Working and Security

The smooth browsing experience you get with Enpass is the result of three components working together: the Enpass App, the Enpass plugin (extension) and the Enpass Assistant. Each component has its own function.

Components of Enpass

  • Enpass App - This is the main application that you start yourself from the launcher; it runs as its own process in the OS. Of all the components, only the Enpass App can access the data in the encrypted Enpass database. The Enpass App needs to be running for the browser extension to work.
  • Enpass Extension - The Enpass Extension is the program that integrates into web browsers. It is responsible for filling in login and credit card details.
  • Enpass Assistant - This is the component that does all UI (user interface) work in the browser, such as presenting the list of items, taking user input and showing various other prompts. The Enpass Assistant always runs as a single process with the main Enpass App and closes automatically with it.

Communication

The Enpass App communicates with the Extension over a local WebSocket. We have tried to ensure maximum security so that no one can eavesdrop on your sensitive data.

  • Extension Validity Check - When a browser extension tries to connect to the Enpass App, we verify the origin of the connection: it must be the unique identifier of our browser extension, and the browser will not allow any two extensions with the same ID.
  • Browser Validity Check - When a browser extension tries to connect to the Enpass App, we also verify the browser's authenticity by checking its code signature, i.e. the browser must be code signed with the relevant company's certificate (e.g., Chrome is signed by Google).

Note

Browser Validity Check is not available on Linux as code signing is not available there.

  • Pairing - The browser extension needs to initiate an SRP handshake with a pairing code that is displayed. The user has to enter that pairing code into Enpass manually. If the pairing code matches, both the Enpass App and the browser extension hold a common secret at the end of the handshake, and further communication is encrypted with that common secret. The browser extension also stores a provided pairing key for further sessions; it is stored in the extension sandbox. The user can opt not to store the pairing key for the next session, in which case the browser needs to pair again for every browser session.
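
The Extension Validity Check described above can be pictured as an allow-list test on the `Origin` header of the WebSocket upgrade request. The following is an added example, not Enpass's own code: the extension IDs, the port and the helper names (`build_request`, `parse_headers`, `origin_allowed`) are constructed for illustration.

```python
# Added example: Origin allow-list check for a loopback WebSocket handshake.
# Extension IDs and the sample request are constructed, not Enpass's values.
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {
    ("chrome-extension", "abcdefghijklmnopabcdefghijklmnop"),    # constructed
    ("moz-extension", "11111111-2222-3333-4444-555555555555"),   # constructed
}
LOOPBACK = {"127.0.0.1", "::1"}

def build_request(*origins: str) -> bytes:
    """Construct a sample upgrade request carrying the given Origin headers."""
    lines = ["GET / HTTP/1.1", "Host: 127.0.0.1:49152", "Upgrade: websocket",
             "Connection: Upgrade"] + [f"Origin: {o}" for o in origins]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")

def parse_headers(raw_request: bytes) -> dict:
    """Parse the request head into {lower-case header name: [values]}."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:           # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def origin_allowed(raw_request: bytes, peer_ip: str) -> bool:
    """Accept only a loopback peer presenting exactly one allow-listed Origin."""
    if peer_ip not in LOOPBACK:
        return False
    headers = parse_headers(raw_request)
    if [v.lower() for v in headers.get("upgrade", [])] != ["websocket"]:
        return False
    origins = headers.get("origin", [])
    if len(origins) != 1:                         # missing or duplicated Origin
        return False
    try:
        parts = urlsplit(origins[0])
    except ValueError:                            # malformed authority
        return False
    # Exact scheme + host match; reject ports, userinfo, paths and queries.
    if parts.netloc != parts.hostname or parts.path or parts.query:
        return False
    return (parts.scheme, parts.hostname) in ALLOWED_ORIGINS
```

A browser sets `Origin` itself, so a web page or another extension cannot forge it, but the header is only meaningful when the peer really is a browser, which is what the Browser Validity Check covers.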

Advice for users

For maximum security, we advise users to:

  • Download browsers from legitimate sources only.
  • Install third-party extensions carefully.