Encrypt whole vault as 1 blob

cancel
Showing results for 
Search instead for 
Did you mean: 

Encrypt whole vault as 1 blob

Encrypt whole vault as 1 blob

Due to the issues and news from Augustus/December 2022, we all know that our entries which are shown in a LastPass-app are saved as records in a storage. Some fields are encrypted, but not all. URL's and meta-data isn't encrypted. Due to this design, the data is valuable without spending time to decrypt.

 

In my opinion a whole vault of an user should be stored as 1 encrypted blob in the cloud. When blob(s) are stolen, it's worthless completely, till it's cracked.

10 Comments
dunkirkcastle
New Member

Agreed.  Although I understand you do need the password iteration count to not be encrypted.

 

tgoetsch
New Member

This should be a requirement, not a feature, I’m leaving the platform after being a paying user on it for most of its existence because not all the data is encrypted and we are now at risk of targeted phishing attacks. I will consider returning only if this feature is implemented and a third party audit has been performed proving security measures have been implemented to better protect user data.

Mark35
New Member

I would also encourage the encryption of the whole blob.  I've put some sensitive information into the comment fields thinking that all this would be encrypted.  I guess that is on me.  If you want my continued subscription, I need you to encrypt all of it.

 

And I don't know if you do this or not, but you might just encrypt our encrypted blob with your own encryption.  That way anyone getting our vault would have to crack your encryption AND then our encryption. 

 

Thanks for listening.

JayMeIn
Active Contributor

The notes (or comments as you call them) on a password record are encrypted.

scuba-belmont
New Member

I am surprised and disappointed that user's metadata is not encrypted. This is a basic requirement. I think, at minimum, that some meta data can remain not encrypted such as house keeping data that does not contain user data (e.g., URL, account settings) or personally identifiable information (e.g, usernames that are emails, etc...).

Mike_Ka
Visitor

Absolutely i agree with all posters so far, ALL information should be encrypted.  i went so far as to buy Keeper after the last database compromise.  it is not as good at auto-filling as LP is so I'm still here from now.  but it will take only one whiff of any more breeches and i'm outta here. 

 

Really, if you're encrypting passwords how hard can it be to encrypt URLs.  

 

and now that I've read Mark35 comments that suggest our Notes field is unencrypted I'm really concerned.  credit card expiry dates and back of card codes.  holy schit!

JayMeIn
Active Contributor

@Mike_Ka as I understand it, Mark35‘s information on comments/notes is incorrect. Everything I have read says that the notes on a record are encrypted.

 

I agree that all fields need to be encrypted.

Mike_Ka
Visitor

JayMein, are you sure about the notes being encrypted?  "as i understand it" is a bit too loose.  i nearly had a heart attack when i read Mark35's comment.  how could LP possibly encrypt notes and then make a conscious decision to Not encrypt URLs?

 

Is there a definitive statement somewhere of what is and is not encrpted?

Mike_Ka
Visitor

Further to my earlier comments i just read the data breech report.  it said that Secure Notes are encrypted but i use the Notes field of related passwords to store information.  they are not the same as Secure Notes.  it is frustrating that there is no one place where LP definitively states what is and is not encrypted.

 

I'm not feeling very good since signing on to the blog today but have no more time to invest in this.  my Keeper licences is waiting!

Mike_Ka
Visitor

here is the URL of the LP disclosure of what was and was not encrypted.  i have an opinion but see what you guys think of it in terms of security of Notes data.  they sure don't make it easy to find this page!

 

https://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass/incid...