Asking for a friend. Not your NSA agent. Which is what your NSA agent would say…
By keyfiles I mean the extra files encryption software generates to strengthen passwords.
Hard copy. Printed. And in a safe and secure place in a water and fire resistant bag if possible.
I understand that method is perfect for passwords. But keyfiles are digital for a reason, otherwise I’d just write down my password.
I just store them on a dedicated thumb drive and connect it only when needed; for my KeePass vault it functions kinda like a poor man’s YubiKey.
The purpose of a keyfile is to make sure the device is trusted, that’s all.
I memorized 2 passwords. SHORT and LONG…
SHORT password is for password managers, frequent use.
LONG password is for disk encryption, infrequent use.
Keyfile is stored unencrypted on disk, but when it’s backed up online, it requires LONG password.
My SHORT password is over 20 characters long btw.
Pretty sure the purpose of the keyfile is to make an even longer unguessable password.
You could remember a short password, but with a key file that only you know the location of it becomes a max length password instantly.
Files can be encrypted and attached to entries in KeePass.
Many tools strengthen passwords with extra files or key blobs (like VeraCrypt’s keyfiles or KeePass’s KDF-enhanced databases).
But there’s also a different approach: instead of storing files to boost strength, you can derive strong keys deterministically using modern KDFs like Argon2id — based on consistent inputs (like a passphrase + service name).
In that case, you don’t need any files at all — no vaults, no blobs, no sync. The strength comes from computational hardness, not hidden files.
It’s a very different model, but for privacy-focused users who want to avoid storing any secrets or files, it’s a pretty elegant path.
Curious if anyone else here has tried stateless password generation — feels like a natural extension of the “less to store = less to leak” mindset.
I don’t use them usually. If I really need them, they go on a YubiKey, with the backup paper copy stored in my safe. I have 2 passwords I memorize, one for password managers and one for disk encryption. Both are ~60 characters long.
That’s a solid setup — sounds like you’ve really optimized for both security and backup resilience. Memorizing strong passphrases and keeping a paper fallback is definitely a time-tested model.
On a related note, I’ve been exploring tools that skip keyfiles altogether by using deterministic generation: you enter a passphrase + label, and it generates the same password or encryption key every time — with no vaults, no storage, no sync.
It shifts the problem from “how do I store my secrets securely?” to “how can I derive them securely without storing anything?”
It’s not a replacement for all use cases (like FDE), but for password management and shared credentials, the stateless model can really reduce attack surface.
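The passphrase + label derivation described in the two posts above (the Argon2id one and the "no vaults, no storage, no sync" one), as an added example that is not code from any tool mentioned in the thread. Argon2id is not in the Python standard library, so hashlib.scrypt stands in as the memory-hard KDF; the scheme tag, KDF parameters, alphabet and the fingerprint idea are assumptions for this demo.

```python
import hashlib
import string

# Stateless model: passphrase + public label -> memory-hard KDF -> password.
# Nothing is stored; the same inputs always yield the same password.
# scrypt is used here in place of Argon2id (assumption: stdlib only).

ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@_"
SCHEME = b"stateless-pw-demo:v1"  # assumed domain-separation tag


def derive_key(passphrase: str, label: str, counter: int = 0) -> bytes:
    """Derive 64 KDF bytes for (passphrase, label, counter)."""
    # The salt is the public context. Scheme tag + label + counter means two
    # services never share derived material, and bumping `counter` rotates one
    # service's password without changing the master passphrase.
    salt = SCHEME + b":" + label.encode() + b":" + str(counter).encode()
    # n=2**14, r=8 costs 16 MiB, under hashlib.scrypt's default 32 MiB limit.
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)


def derive_password(passphrase: str, label: str, counter: int = 0, length: int = 20) -> str:
    """Map the KDF output to `length` ALPHABET symbols without modulo bias."""
    if not 1 <= length <= 64:
        raise ValueError("length must be 1..64 for 512 bits of KDF output")
    # Treat the 512-bit output as one integer and peel off base-|ALPHABET|
    # digits; the residual bias is ~2^-512, so each symbol is effectively uniform.
    n = int.from_bytes(derive_key(passphrase, label, counter), "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        out.append(ALPHABET[idx])
    return "".join(out)


def passphrase_fingerprint(passphrase: str) -> str:
    """Short check value to catch a mistyped passphrase (assumed mitigation).

    A stateless scheme has no stored secret to verify against, so a typo
    silently yields a different, valid-looking password. A few characters
    derived under a fixed label let the user spot the typo, at the cost of
    handing anyone who obtains them an offline check for passphrase guesses.
    """
    return derive_password(passphrase, "__fingerprint__", length=4)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    print(derive_password("correct horse battery staple", "example.com"))
    print(passphrase_fingerprint("correct horse battery staple"))
```

The trade-off the thread hints at shows up directly: changing the label or counter changes the output, but nothing can tell a mistyped passphrase from a correct one unless some check value like the fingerprint is kept.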