KeePass

KeePass is an encrypted password database format. It is an alternative to online password managers and is supported on all major platforms.

There are two versions of the format: KeePass 1.x (Classic) and KeePass 2.x

Installation

There are three major implementations of KeePass available in the official repositories:

https://keepass.info || keepass
  • KeePassXC Fork of KeePassX that is actively maintained and has additional features like browser integration, ssh agent support, yubikey support, a TOTP generator and KeeShare included. Also provides a CLI.
https://keepassxc.org || keepassxc
https://gitlab.gnome.org/World/secrets/ || gnome-passwordsafe

Other lesser-known alternatives can be found in the AUR:

  • KeePassX Started as a Linux port of KeePass. keepassx2AUR uses the KeePass 2.x format, but can import 1.x databases. It also lets you import PwManager and KWallet XML databases. It does not support plugins. No active development since 2016.
https://www.keepassx.org/ || keepassxAUR keepassx2AUR
  • keepassc A curses-based password manager compatible to KeePass v.1.x and KeePassX. It uses xsel for clipboard functions.
https://raymontag.github.io/keepassc/ || keepasscAUR
  • kpcli A command line interface for KeePass database files *.kdb or *.kdbx.
https://sourceforge.net/projects/kpcli/ || kpcliAUR
  • keepmenu Dmenu/Rofi frontend for Keepass database files.
https://github.com/firecat53/keepmenu || keepmenuAUR
  • keeweb A web app (online / Electron) compatible with KeePass 2.x. KeeWeb is the only version with default Sync support for major cloud services, Gdrive, Onedrive, Dropbox etc.
https://keeweb.info || keewebAUR nextcloud-app-keewebAUR

Integration

Many plugins and extensions are available for integrating KeePass to other software. KeePassX and KeePassXC do not have a plugin interface, but KeePassXC has various integrations built-in.

Plugin installation in KeePass

Note: KeePassX and KeePassXC do not support plugins. KeepassXC has some integrations built-in.

KeePass is by default installed at /usr/share/keepass/. Copy plugin.plgx to a plugins sub-directory under the KeePass installation directory as demonstrated below:

keepassxc-browser for KeePassXC

keepassxc-browser is the browser extension of KeePassXC’s built-in browser integration using native-messaging and transport encryption using libsodium. It was developed to replace KeePassHTTP, as KeePassHTTP’s protocol has fundamental security problems.

The developers provide the browser extension on

Support for Firefox and Chromium forks is available. For librewolfAUR, open KeePassXC, go to Tools > Settings > Browser Integration > Advanced > Config Location:, and add .

The source code and an explanation how it works can be found on GitHub, the KeePassXC developers provide a configuration guide on their website.

keepassxc-browser for KeePass

keepassxc-browser can also be used with KeePass through Keepass-natmsg Plugin from AUR () and is recommended as successor of KeePassHTTP.

KeePassRPC and Kee

Kee (GitHub repo) is a browser extension for Firefox and Chromium which integrates KeePass through KeePassRPC, a KeePass plugin from the same developers.

The KeePass plugin is available from GitHub or from the AUR ().

The browser extension can be found on GitHub, Firefox Add-ons and the chrome web store.

Via autotype feature

An alternative to having a direct channel between browser and KeePass(XC) is using the autotype feature. There are browser extensions which support this way by putting the page URL into the window name:

Nextcloud

Open Keepass stores inside Nextcloud

Yubikey

YubiKey can be integrated with KeePass thanks to contributors of KeePass plugins. KeepassXC provides built-in support for Yubikey Challenge-Response without plugins.

Configuration with KeePass

  1. StaticPassword
    Configure one of Yubikey slots to store static password. You can make the password as strong as 65 characters (64 characters with leading "!"). This password can then be used as master password for your KeePass database.
  2. one-time passwords (OATH-HOTP)
    1. Download plugin from KeePass website: https://keepass.info/plugins.html#otpkeyprov
    2. Use to setup OATH-HOTP
    3. In advanced mode untick OATH Token Identifier
    4. In KeePass additional option will show up under Key file / provider called One-Time Passwords (OATH HOTP)
    5. Copy secret, key length (6 or 8), and counter (in Yubikey personalization GUI this parameter is called Moving Factor Seed)
    6. You may need to setup Look-ahead count option to something greater than 0, please see this thread for more information
    7. See this video for more help
  3. Challenge-Response (HMAC-SHA1)
    1. Get the plugin from AUR:
    2. In KeePass additional option will show up under Key file / provider called Yubikey challenge-response
    3. Plugin assumes slot 2 is used

SSH agent

KeePassXC offers SSH agent support, a similar feature is also available for KeePass using the KeeAgent plugin.

The feature allows to store SSH keys in KeePass databases, KeePassXC/KeeAgent acts as OpenSSH Client and dynamically adds and removes the key to the Agent.

The feature in KeePassXC is documented in its FAQ.

Secret Service

KeePassXC contains a Freedesktop.org Secret Service integration. When enabled other programs can save secrets inside KeePassXC. While this improves overall security, it can lead to some unwanted behaviour while KeePassXC is closed, as programs that rely on their secrets to work cannot fetch them.

Tips and tricks

Disable your clipboard manager

If you are an avid user of clipboard managers, you may need to disable your clipboard manager before you launch Keepass and then re-start your clipboard manager afterwards.

KeePassXC implementations has the option to auto-clear the clipboard manager after an amount of time, enough to paste copied items.

Dark theme

To enable the dark theme for KeePass, install . After installation, the plugin will get compiled upon starting KeePass. It can then be activated via , or by pressing .

Troubleshooting

User interface scaling issues with KeePassXC 2.6

If the user interface elements are not scaled properly, see HiDPI#Qt 5 and upstream bug report.

gollark: We had one, but it was postponed due to you slightly reducing badness below the threshold.
gollark: 5, technically.
gollark: Unless you mean Esolangs 3 or heavserver.
gollark: Wasn't me.
gollark: I split it up to do as much as possible in parallel and then stuck a simple dependency resolution thing on.

See also

This article is issued from Archlinux. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.