How are the passwords stored when vault is unlocked

[Soumyadip Haldar]

Hi all,

I don't have good encryption knowledge so my question may seem very layman, but I want to understand how KPM works.

I understand that KPM stores the passwords in an encrypted form. But What happens when I unlock the vault. Does it store the passwords in storage devices in unencrypted form or does it just keep it in memory? If it's stored in hard drive, then it is pretty vulnerable. And if it's stored in ram the hackers can get a memory dump and suddenly they will have all of my passwords.

Also, what happens to the master key? Where is it stored? If it is stored in hard drive, then can't anybody just take the key and the encrypted vault and will be able to decrypt it?

[Berny]

@Soumyadip Haldar

1) Please see → How Kaspersky Password Manager protects your data
Only someone who knows the main password can open the encrypted vault.

2) Please see → About the master password

Quote

"To keep your data safe, Kaspersky Password Manager does not store the master password on your devices and does not transmit it to the online vault. Memorize or write down your master password, because it is impossible to recover a forgotten master password."

 

[Soumyadip Haldar]

Thanks @Berny for responding. Unfortunately, your reply didn't answer my question.

1. I know KPM encrypts the vault. But my question was what happens when the vault is unlocked with master password? Does it store the passwords on the memory (RAM)? Or does it store the passwords on hard drive. If it's on hard drive and unencrypted (when vault is unlocked by the user) then it is dangerous. And when it is stored in memory then a memory dump can reveal the information.

2. I understand the master password is not stored anywhere. But the key has to be stored. Right? Where is this key stored? If an attacker hijacks the key and the vault (encrypted) he/she can decrypt the vault. Right? So my question is what security measures Kaspersky takes to prevent this? Especially how is the key stored?

Thank you again.

[itsentdev]

I'm mostly guessing here, but as an encryption principle, I would assume that KPM is not 'storing' your key at all. The whole point of encryption is that you don't store the decryption key anywhere. When you enter a key, it attempts to use that as a decryption input, and if it fails (gives garbage output) then the key must be invalid. I may be wrong, feel free to tell me.