
Autolock the vault when macOS session is locked #231

Closed
rghedin opened this issue May 7, 2022 · 8 comments
Assignees
Labels
macOS macOS-specific issue refinement Something that can work/look better

Comments

@rghedin

rghedin commented May 7, 2022

What can be improved?
I noticed that even fiddling with Control Access options, there's no option (AFAIK) to lock the vault when I suspend the session (close the lid, block it manually with Command + Control + Q, or macOS shows the screensaver or enters sleep mode). Some other apps, like KeePassXC and MacPass, have this option, and I find it valuable so that if someone bypasses my macOS password/login, they still won't be able to access my passwords. (When I'm using the computer, I usually leave Keepassium open/the vault unlocked for convenience.)

The solution you'd like
An extra option to lock the vault whenever the session is locked.

@rghedin rghedin added the refinement Something that can work/look better label May 7, 2022
@keepassium keepassium self-assigned this May 7, 2022
@keepassium
Owner

Thanks! I will look into this.

@keepassium keepassium added the macOS macOS-specific issue label May 7, 2022
@vit9696
Contributor

vit9696 commented Aug 24, 2023

@keepassium, honestly, this can be considered a security issue for the following reasons:

  - When macOS is in sleep mode or hibernated, Keepassium will stay unlocked and thus exceed the specified timeout of the automatic lock. It is thus theoretically possible for an attacker to e.g. close the lid, steal the computer, and then, with specialised software, reach Keepassium before it locks itself.
  - On older x86 laptops hibernation is used to reduce battery drain, and thus the OS stores RAM contents on the system drive. The image is encrypted, but depending on the machine firmware and generation (Apple eventually fixed it on newer x86 machines after my report) the key can be stored in the SMC or even the RTC device, and can be extracted with not too strong effort given physical access.

Could you consider prioritising this please?

@keepassium
Owner

@vit9696, I agree, this can be considered a security issue. It's just that I did not focus on the Mac version too much so far.

This looked simple enough, so I went ahead and implemented the database and app lock. However, this must be optional (many people close/open the lid every few minutes in a safe/trusted environment). And that option is for Mac only. So I'll need to rewrite the settings UI to make it dynamic and hide irrelevant options in the mobile version. And that will take some time…

@keepassium
Owner

On second thought, this does not have to be a separate option. Screen locking/unlocking on a Mac can be wired just like app activation/deactivation on iOS. This way, it would simply work with the existing timeouts, with no need for additional UI.

For instance, setting the App Lock timeout to "immediately" would lock the app when you close the lid. If the timeout is set to something longer, the app would check the time on screen unlock, and act accordingly (just like it does on iOS). Same for database timeouts.

@rghedin, @vit9696, would this work for you?
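
A sketch of the scheme described in the comment above, as an added example that is not KeePassium's own code: macOS screen lock/unlock (and sleep) are routed into the same "deactivated"/"activated" events that iOS app switching produces, and a timeout policy decides whether to lock. The `LockPolicy` and `SessionWatcher` class names are hypothetical. The `com.apple.screenIsLocked`/`com.apple.screenIsUnlocked` distributed notification names are what loginwindow posts in practice but are not documented by Apple, so their delivery is an assumption; `NSWorkspace.willSleepNotification` is a documented AppKit API.

```swift
import AppKit
import Foundation

/// Lock timeout as the settings above describe it: "immediately" or after a delay.
enum LockTimeout {
    case immediately
    case after(TimeInterval)
}

/// Session events the policy reacts to. On iOS these come from app (de)activation;
/// on macOS the SessionWatcher below derives them from screen lock/unlock and sleep.
enum SessionEvent {
    case deactivated   // screen locked, lid closed, machine going to sleep
    case activated     // screen unlocked
}

/// Decides whether the vault must lock on a given event. Hypothetical class, not KeePassium's own.
final class LockPolicy {
    let timeout: LockTimeout
    private var deactivatedAt: Date?
    private let now: () -> Date   // injected so the decision can be unit-tested with a fake clock

    init(timeout: LockTimeout, now: @escaping () -> Date = { Date() }) {
        self.timeout = timeout
        self.now = now
    }

    /// Returns true when the vault should be locked right now.
    func shouldLock(on event: SessionEvent) -> Bool {
        switch (event, timeout) {
        case (.deactivated, .immediately):
            // "Immediately": lock the moment the session goes away; nothing to remember.
            deactivatedAt = nil
            return true
        case (.deactivated, .after):
            // Longer timeout: note when the session went away and decide on return.
            deactivatedAt = now()
            return false
        case (.activated, .after(let seconds)):
            defer { deactivatedAt = nil }
            guard let since = deactivatedAt else { return false }
            // Wall-clock time keeps advancing while the machine sleeps. An uptime-based
            // clock (ProcessInfo.systemUptime, mach_absolute_time) stops during sleep and
            // would undercount how long the vault has been sitting unlocked.
            return now().timeIntervalSince(since) >= seconds
        case (.activated, .immediately):
            return false
        }
    }
}

/// Routes macOS session events into the policy and performs the lock.
final class SessionWatcher {
    private let policy: LockPolicy
    private let lockVault: () -> Void
    private let distributed = DistributedNotificationCenter.default()
    private let workspace = NSWorkspace.shared.notificationCenter
    private var distributedTokens: [NSObjectProtocol] = []
    private var workspaceTokens: [NSObjectProtocol] = []

    init(policy: LockPolicy, lockVault: @escaping () -> Void) {
        self.policy = policy
        self.lockVault = lockVault
        // loginwindow posts these names on screen lock/unlock. They are widely relied on
        // but not documented by Apple, so their exact behaviour is an assumption here.
        for (name, event) in [("com.apple.screenIsLocked", SessionEvent.deactivated),
                              ("com.apple.screenIsUnlocked", SessionEvent.activated)] {
            distributedTokens.append(distributed.addObserver(
                forName: Notification.Name(name), object: nil, queue: .main) { [weak self] _ in
                self?.handle(event)
            })
        }
        // Sleep ends the session too; handling it covers lid-close even if the screen-lock
        // notification is not delivered before the machine suspends.
        workspaceTokens.append(workspace.addObserver(
            forName: NSWorkspace.willSleepNotification, object: nil, queue: .main) { [weak self] _ in
            self?.handle(.deactivated)
        })
    }

    private func handle(_ event: SessionEvent) {
        if policy.shouldLock(on: event) {
            lockVault()
        }
    }

    deinit {
        distributedTokens.forEach { distributed.removeObserver($0) }
        workspaceTokens.forEach { workspace.removeObserver($0) }
    }
}

// Usage (constructed): keep the watcher alive for the app's lifetime and supply the
// app's real lock routine in place of the print.
let watcher = SessionWatcher(policy: LockPolicy(timeout: .after(300))) {
    print("locking vault")
}
```

Which macOS events count as a "deactivation" is the policy choice that matters for this thread: only screen lock and sleep are wired here, so hiding the app or switching to another window does not start the timer. The clock used on unlock also matters, since a monotonic clock that pauses during sleep would let a long sleep count as no elapsed time at all.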

@vit9696
Contributor

vit9696 commented Aug 28, 2023

Hmmm, personally I would prefer it on iOS to work the same way it does on macOS, but I am unsure it is possible.

I.e. when I press the power button on my phone or my tablet, I would like the thing to lock. Yet, when I simply switch to another app I would rather it not lock, because I can be copying some valuable information from one field and may want to return for another field.

If this is not possible, locking the app immediately when switching to another app can be a temporary solution till a better API is available on iOS side.

@rghedin
Author

rghedin commented Aug 28, 2023

I guess it does, @keepassium! This is exactly how I use KeePassium on iOS, with “immediately” selected.

@keepassium
Owner

Thanks! So I have routed screen locking/unlocking as app activation/deactivation events. This will be in the next update, and we'll iterate and refine from there, if needed.

@vit9696
Contributor

vit9696 commented Oct 7, 2023

@keepassium, I think it does not quite work the way it was changed in the latest update and is now totally broken.

  1. Hiding the app via the Dock locks the database when "immediate" is selected. This is unexpected to me, as I only expect screen locking/sleep to do that.
  2. There is no way to lock the application after a timeout anymore, i.e. for a scenario when I am using the computer but not using the password manager. I personally prefer to have the master key erased after a certain amount of time in case the device is compromised.
  3. For whatever reason, the last password entry after locking the screen remains visible after unlocking the screen, and its password is in fact copyable despite the database itself being locked. This is in fact a bad security bug.

In my opinion, besides fixing (3), on macOS screen lock should lock the database at any database locking timeout, i.e. regardless of the setting.


3 participants