DESIGN: Archive access keys - glenw921/TripleCrypt GitHub Wiki

Keys to TripleCrypt Vaults (.3cV files)

  1. Browser Stored Key (BSK) for TripleCrypt (Located in Chromium's IndexedDB and includes TBK. Unique to each TC install? Unique to each 3cV file?)
  2. PIN (No size requirements. Hint is stored in .3cD file.)
  3. Passwords (1-10. No size requirements. Hint stored in .3cD file. Configurable minimum number required under different access conditions.)
  4. TripleCrypt Blender Key (TBK) (Generated by TC Blender when file is encrypted the first time?)
  5. PIN/Password Extensions (PPEs) (During encryption each PIN/Password is assigned its own random additional characters to make guessing slow and costly. These are grouped for storage into one "." delimited string.)
  6. The matching TripleCrypt Dictionary (.3cD file or "3cD")
    • Requires at least one password, PIN, or the BSK to decrypt this file.
    • Provides PIN and Password hints.
    • Provides PPE storage string. (see 5.)
    • Provides cipher key for TC Blender (TBK).
    • Provides sequence of encryption and cipher algorithm applications.
    • Provides ID of BSK in IndexedDB.
    • (Provides other encryption keys?)

Optimal Key Combination

BSK + 3cD + PIN [NOTES: This is fast and low effort. The user has the primary device (BSK), the TC Dictionary (TBK & PPEs), and the PIN for basic identification.]

Minimum Sufficient Key Combinations (configurable)

(A) BSK + {PIN or 1 Password} [NOTES: Fast with .3cD or PPEs, else very slow. BSK also contains TBK.]

(B) 3cD + {PIN or 1 Password} [NOTES: 3cD is automatically decrypted if BSK is available, thus providing PIN and Password hints.]

(C) TBK + PIN + {config specified number of passwords} [NOTES: This is very slow due to lack of PPEs.]

  1. PRIMARY DEVICE
    • SET UP: Has BSK and 3cD for unimpeded decryption of TC Vaults.
    • Access: Easy authentication (PIN), fastest decryption.
    • Security: Device access security substituted for TC authentication.
    • Description: A good Primary Device for TripleCrypt (TC) usage provides secure storage for TC files and is itself stored in a secure location. The user has their 3cV and 3cD files on this device, providing access to PIN and Password hints as well as records of the random PIN/Password extensions TC adds when creating encryption keys. Opening a TC Vault here is fast and easy.
  2. ALTERNATE DEVICE
    • SET UP: Needs either 3cD or TBK. (Potentially could allow user to create BSK.)
    • Access: Additional delays and password requirements.
    • Security: Authentication may be aided by 3cD content; otherwise additional authentications and delays are imposed.
    • Description: A good Alternate Device should be free of malware and offline. The user may choose to make the 3cD accessible via portable storage.
  3. BLACKHOLE BACKUP
    • SET UP: Nothing but the TripleCrypt Vault (.3cV file).
    • Access: None in this lifetime.
    • Security: Extreme.
    • Description: The file has multiple layers of encryption and obfuscation. The time and electricity needed to reveal its hidden contents make doing so a losing enterprise.