Security in Enpass 4.5, SQLCipher and more

In Enpass 4.5 we have not only introduced a fresh user interface but also strengthened security many times over. In fact, the new security engine was itself one of the reasons to rewrite the whole application from scratch, and that's why it took us months.

A Bit of History

Before version 4.5 your data in Enpass was stored in a SQLite file. All your data was encrypted (with AES-256 and 2048 PBKDF2 iterations) except some metadata such as item names, update timestamps and item UUIDs. They were left unencrypted for a snappy UI and sync performance; little security could be gained by encrypting these metadata items. In version 4.5, however, we encrypt 100% of the data, metadata included.

Move to SQLCipher

We decided to use the SQLCipher encryption engine, which allowed us to encrypt 100% of the data file. It uses the same AES-256 encryption algorithm that was used in previous versions of Enpass.

Open Source Goodness

Moreover, SQLCipher is a peer-reviewed, open source library, which makes it transparent and leaves no stone unturned when it comes to trust. It has been reviewed by many security experts and is used by the world's leading organizations to encrypt SQLite databases. It itself uses the world-leading encryption algorithm AES-256, which is also openly specified and remains unbroken.

Increased Number of PBKDF2 Rounds

We have tried our best to protect your data even if your data file gets into the hands of crackers. For this purpose, we use PBKDF2 iterations to waste an attacker's time during a brute-force attack. In the new Enpass 4.5, we have increased the number of PBKDF2 rounds from 2048 to 24000. Thus an attacker needs to work about 12 times harder to break into your data by brute force. Make sure you use a strong master password rather than simple dictionary words, birthdates or phone numbers.
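As an added example (not Enpass's or SQLCipher's own code) of why the step from 2048 to 24000 rounds matters, the Python below derives a 256-bit key with PBKDF2 at both round counts and times a single guess at each; the HMAC-SHA256 PRF, the 16-byte salt and the sample password are assumptions of the example, not details from the post.

```python
import hashlib
import os
import time

OLD_ROUNDS = 2048   # Enpass before 4.5 (from the post)
NEW_ROUNDS = 24000  # Enpass 4.5 (from the post)
KEY_LEN = 32        # 256-bit key for AES-256


def derive_key(password: str, salt: bytes, rounds: int) -> bytes:
    """Stretch a master password into a 256-bit key with PBKDF2.
    PRF (HMAC-SHA256) and 16-byte salt are assumptions of this example,
    not details taken from the post."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, rounds, dklen=KEY_LEN)


def work_factor(old_rounds: int, new_rounds: int) -> float:
    """PBKDF2 cost is linear in rounds: per-guess cost scales by this ratio."""
    return new_rounds / old_rounds


def seconds_per_guess(rounds: int, salt: bytes, samples: int = 5) -> float:
    """Best-of-N timing of one derivation: the price of each password guess."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_key("constructed-sample-password", salt, rounds)
        best = min(best, time.perf_counter() - start)
    return best


def guess_time(candidates: int, per_guess: float) -> float:
    """Wall-clock seconds to try `candidates` passwords one after another."""
    return candidates * per_guess


if __name__ == "__main__":
    salt = os.urandom(16)
    old, new = seconds_per_guess(OLD_ROUNDS, salt), seconds_per_guess(NEW_ROUNDS, salt)
    print(f"per guess: {old * 1e3:.2f} ms @ {OLD_ROUNDS}, {new * 1e3:.2f} ms @ {NEW_ROUNDS}")
    print(f"work factor: expected {work_factor(OLD_ROUNDS, NEW_ROUNDS):.1f}x, "
          f"measured {new / old:.1f}x")
    # A 10-million-entry dictionary tried sequentially on this machine:
    for rounds, t in ((OLD_ROUNDS, old), (NEW_ROUNDS, new)):
        print(f"{rounds} rounds: 10M guesses take ~{guess_time(10_000_000, t) / 3600:.1f} h")
    # Same password and salt but a different round count gives a different
    # key, so raising the rounds requires re-encrypting the data file.
    assert derive_key("pw", salt, OLD_ROUNDS) != derive_key("pw", salt, NEW_ROUNDS)
```

The measured ratio tracks the expected 11.7x only for a single-threaded guesser; the round count raises the cost of every guess equally, so a strong master password remains the part of the defence the user controls.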