Duress PIN – What Is It and Why Would I Need It?

So what is this Duress PIN thing and how does it work? The name gives it away; let’s look at a dictionary definition of duress:

Note: The Duress PIN Feature is part of the iOS Pro feature set

The idea of a Duress PIN is simple: if, for whatever reason, you are in a bad situation where someone is forcing you to unlock your database, you can enter a different PIN from the correct one, and Strongbox will perform some kind of plausible action but not reveal your passwords/secrets.

You could be a human rights worker entering an authoritarian country with no real commitment to personal freedoms, or perhaps you’re simply someone who likes their privacy and wants to keep their secrets private. Sounds like a simple wish, but once you arrive at the customs port of your destination country, all bets may be off: the enforcers will want what they want or you’re not getting in. Maybe you work in a dangerous part of the world, and you fear some criminal elements may force you to reveal your banking details or similar. Whatever it might be, anyone could find themselves under duress.

So how do I set up my Duress PIN? The first thing you need to do is set up a regular non-duress PIN, what we call a convenience PIN. This allows you to open your Password Database with a short set of digits (like your ATM PIN). To do this, simply:

  1. Unlock your database
  2. Tap the “More” or “Ellipsis” (…) button in the top right corner
  3. Tap Database Settings
  4. Tap Configure PIN Codes
  5. Tap ‘Turn Convenience PIN On’
  6. Now enter a PIN Code. You’ll now be able to unlock your database with this PIN Code.

Next we will want to set up a separate PIN, our Duress PIN. To do so, let’s go back to that PIN Configuration screen:

  1. Down in the Duress PIN section, tap ‘Turn Duress PIN On’
  2. Enter a PIN, different this time than your regular convenience PIN.

Once done, you’ll notice that the ‘When Duress PIN Entered‘ section is now enabled and you can choose from the three available options. Let’s have a look at these options in turn and see what they do:

  1. Open a Dummy Database
    • This might be the most ‘stealthy’ option of all. Strongbox will open a database so it looks just like your Duress PIN worked. You can actually edit this database to make it look as realistic as possible. Think of it perhaps like a decoy wallet. You want something that looks plausible (e.g. old expired credit cards, maybe even a few dollars!). So you probably want to spend some time setting this up, just don’t enter your real secrets/passwords.
  2. Present a Technical Error
    • A fairly straightforward response: a reasonable looking error message will pop up. Simple yet effective.
  3. Remove Database from Strongbox
    • This is sort of the nuclear option. The database will be removed from Strongbox completely. If your database is stored on a remote provider somewhere it won’t be touched, so don’t worry. It will just not be visible or accessible from Strongbox without re-adding it. However if someone is watching you while you do this it might be obvious you’ve done something to thwart them.

Those are your options, and you’ll need to choose which one suits your particular scenario best. We can’t offer advice on this, only you can decide. Indeed, you will need to decide if you want to use this feature at all. Take a look at our short note of caution below before deciding if using a Duress PIN is something you really want to do. Another option you may consider is to simply remove the database from Strongbox completely during transit in and out of problematic territory. You can re-add your database once you’re safely through that tough jurisdiction, or sticky situation.
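To make the behaviour of the three options concrete, here is a small model of a PIN gate. It is an added example, not Strongbox's code: the class, the file names `real.kdbx` and `dummy.kdbx`, the returned messages and the PBKDF2 parameters are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from enum import Enum


class DuressAction(Enum):  # the three options on the PIN configuration screen
    OPEN_DUMMY = 1
    TECHNICAL_ERROR = 2
    REMOVE_DATABASE = 3


def derive(pin: str, salt: bytes) -> bytes:
    # Salted, slow KDF: the stored verifier is not a direct PIN lookup.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class PinGate:
    def __init__(self, convenience_pin: str, duress_pin: str, action: DuressAction):
        if convenience_pin == duress_pin:
            raise ValueError("duress PIN must differ from the convenience PIN")
        self.salt = os.urandom(16)
        self.real = derive(convenience_pin, self.salt)
        self.duress = derive(duress_pin, self.salt)
        self.action = action
        self.local = {"real.kdbx"}   # databases listed in the app (hypothetical)
        self.remote = {"real.kdbx"}  # copy held by the storage provider

    def unlock(self, entered: str) -> str:
        if "real.kdbx" not in self.local:
            return "no database configured"
        candidate = derive(entered, self.salt)
        # Run both constant-time comparisons on every attempt so response
        # timing does not show which stored PIN (if any) matched.
        is_real = hmac.compare_digest(candidate, self.real)
        is_duress = hmac.compare_digest(candidate, self.duress)
        if is_real:
            return "opened real.kdbx"
        if not is_duress:
            return "incorrect PIN"
        if self.action is DuressAction.OPEN_DUMMY:
            return "opened dummy.kdbx"
        if self.action is DuressAction.REMOVE_DATABASE:
            self.local.discard("real.kdbx")  # remote copy is left untouched
            return "database removed"
        return "error: database could not be opened"
```

After the removal option fires, the model keeps the provider's copy in `remote` while the local reference is gone, which mirrors the description above of a database that must be re-added before it can be opened again.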

A Final Note of Caution

It may actually be illegal or counterproductive to enter a duress PIN in some situations, because if you somehow get caught doing this, the relevant forces/legal authorities may consider it a deceptive act and may take punitive measures against you. This is something you’ll need to consider as part of your particular situation and threat model. It is worth examining how your target jurisdiction will react if you were somehow discovered to be using a Duress PIN in a situation like this. Strongbox only provides this powerful option; the choice, then, is entirely yours.

WebDAV and SFTP Now Available on macOS

Strongbox now supports WebDAV and SFTP on macOS. These new storage providers have been much requested because they provide the ability to host your own KeePass database on your own storage, in a way that allows for synchronisation across devices and availability from anywhere on the Internet (if you like).

Note: WebDAV & SFTP are part of the macOS Pro feature set

WebDAV and SFTP are public, open protocols supported by a wealth of different devices. Indeed, SFTP is probably the standard way of transferring files on Linux-based systems. Because it is built on top of SSH, it is also the most secure way to do this. WebDAV is an open extension of HTTP, adding new methods like PROPGET and PROPFIND, and can sit seamlessly on top of a regular HTTP(S) session. In particular, WebDAV is supported by Nextcloud and Owncloud, two popular up-and-coming privacy-conscious storage solutions, which allow users to operate or subscribe to their own personal storage solution. Often Nextcloud runs on top of a NAS. Alternatively, many NAS devices support WebDAV and SFTP natively; for example, Synology and QNAP provide their own implementations.

If you’re not keen on storing your database on your cloud provider, perhaps a free Dropbox or Google Drive account, but you want the convenience of a centralised location to store your password database, then WebDAV or SFTP could be for you. Strongbox tries to make this straightforward and has supported these protocols on iOS for quite a while. Now these protocols are available on macOS.

To add a WebDAV or SFTP hosted database to Strongbox, simply:

  1. Launch Strongbox and bring up the Databases Manager window (Command + D).
  2. Tap the ‘Add Database…‘ button in the bottom right hand corner and select WebDAV or SFTP as preferred.
  3. You’ll now be prompted to enter the location of your server, and authentication information. Tap Connect when done.
  4. Once successfully authenticated against your server you can start to browse your files and folders.
  5. Locate your database, and tap Select.
  6. You should now have added this database and you’ll be presented with the Unlock screen.

[Figure: Strongbox SFTP Setup – Browsing for a database on macOS]

Strongbox will sync your changes back and forth (merging automatically where necessary). Strongbox also periodically checks whether your database has been changed by another process and updates it if so, so you’re always working with the latest version.
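As an illustration of how WebDAV rides on HTTP and how a client can notice that a remote file has changed, the following added example builds a PROPFIND request and parses a constructed 207 Multi-Status reply. It is not Strongbox's implementation; the path `/dav/passwords.kdbx`, the ETag value and the ETag-comparison strategy are assumptions.

```python
import xml.etree.ElementTree as ET

DAV = "{DAV:}"
BODY = ('<?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:">'
        "<D:prop><D:getetag/><D:getlastmodified/></D:prop></D:propfind>")


def build_propfind(path: str, host: str) -> str:
    """Raw PROPFIND request asking for one file's metadata (Depth: 0)."""
    headers = [f"PROPFIND {path} HTTP/1.1", f"Host: {host}", "Depth: 0",
               'Content-Type: application/xml; charset="utf-8"',
               f"Content-Length: {len(BODY.encode())}"]
    return "\r\n".join(headers) + "\r\n\r\n" + BODY


# Constructed 207 Multi-Status reply for a hypothetical /dav/passwords.kdbx.
SAMPLE_207 = b"""<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:"><D:response>
 <D:href>/dav/passwords.kdbx</D:href>
 <D:propstat><D:prop>
  <D:getetag>"5f3c-constructed"</D:getetag>
  <D:getlastmodified>Mon, 01 Jan 2024 10:00:00 GMT</D:getlastmodified>
 </D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat>
</D:response></D:multistatus>"""


def parse_props(multistatus: bytes) -> dict:
    """Map each href to its etag/last-modified, keeping only 200 propstats."""
    result = {}
    # The reply is untrusted server input: read only the fields we asked for.
    for resp in ET.fromstring(multistatus).iter(f"{DAV}response"):
        href = resp.findtext(f"{DAV}href", "").strip()
        for propstat in resp.iter(f"{DAV}propstat"):
            prop = propstat.find(f"{DAV}prop")
            if prop is None or " 200 " not in propstat.findtext(f"{DAV}status", ""):
                continue
            result[href] = {"etag": prop.findtext(f"{DAV}getetag"),
                            "modified": prop.findtext(f"{DAV}getlastmodified")}
    return result


def remote_changed(cached_etag: str, props: dict, href: str) -> bool:
    """True when the server's ETag differs from the one cached at last sync."""
    entry = props.get(href)
    if entry is None or entry["etag"] is None:
        return True  # no usable metadata: re-fetch rather than trust the cache
    return entry["etag"] != cached_etag
```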

We hope you’ll like this feature and that it’ll all be smooth sailing. Of course, we’d love to hear what you think and if we can improve in any way!