
I don't use KP, but I have a pdf for my floor safe in my password manager. I only open it a few times per year and I need more than just the combination, I need instructions on whether the first number is cw or ccw. While I could no doubt look it up on the internet every time, I was fearful that the user's manual might some day disappear from the internet. Some things that aren't obviously passwords still belong in a password manager.



In my mental model, the PDF is not a secret and can be stored anywhere -- encrypted, if desired, but it sounds like a public document.

The safe combination is a secret, and obviously belongs in secret storage.

In this specific example, if I had trouble remembering whether the first number of the combination was reached via cw or ccw rotations, I'd include that in the secret, e.g. "cw34-12-22-45".

(Some safe combinations require multiple rotations. I unintentionally became the owner of one that is something like "cw3x34-ccw2x12-cw5x22-ccw2x45". I still can't open it actually, but that pattern is what the Internet tells me. :)


>In my mental model, the PDF is not a secret and can be stored anywhere -- encrypted, if desired, but it sounds like a public document.

Sure, but I will need it at the same time and for the same reason as the combination which does belong in the password manager. To store it separately would be more difficult.

In any event, it's not large. I seem to remember it is only in the low hundreds of kilobytes. But there is occasion for such things.

>I unintentionally became the owner of one that is something like "cw3x34-ccw2x12-cw5x22-ccw2x45"

Mine is similar. I even have the cw/ccw in with the numbers, but that alone never seems to get it for me... sometimes I do need to look at the pdf. I simply don't get enough practice to do it from memory.


With cases like these, is it possible for you to simply copy the important text data into a note, or do you absolutely need the full pdf? Most attachments can be reduced down to their barest text form to avoid bloating the db.

I could likely copy the entire paragraph that explains where to zero the dial to, which direction to start (and how many turns). It would be, I don't know, 120 words or so? But I don't think that it taxes the password manager to just add the pdf to the attachment. I haven't yet run into a scenario where I desperately need to pare my encrypted vault down in size. Perhaps I don't understand the technology all that well though, and I'm setting myself up for grief later.

It’s more of a purist attitude on my end for sure. I cannot stand the idea of storing a PDF and all its bloat for a single paragraph of information that could easily fit into an entry note. Vendor PDFs are also sometimes ridiculously unoptimized too. Even for a modest 500kb PDF, that’s still like a couple hundred plaintext entries that could have taken its spot.

Were that me (I used KP), it would be in a different kdbx file. This is one of the benefits of KP, I have about 8 different vaults for various things. I don't like putting my eggs in one basket.

You lose the convenience of one file though. In this case you might as well use a purpose-built encryption tool rather than force KeePass into this use case. A VeraCrypt container or encrypted overlay filesystem is a significant performance and UX upgrade since you are already willing to concede managing one file.

It's also possible to create dedicated entries for each of the other KeePass vaults and set the URL field and password to the respective paths (i.e., "kdbx://PATH/TO/OTHER/DATABASE.kdbx") and passwords, then you can simply double-click on the URL field to automatically open and unlock the other vaults.

The URL field in KeePass has lots of convenient features [0], but unfortunately they're quite "obscure" and not very discoverable.

[0]: https://keepass.info/help/base/autourl.html


That's true regarding the one file convenience but from another angle it's a separation of concerns, especially considering it's a pdf accessed very occasionally.

I maybe half agree with you about the encrypted overlay filesystem but only in respect to files, not passwords though. I tend not to keep files in KP, if I need a singular encrypted file I'd probably 7zip it (7z format) with a password and encrypt the filenames. The password goes in KP as does the location.
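The 7z approach above has one detail worth checking: a password alone encrypts file contents, and the file names stay readable by anyone who picks up the archive, which is why the commenter also wants the names encrypted. The script below is an added example, not code from the thread or from 7-Zip; it builds two archives from a constructed stand-in for the manual, one with `-p` only and one with `-p` plus `-mhe=on` (header encryption), and shows that the first still lists its file names without the password. The file names, directory and passphrase are made up for the demo; in practice the passphrase would come from the password manager, as the comment says, and never sit in a script.

```shell
#!/bin/sh
# Added example (not from the thread): compare a 7z archive encrypted with -p
# only against one with -p and -mhe=on. Requires the 7z binary (p7zip / 7-Zip).
set -e

# Create two encrypted archives in the given work directory.
make_archives() {
    dir="$1"
    mkdir -p "$dir"
    # Constructed stand-in for the safe manual (not a real PDF).
    printf 'constructed stand-in for the safe manual\n' > "$dir/safe-manual.pdf"
    # Hypothetical passphrase; in real use it comes from the password manager.
    pw='example-passphrase-from-KP'

    # -p alone: file contents are encrypted, the archive header (names, sizes,
    # timestamps) is stored in the clear.
    7z a -t7z -p"$pw" "$dir/contents-only.7z" "$dir/safe-manual.pdf" >/dev/null

    # -mhe=on additionally encrypts the header, so even the file list needs
    # the passphrase. This is the "encrypt the filenames" option in the GUI.
    7z a -t7z -p"$pw" -mhe=on "$dir/headers-too.7z" "$dir/safe-manual.pdf" >/dev/null
}

# Returns 0 if the archive's file list can be read without the real passphrase,
# i.e. the header is not encrypted. A deliberately wrong password is supplied
# so 7z never prompts interactively.
names_leak() {
    7z l -p"wrong" "$1" >/dev/null 2>&1
}

# Run the demo when invoked with a work directory, e.g. ./7z-demo.sh /tmp/demo
if [ $# -eq 1 ]; then
    make_archives "$1"
    if names_leak "$1/contents-only.7z"; then
        echo "contents-only.7z: file names readable without the passphrase"
    fi
    if names_leak "$1/headers-too.7z"; then
        echo "headers-too.7z: file names readable without the passphrase"
    else
        echo "headers-too.7z: file names hidden, passphrase required to list"
    fi
fi
```

The check that matters is the second `names_leak` call: with `-mhe=on`, `7z l` with a wrong or missing password fails instead of printing the file list, so the archive reveals neither the manual's name nor its size. Without it, the only thing protected is the bytes inside the PDF.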


Yes, we agree. Keep the passwords in the password manager and keep the files in the EOFS. If you need true separation between those files, just make different containers or FS for them.



