Where do you recommend storing a .kdbx file backup?
Should I encrypt it with FDE or use Cryptomator?
By FDE do you mean for external storage? If you’re 1000% sure you can remember the password, it wouldn’t hurt. If you’re not, then don’t bother risking your backup; KeePass encryption should be good enough.
I mean an external SSD or flash drive encrypted with LUKS or VeraCrypt.
(I am on Linux, so I prefer native LUKS.)
Maybe then different drives + different passwords for FDE?
I am worried someone will get my seeds (crypto) that are stored in KeePass.
A safer solution could be to increase the decryption time of your database and of course you should be using a long randomly generated master password. That way you only need to remember 1 password rather than 2, decreasing the chance you’ll forget one and lose access to your backup.
I just trust the KeePass encryption, but additional layers couldn’t hurt if you’re trying to protect handsome sums of crypto. Consider an airgapped machine (wireless hardware removed), with FDE, and a VeraCrypt/Picocrypt container.
However, the weak link would still just be KeePass’s own encryption or endpoint compromise while the database is in use on your device, so all of the above is quite extreme if you’re going to use KeePass on a connected device regardless.
My setup is:
I have my .kdbx file and keyfile stored on my laptop, phone, Proton Drive, and multiple hard drives.
The laptop and phone sync with Syncthing so I always have more than one copy.
Perhaps once a month I back up to the external media. I would do this more often if I created accounts more frequently.
I just encrypt my KeePass and store it locally and on my cloud drive, and use Syncthing to sync to my NAS. If I need another layer of encryption, I use VeraCrypt, but as @TheDoc said, KeePass encryption should be good enough.
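
The suggestion above to increase the database's decryption time comes down to the key-derivation settings stored in the file's header. As an added example (not code from this thread or from KeePass), the Python below reads those settings from a KDBX 4 file so a backup can be checked before it goes to cloud or external storage; the function names and the sample header are constructed for illustration.

```python
import struct
SIGNATURE = bytes.fromhex("03d9a29a67fb4bb5")  # KDBX magic bytes as stored on disk
KDF_NAMES = {"c9d9f39a628a4460bf740d08c18a4fea": "AES-KDF",  # KDF UUIDs in KDBX 4
             "ef636ddf8c29444b91f7a9a403e30a0c": "Argon2d",
             "9e298b1956db4773b23dfc3ec6f0a1e6": "Argon2id"}
COST_KEYS = {"R": "rounds", "I": "iterations", "M": "memory_bytes", "P": "parallelism"}

def parse_variant_dict(blob):
    """Decode a KDBX 4 VariantDictionary into {name: int or bytes}."""
    out, pos = {}, 2  # skip the 2-byte dictionary version
    while pos < len(blob) and blob[pos] != 0x00:  # a zero type byte ends the list
        (klen,) = struct.unpack_from("<I", blob, pos + 1)
        key = blob[pos + 5:pos + 5 + klen].decode()
        (vlen,) = struct.unpack_from("<I", blob, pos + 5 + klen)
        val = blob[pos + 9 + klen:pos + 9 + klen + vlen]
        if len(val) != vlen:
            raise ValueError("truncated header")
        # 0x04 and 0x05 are unsigned 32/64-bit integers; other types stay as bytes
        out[key] = int.from_bytes(val, "little") if blob[pos] in (0x04, 0x05) else val
        pos += 9 + klen + vlen
    return out

def read_kdf_settings(data):
    """Return KDF name and cost parameters from the start of a KDBX 4 file."""
    if data[:8] != SIGNATURE or len(data) < 12:
        raise ValueError("not a KDBX file")
    if struct.unpack_from("<H", data, 10)[0] != 4:  # major version
        raise ValueError("only KDBX 4 is handled")
    pos = 12
    while pos + 5 <= len(data) and data[pos] != 0:  # field id 0 ends the header
        field_id, length = struct.unpack_from("<BI", data, pos)  # 1-byte id, 4-byte size
        body = data[pos + 5:pos + 5 + length]
        pos += 5 + length
        if field_id == 11:  # KdfParameters
            p = parse_variant_dict(body)
            info = {"kdf": KDF_NAMES.get(p.get("$UUID", b"").hex(), "unknown")}
            info.update({COST_KEYS[k]: v for k, v in p.items() if k in COST_KEYS})
            return info
    raise ValueError("no KDF parameters in header")

def vd_entry(vtype, key, val):
    return bytes([vtype]) + struct.pack("<I", len(key)) + key.encode() + struct.pack("<I", len(val)) + val

def sample_header():
    """Constructed KDBX 4 header fragment for the demo, not a real database."""
    vd = (b"\x00\x01" + vd_entry(0x42, "$UUID", bytes.fromhex("9e298b1956db4773b23dfc3ec6f0a1e6"))
          + vd_entry(0x05, "I", struct.pack("<Q", 2)) + vd_entry(0x05, "M", struct.pack("<Q", 64 << 20))
          + vd_entry(0x04, "P", struct.pack("<I", 2)) + b"\x00")
    return SIGNATURE + struct.pack("<HHBI", 0, 4, 11, len(vd)) + vd + struct.pack("<BI", 0, 0)
```

On a real database, pass `open(path, "rb").read()` to `read_kdf_settings`; the header is stored unencrypted, so no password or keyfile is needed to check it.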