Encrypted Password Database Help Page


Creating a new database

To create a new database click on the New icon on the toolbar or select New Database from the File menu:



This will open the Create New Database dialog



In the Create New Database dialog you must type a name for the new database in the text input titled Name for New Database. This can by any name you choose provide the name does not exist.

Once you have input a new for the new database you must choose one of 4 encryption methods:

Create Using Password

This will create a new database using a password. When you open the database you will need to use the password set here. When using a password you will need to input the password 2 times. Once in the Password input and again in the Confirm Password input. Press Enter or click on the OK button to create the new database.

Use Symmetric Encryption Key

A symmetric encryption key file is used to both encrypt and decrypt the database. When using a key file you have to be careful that no other user will have access to the key file. As best practice key files are kept in encrypted volumes or stored on a separate device. To create a key file:

> mkdir ~/.keyes
> chmod 700 ~/.keys
> cd ~/.keys
> dd if=urandom of=master.key bs=128 count=1
> chmod 400 master.key
To use the key file click on the Browse button under the File Name input in the Use Symmetric Encryption Key section . Navigate to your keys directory and select the master.key file. Click on the OK button to create the new database.

Use Public RSA Key

RSA keys allow you to use asymmetric encryption where your public key is used to encrypt the database and your private key is used to decrypt the database. When using RSA keys it is very important that you always passphrase protect your private key and be careful that no other user will have access to your private key key file.

When using an RSA key you must provide a user name for the key. When creating a new database this should default to the username you are logged in as.

To create a public and private key pair:

> mkdir ${HOME}/.keys
> chmod 700 ${HOME}/.keys
> openssl genrsa -aes256 -out ${HOME}/.keys/private.pem 2048
> chmod 400 ${HOME}/.keys/private.pem
> openssl rsa -in ${HOME}/.keys/private.pem -outform PEM -pubout -out {HOME}/.keys/public.pem
To use your RSA public to create a new base key click on the Browse button in the Use Public RSA Key input section and navigate to the location of your public keys and select your public key file. Click on the OK button to create the new database.

If you want to use your SSH-RSA key pair to encrypt the database you must make a copy of your public SSH-RSA key in a PEM format:

> ssh-keygen -f ~/.ssh/id_rsa.pub -m 'PKCS8' -e > ~/.ssh/id_rsa_pub.pem
Your private SSH-RSA key should already be in PEM format and passphrase protected. If you private SSH-RSA key is not passphrase protected run the following command to add a passphrase:

> ssh-keygen -p -f ${HOME}/.ssh/id_rsa -e -m PEM

Smart Card

When using a smart card you provide a username and ID for the smart card cert you are using. When creating a new database this should default to the username you are logged in as.

To get your smart card cert ID use the pkcs11-tool to find the ID labeled PIV authentication:

> pkcs11-tool --list-objects

Using slot 0 with a present token (0x0)
Public Key Object; RSA 2048 bits
  label:      PIV AUTH pubkey
  ID:         01
  Usage:      encrypt, verify, wrap
  Access:     none
For DOD CAC the PIV authentication object will typically be 01

By default the Encrypted Password Data program will use OpenSC PKCS 11 as the provider and use the openssl-pkcs11 engine. On your workstation please ensure the opensc and openssl-pkcs11 packages are installed. If you need to change any of the smart card default setting edit the following section in the Encrypted Password Database configuration file:

> vi ${HOME}/.encrypted_password_database/encrypted_password_database.cfg

# Smart card settings
SC_enginePath = /usr/lib64/engines-1.1/pkcs11.so
SC_modulePath = /usr/lib64/opensc-pkcs11.so
SC_engine_ID = pkcs11
SC_cert_id = 01
For NoMachine remote desktop session with you smart card forwarded as a smart card device use the following provider:

SC_modulePath = /usr/NX/lib/libpkcs11.so
Any changes to the encrypted_password_database.cfg will require you to restart the program.

Once you have verified your smart card settings input your smart card user name and cert ID. Click on the Use Smart Card check box in the Smart Card section. Click on the OK button to create the database.

Working with new database files

After you create the new encrypted database you will be presented with a blank grid. To enter data you can type directly in the grid cells starting with the first column named Title. You can also add entries by clicking on the Add button on the toolbar.



This is a persistent object oriented database. All additions, changes, or deletions are a direct write to the database. So there are no changes to save as there are no in-memory copies of the database. When you enter an item on the grid or from a panel the data is encrypted and written directly to the database.

Return to Help Pages Contents