KeePass

KeePass is an offline encrypted password database format. It is an alternative to popular online password managers and is supported on all major distributions and other OS platforms.

Currently, there are two variants of the database formats: KeePass 1.x (Classic) and KeePass 2.x

Installation

There are three major implementations of KeePass, which are included in official repositories:

  • KeePass — An easy-to-use password manager for Windows, Linux, Mac OS X and mobile devices. It also has optional autotype and clipboard support respectively when xdotool and xsel are installed. Supports importing from many formats. Has many plugins.
http://keepass.info || keepass
http://www.keepassx.org/ || keepassx keepassx2
  • KeepassXC — Fork of KeePassX that aims to incorporate stalled Pull Requests, features, and bug fixes that are not being incorporated into the main KeePassX baseline.
https://keepassxc.org || keepassxc

Other lesser known implementations are found in the AUR:

  • keepassc — A curses-based password manager compatible to KeePass v.1.x and KeePassX. It also uses xsel for clipboard functions.
https://raymontag.github.com/keepassc || keepasscAUR
  • kpcli — A command line browser of KeePassX database files *.kdb.
http://sourceforge.net/projects/kpcli/ || kpcliAUR
  • keeweb — A desktop webapp compatible to KeePass 2.x.
https://keeweb.info || keeweb-desktopAUR nextcloud-app-keewebAUR

Integration

Many plugins and extensions are available for integrating KeePass to other software.

Plugin Installation

KeePass is by default, installed at /usr/share/keepass/. Copy plugin.plgx to a plugins sub-directory under the KeePass installation directory as demonstrated below:

# mkdir /usr/share/keepass/plugins
# cp plugin.plgx /usr/share/keepass/plugins
Note: KeePassX does not support plugins on its master branch (at the moment of writing KeePassX version is 0.4.4 and KeePassX2 version is 2.0.2). An alternative is to use global autotype feature. If plugins are absolutely necessary, keepassxc supports KeepassHTTP protocol. Thus, it allows integration through browser addons such as ChromeIPass and PassIFox.
Warning: Upstream strongly advises to disable KeePassHTTP because of security issues. For more information see, pfn/keepasshttp/issues and keepassxreboot/keepassxc/issues.

Firefox

Firefox extension that links the browser to existing or new KeePass database. KeeFox needs to be setup before it is fully functional.

Extension allowing Firefox to form-fill passwords stored in KeePass.

Modifies window title to assist autotype feature.

Chrome/Chromium

Extension allowing Google Chrome and Chromium to form-fill passwords stored in KeePass.

Modifies window title to assist autotype feature. Similar to KeePass Helper for Firefox in function.

Nextcloud

Open Keepass stores inside Nextcloud

Yubikey

Yubikey can be integrated with KeePass thanks to contributors of KeePass plugins.

  1. StaticPassword
    Configure one of Yubikey slots to store static password. You can make the password as strong as 65 characters (64 characters with leading `!`). This password can then be used as master password for your KeePass database.
  2. one-time passwords (OATH-HOTP)
    1. Download plugin from KeePass website: http://keepass.info/plugins.html#otpkeyprov
    2. Use yubikey-personalization-gui-gitAUR to setup OATH-HOTP
    3. In advanced mode untick `OATH Token Identifier`
    4. In KeePass additional option will show up under `Key file / provider` called `One-Time Passwords (OATH HOTP)
    5. Copy secret, key length (6 or 8), and counter (in Yubikey personalization GUI this parameter is called `Moving Factor Seed`)
    6. You may need to setup `Look-ahead count` option to something greater than 0, please see thread for more information
    7. See video for more help
  3. Challenge-Response (HMAC-SHA1)
    1. Get the plugin from AUR: keepass-plugin-keechallengeAUR
    2. In KeePass additional option will show up under `Key file / provider` called `Yubikey challenge-response`
    3. Plugin assumes slot 2 is used

See Also