Hardware-Based Password Manager



  • I'm trying to improve my password management, and I have a vision in mind for a solution. However, I'm having a problem putting it all together or finding a product(s) that fits.

    First, I would like to find out whether my overall specification/strategy is workable.

    Baseline (non-negotiable) requirements:

    1. A password manager with an encrypted (AES-256 or better) local-only password database/vault. No cloud storage: so services like LastPass etc. are not going to work for me. (Password manager in the sense that all account passwords are accessible from a single master password)
    2. Installable / integrated onto a hardware-encrypted USB-3 thumb drive, preferably one of those with a numerical keypad on the side of the thumb drive that unlocks the drive before inserting into a USB port. The password manager software runs directly from the thumb drive (Windows minimum, but Windows + Android preferred) without any software installation required onto the host system.
    3. Ability to backup the password database/vault (in case the encrypted thumb drive gets lost or stolen).

    Feature requirements (really, really want these, too):

    1. Can generate randomized passwords for new accounts
    2. Can autofill login ID and password fields in a browser window without the need for copy/paste (and therefore avoids the security holes involved with Windows clipboard).

    Next-level features (all above could likely be accomplished with KeePass + hardware/keypad encrypted thumb, but the below would bring the overall security to the next level - if this is achievable and a product(s) exists...?)

    1. Multifactor authentication (like U2F) of the password manager software/vault itself: the encrypted USB drive itself serves as the hardware token that allows the software/vault to unlock (something along the lines of a Yubikey). That way if the password vault file itself is copied from the thumb drive (from across the network, say at work), and they grabbed my master vault password (for example a keylogger), the vault still could not be unlocked / unencrypted because they wouldn't have the physical hardware token serving as the 2nd authentication/decryption factor.
    2. And to really ensure a robust solution, the USB drive would adhere to the military spec for encrypted drives (FIPS 140-2 Level 3 compliance, incl. testing by an independent lab)

    My last arrangement was close: the Ironkey (before the company was purchased by Kingston). It was a FIPS compliant encrypted (USB2) drive with onboard proprietary password manager software. But the password manager has been dropped from the product line, leaving it (basically) just an expensive hardware encrypted thumb drive.



  • As you wrote, 1-5 can be achieved using KeePass + thumb drive.

    As for point 6, it seems YubiKey already thought of that. You can use YubiKey or another HW token with KeePass using the OtpKeyProv plugin. However, I could not find a detailed explanation of how it works, and it does not seem very secure to me. I have a feeling it could be bypassed rather easily by a more advanced attacker.

    There are plugins for KeePass that allow use of RSA keys, but I am not convinced they are usable with a HW token. Check (here, here and here)

    The RSA key approach, if implemented correctly, would be very secure and would protect against the theft of the password vault from an unlocked thumb drive.

    For point 7, just pick a good USB drive, maybe the one recommended by Steven. But honestly, the thumb drive will never provide a significant increase in security.

    Final note: KeePass can be used on Android, but I don't believe the plugins can be. So using 2FA would be at the cost of using it on Android.
