I want to remove the macpass aspect to see if the issue started with them. See if the unlock time remains. To see the KDF settings go to Database -> Database Security, then choose the encryption tab. You might have to select the advanced checkbox in the lower left corner as well. |
|
use the Screen.Recording.2021-07-29.at.18.24.20.mov |
the |
|
You need to be on the security tab. Those settings are only relevant to the macpass created database. |
|
KDF settings |
|
I figured it was a kdbx 3 database (old standard). I'm surprised macpass can unlock that so fast with 13 million rounds on the kdf. Makes you wonder... If you click the one second benchmark button what number does keepassxc give you? Sorry for all the questions trying to narrow where the problem is and potential major security flaw in macpass. It could also be that macpass is caching the transformed key in the macos key store, which is also a security issue without explicit prompting to the user. |
8~9 million
|
|
Makes sense. Ok well that is "interesting" we aren't going to pursue this any further. Seems like it's a default KDF difference with macpass and they must be caching the transformed key somewhere to get a near instant unlock speed. Was it "slow" to unlock the first time? |
For a kdbx 3 database:
I'm not sure why there is such a big difference from the benchmark value |
|
The benchmark is calculated very strangely in v2.6.6 and below. We updated that calculation in v2.7.0 with our move to Botan crypto library. |
|
Understand, thank you for your patience, I will update the title to make the information clearer and close this issue. Solved by upgrading the database KDF to kdbx 4 |
atttx123
changed the title
|
900 rounds of Argon2 at 1MiB? Please use something more sensible that actually consumes some memory. With a bit more than that, 900 rounds should take forever. |
I don’t know the details of this algorithm, but I tested the default value kpassxc give, and its speed is a bit slow
|
|
Just half the rounds to get to 1 sec. Leave the memory and threads alone |
|
|
|
The slowdown is expected and a feature that enhances the security of your password file. In fact, the only reason why we use a KDF is to slow things down so an attacker cannot guess billions of different master passwords per second. What decryption time is acceptable to you depends on your personal security profile. |
|
😂 |
|
No idea what it is that you want to tell me. |
|
I understand why delay is needed for security reasons, and this can't be changed. But I have three ideas which might nevertheless help.
1. Delay before PasswordAre we just talking about delay after entering the password, or also about delay before entering the password? I recognized, that even before entering the password there's also a 1-2 second delay on a modern CPU (Ryzen 3500U). I'll call this phase "database selection" to distinguish it from "database decryption". As far as I understand encryption, "rounds" apply after entering the password, not before. But maybe this is some encryption/decryption detail I don't fully understand.
2. UI informing the UserMaybe something can be done to make this less irritating for the users. The first thing which comes to my mind is a progress bar. Before the password dialog, as well as after the password dialog when decrypting.
3. Opening multiple DatabasesAn additional problem is, that these times add up if multiple databases are being used. KeePassXC-2.6.2 seems to be set to I also use the AutoOpen feature to open the other 3 databases from the first one. So also for selecting / decrypting multiple databases a nice progress bar would help. Additionally it would help if the tabs for all databases open instantly at KeePassXC startup (before entering the password). And the password field is just being disabled until whatever is being done in background (most favorably in another thread) has completed. This would make the UI behave more calm, than if one database opens up after another with some delay in between each. Also the user could already use the UI and do something else like selecting a completely different database. (selecting => open database, not yet decrypting) |
|
There is no delay on our side before opening the database, but Linux file pickers seem to take a while to load sometimes (which is an issue with the file picker). Maybe that's what you are experiencing. |
|
@phoerious Reproduced on Debian-11 and openSUSE-15.4. |
Overview
keepassxc-cliuse 4 seconds to open a 120KB databaseExpected Behavior
MacPasson the same machine open database less than 2 secondsKeePassXC - 2.6.6
Revision: 386b79a
Operating system: macOS 11.4
CPU architecture: x86_64
Kernel: darwin 20.5.0
Qt 5.15.2
Debugging mode is disabled.
Enabled extensions:
Cryptographic libraries:
The text was updated successfully, but these errors were encountered: