AES-256 password encryption in KeepTool 16.2

05 Sep 2024

Introduction

Hello and welcome to our new blog. Today we would like to introduce you to our new KeyStore that implements AES-256 password encryption. This new feature of KeepTool 16.2 increases security when saving passwords.

How the passwords were previously saved

If you are already a customer, you know that our tools remember the last database connections. You can choose whether you want to save the password together with the connection data. Otherwise, you must enter it again the next time you connect to the database.

KeepTool saves database connections in the file

  %APPDATA%\KeepTool16\Projects\KTProjects.XML

All passwords are stored in encrypted XML tags. The key is included in our applications, which allows them to decrypt the passwords later.

The cryptographic algorithm was introduced years ago. We are not aware of any security incidents related to this. Nevertheless, security standards are becoming increasingly stringent and we want to offer our customers as much security as possible. In KeepTool 16.2, all saved passwords are re-encrypted using an AES-256 method. This is one of the most secure encryption methods currently available.

Getting started with AES-256 encryption

When you start Hora 16.2 for the first time, the application looks for an existing KTProjects.XML file:

  • In case of a new KeepTool installation, there are no saved connections (yet).
  • If you have not used the “Save password” option for any connection, there are also no saved passwords.
  • In all other cases, the XML file contains encrypted passwords.

If the XML file contains encrypted passwords, KeepTool 16.2 prompts you to create a KeyStore. To do this, you must define a master password that protects access to all other passwords. KeepTool decrypts all stored passwords and then re-encrypts them using the new method. The next time you log on to a database, you will need your personal master password again to unlock the KeyStore. For your convenience, KeepTool backs up the old XML file in the same folder as KTProjects.old.

For a new installation, KeepTool creates the KeyStore the first time you connect to the database, provided the “Save password” option has been activated. As an alternative, you can use a backup copy of the KTProjects.XML file from your old computer or any other machine. Make sure you know the master password. It is advisable to change it now. You can read how to do this later in the blog.
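
Because KTProjects.old is a copy of the pre-migration file, it still holds the saved passwords in the previous encryption. The following PowerShell script is an added example, not KeepTool code: it reports such backups and any file permissions granted beyond the owner, SYSTEM and Administrators, and deletes a backup only when `-Remove` is given. The list of expected principals and their English names are assumptions; the paths are the ones named in this article.

```powershell
# Added example: audit leftover KTProjects.old backups after the KeyStore migration.
param(
    # One or more roaming AppData roots to inspect; defaults to the current user.
    [string[]]$AppDataRoot = @($env:APPDATA),
    # Delete the backup instead of only reporting it.
    [switch]$Remove
)

# Principals expected to hold rights on a user's profile files
# (assumption: English-language Windows, default profile permissions).
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$env:USERDOMAIN\$env:USERNAME"
)

foreach ($root in $AppDataRoot) {
    $dir    = Join-Path $root 'KeepTool16\Projects'
    $backup = Join-Path $dir 'KTProjects.old'
    $live   = Join-Path $dir 'KTProjects.XML'

    if (-not (Test-Path -LiteralPath $backup -PathType Leaf)) {
        Write-Host "No KTProjects.old under $dir"
        continue
    }

    $item = Get-Item -LiteralPath $backup
    $acl  = Get-Acl  -LiteralPath $backup
    # Access entries for anyone outside the expected set widen exposure of the
    # passwords kept in the backup under the previous encryption.
    $extra = $acl.Access |
        Where-Object { $expected -notcontains $_.IdentityReference.Value } |
        ForEach-Object { "$($_.IdentityReference.Value):$($_.FileSystemRights)" }

    [pscustomobject]@{
        Backup        = $backup
        LastWriteTime = $item.LastWriteTime
        LiveFileFound = Test-Path -LiteralPath $live -PathType Leaf
        ExtraAccess   = ($extra -join '; ')
    }

    # Delete only when asked and when the migrated file exists next to the backup.
    if ($Remove -and (Test-Path -LiteralPath $live -PathType Leaf)) {
        Remove-Item -LiteralPath $backup -Force
        Write-Host "Removed $backup"
    }
}
```

Run it without `-Remove` first and confirm that the KeyStore unlocks and the saved connections work before deleting the backup.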

Creating the KeyStore

KeepTool first displays a message explaining how to get started with the new encryption method. If you have understood the message and do not want to see it again next time, simply select the checkbox before clicking the OK button.

Then you will be asked to enter a new master key and repeat the input for confirmation. It will be used to protect your saved passwords. There are currently no rules for the quality of the master password. However, we recommend at least 8 characters, including special characters.

Click OK to create your KeyStore. The application now decrypts all passwords using the previous encryption method and re-encrypts them using AES-256 encryption and the master key you provided.

Using the KeyStore

If a KeyStore has already been created, KeepTool shows an information dialog.

Select the checkbox before clicking the OK button to never display the message again.

KeepTool then displays a dialog that prompts you to enter the master key.

At the bottom of the dialog is a checkbox. It allows you to save the master key on your computer. If you select this option, you will no longer be prompted to enter the master key. This is just as convenient as in previous versions of KeepTool, but offers less security. It is up to you whether you use this option.

After a successful master key check, the connection dialog is displayed.

If you enter the master key manually, a “Show password” button appears within the text field for entering the password. While you hold this button down, the text field displays the password as plain text. If you used the “Save master key” option, the “Show password” button is not shown.

Managing the KeyStore

The first page of Hora’s Extras | Settings dialog contains a group box with three buttons for managing the KeyStore:

  • Change master key
    Prompts you to enter the current master key and a new key.
  • Forget saved master key
    Discards the saved master key. KeepTool will prompt you to enter the master key next time you connect to the database.
    The button is disabled if you did not save your master key.
  • Forget all saved passwords
    Deletes all passwords from the KeyStore. You will have to enter the database passwords manually the next time you connect to the database.

Password forgotten?

As with all other keystores, there is no option to restore the master password. Please retain the master password in a safe place. Even if you have saved the master password on your computer, you will need it again to unlock the keystore on another machine.

But there is good news. Since KeepTool only encrypts the passwords, all other properties of the stored database connections are not encrypted and are still available without entering the master password. Simply cancel the entry of the master password and use any saved database connection. In this case, only the passwords need to be entered again.

Summary

AES-256 password encryption is a big step towards greater password security. The keystore is protected by your personal master key and cannot be decrypted by any other user. It is recommended to use a strong master password and enter it every time you start KeepTool.