Quick Unlock - Rookiestyle/LockAssist GitHub Wiki
Quick Unlock offers two different working modes.
Both modes allow you to enter a QuickUnlock key instead of the original key to unlock an already loaded database.
You can not use this Quick Unlock key to initially open a database.
Working modes:
- Database password
- Quick Unlock entry
Prerequisites
- Database masterkey contains a password
- Option 'Remember master password' is active
You are free to use any combination of keyfile, KeyProvider plugin and Windows User Account in addition. None of them are mandatory.
You can define the length of the Quick Unlock key, e. g. 4 characters and whether it will be the first of the last 4 characters of your database password.
If you don't want to use 'database password' mode you can decide to use 'Quick Unlock entry' instead. In this case your database has to contain an entry with title 'LockAssist - Quick Unlock' and this entry must not be expired. The Quick Unlock entry does not need to be in the rootgroup but can be located in any group. Only requirement is that searching for this group is active which is the case by default. LockAssist assists you in creating this entry.
You can define the length of the Quick Unlock key, e. g. 4 characters and whether it will be the first of the last 4 characters of the Quick Unlock entry's password.
Quick Unlock can be configured per database.
You can e. g. decide to always use the last 4 characters of the database' master password as Quick Unlock key and deactivate Quick Unlock for a specific database.
You can as well decide to not use Quick Unlock in general and activate it for a specific database only.
It's completely up to you.
Whenever a previously opened database is locked, its masterkey is remembered in an encrypted and secure way.
When unlocking the database, you have exactly one attempt to unlock the database using the Quick Unlock key.
If this is successfull, the database will be unlocked and ready for usage. If this fails, all data remembered by LockAssist ist cleared, the database stays locked and the complete masterkey is required to unlock the database.
LockAssist does not change the way KeePass encrypts your database.
Instead, LockAssist remembers the hash of the masterkey that KeePass calculates based on the masterkey data you provide (password, keyfile, windows user account, ...).
This hash itself is encrypted using the Quick Unlock key that you can define.
The encryption used for that is exactly the same encryption that is used by KeePass for encrypting the database.
The Quick Unlock key itself is not remembered at all.
If you trust KeePass encrypting your database, you can trust LockAssist encrypting the masterkey's hash.
When you provide the Quick Unlock key, Lock Assists uses whatever data you provide and decrypts the encrypted masterkey's hash.
In a second step, this hash is provided to KeePass to actually unlock the database.
If you provide the correct Quick Unlock key, this decryption will return the correct hash and consequently KeePass can unlock the database.
If you did not provide the correct Quick Unlock key, this decryption will return an invalid hash and KeePass won't be able to unlock the database.
Either way, the encrypted masterkey's hash will be cleared.
This compensates the fact that the master password you use will be much longer than the Quick Unlock key.
It might be easier to crack a 4 character Quick Unlock key than a e. g. 30 character master password but if you don't succeed th very first time... there is no 2nd try.