I am actually writing a Python module to access KeePass/KeePassX databases. My problem is that the password to the database is saved in plain text in my database object:
```python
def __init__(self, filepath=None, masterkey=None, read_only=False,
             new=False):
    """ Initialize a new or an existing database.

    If a 'filepath' and a 'masterkey' are passed, 'load' will try to open
    a database. If 'True' is passed to 'read_only' the database will open
    read-only. It's also possible to create a new one, just pass 'True' to
    new. This will be ignored if a filepath and a masterkey are given.
    """
    self.groups = []
    self.read_only = read_only
    self.filepath = filepath
    self.masterkey = masterkey  # I mean this
```
I don’t know how to avoid this. The only idea I had is to store the password encrypted with a randomly generated key (like KeePassX does), but isn’t there the problem that Python doesn’t allow private members? I mean, is it possible to access the randomly generated key from outside the running program? Or is the only possibility to dump the memory of the program from RAM? If the answer to the latter is "yes", then it should increase security, or am I misguided?
Either way, isn’t there the problem that Python "throws" strings to the whole RAM so that there’s always the possibility that the password is stored in plain text?
Many questions, I know, but it’s one of the most critical points of security in this project.
If you have an OS with process memory protection (all modern OSes have this) then any code that is running in the same process will have access to the password. Other processes will not have access to data unless you grant specific access to a page of memory in an OS specific manner: this is one method RPG is done. The kernel has access to your memory and thus to the password, but if an attack vector comes through that path you have some serious problems.
If you have an OS with virtual memory then the page that contains the password may be written to a file that the root user has access to. So a process that is running as root could read the password from there. But if you have a rogue process running as root you have more serious problems to worry about.
Private members in objects are a language level protection that is only enforced at compilation or interpretation of the code. They have no effect on the RAM access of the data.
So in summary the password is secure while it is in the running process. You only need to be concerned if the password were saved to a file under your control or written to a stream in some manner under your control.
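An added illustration of the points above, not code from the asker's module or from KeePassX: the class `MaskedKey`, its methods and the XOR pad are hypothetical stand-ins for the "randomly generated key" idea. It shows that name-mangled "private" attributes are readable by any code in the same process, and that mutable `bytearray` buffers can at least be overwritten when no longer needed, which an immutable `str` cannot.

```python
import secrets


class MaskedKey:
    """Hypothetical holder that keeps a master key masked with a random pad."""

    def __init__(self, masterkey: bytearray):
        # Random pad as long as the key (stand-in for the random session key idea).
        self.__pad = bytearray(secrets.token_bytes(len(masterkey)))
        self.__masked = bytearray(a ^ b for a, b in zip(masterkey, self.__pad))

    def reveal(self) -> bytearray:
        """Return a fresh, wipeable copy of the clear key for immediate use."""
        return bytearray(a ^ b for a, b in zip(self.__masked, self.__pad))

    def wipe(self) -> None:
        """Overwrite both buffers in place; call when the database is closed."""
        for buf in (self.__pad, self.__masked):
            buf[:] = bytes(len(buf))


def wipe_buffer(buf: bytearray) -> None:
    """Zero a caller-owned buffer in place (impossible for str or bytes)."""
    buf[:] = bytes(len(buf))


def recover_from_same_process(holder: MaskedKey) -> bytes:
    """Name mangling is a naming convention, not access control."""
    pad = holder._MaskedKey__pad
    masked = holder._MaskedKey__masked
    return bytes(a ^ b for a, b in zip(masked, pad))


def demo() -> dict:
    sample = b"constructed-sample-passphrase"  # constructed sample value
    typed = bytearray(sample)                  # mutable buffer from the caller
    holder = MaskedKey(typed)
    wipe_buffer(typed)                         # caller's clear copy is gone
    result = {
        "caller_copy_wiped": typed == bytearray(len(sample)),
        "recovered_in_process": recover_from_same_process(holder) == sample,
    }
    holder.wipe()
    result["gone_after_wipe"] = recover_from_same_process(holder) == bytes(len(sample))
    return result


if __name__ == "__main__":
    print(demo())
```

Masking and wiping only shorten how long the clear key sits in the process; temporary copies made by the interpreter or by library calls are outside this code's control.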