KeePass
KeePass is an encrypted password database format. It is an alternative to online password managers and is supported on all major platforms.
There are two versions of the format: KeePass 1.x (Classic) and KeePass 2.x
Installation
There are three major implementations of KeePass, two are available in the official repositories:
-
KeePass — A cross-platform password manager that has autotype and clipboard support when respectively
xdotool
andxsel
are installed. It lets you import many formats and has many plugins.
- KeePassXC — Fork of KeePassX that is actively maintained and has additional features like browser integration, ssh agent support, yubikey support, a TOTP generator and KeeShare included. Also provides a CLI.
- KeePassX — Started as a Linux port of KeePass. keepassx2AUR uses the KeePass 2.x format, but can import 1.x databases. It also lets you import PwManager and KWallet XML databases. It does not support plugins. [1] No active development since 2016. [2]
- https://www.keepassx.org/ || keepassxAUR keepassx2AUR
Other lesser-known alternatives can be found in the AUR:
-
keepassc — A curses-based password manager compatible to KeePass v.1.x and KeePassX. It uses
xsel
for clipboard functions.
-
kpcli — A command line interface for KeePass database files
*.kdb
or*.kdbx
.
- keepmenu — Dmenu/Rofi frontend for Keepass database files.
- keeweb — A web app (online / Electron) compatible with KeePass 2.x. KeeWeb is the only version with default Sync support for major cloud services, Gdrive, Onedrive, Dropbox etc...
Integration
Many plugins and extensions are available for integrating KeePass to other software. KeePassX and KeePassXC do not have a plugin interface, but KeePassXC has various integrations built-in.
Plugin Installation in KeePass
KeePass is by default installed at /usr/share/keepass/
. Copy plugin.plgx
to a plugins sub-directory under the KeePass installation directory as demonstrated below:
# mkdir /usr/share/keepass/plugins # cp plugin.plgx /usr/share/keepass/plugins
Browser Integration
keepassxc-browser for KeepassXC
keepassxc-browser is the browser extension of KeePassXC’s built-in browser integration using native-messaging and transport encryption using libsodium. It was developed to replace KeePassHTTP, as KeePassHTTP’s protocol has fundamental security problems.
The developers provide the browser extension on
- Firefox Add-ons (for Firefox and Tor Browser) and
- in the chrome web store (for Chromium, Google Chrome, Vivaldi and Brave)
The source code and an explanation how it works can be found on GitHub, the KeePassXC developers provide a configuration guide on their website.
KeePassRPC / Kee
Kee (GitHub repo) is a browser extension for Firefox and Chromium which integrates KeePass through KeePassRPC, a KeePass plugin from the same developers.
The KeePass plugin is available from GitHub or from the AUR (keepass-plugin-rpcAUR).
The browser extension can be found on GitHub, Firefox Add-ons and the chrome web store.
KeePassHTTP for Keepass
The KeePassHTTP protocol uses a proprietary crypto protocol and is vulnerable to CBC padding oracle attacks. Also the key exchange is not encrypted and some implementations do not bind to localhost only. For more Information see [3], [4].
Due to these problems, KeePassHTTP should never be used remotely.
KeePassHTTP is available as plugin for KeePass. KeePassHTTP is not supported anymore in KeePassXC since version 2.4.0, keepassxc-browser is a secure replacement. KeePass users can use KeePassRPC as more secure alternative.
The Plugin can be found on GitHub and in the AUR (keepass-plugin-httpAUR, keepass-plugin-http-gitAUR). The KeePassHTTP GitHub repository has not seen any commits since 2017, the security flaws are known since 2016.
The browser extensions provided by the plugin developer, PassIFox and ChromeIPass, are currently (May 2019) not available on the respective Add-On-Stores.
There are alternative extensions available, e.g. KeePassHttp-Connector for Firefox and for Chromium/Chrome, but the corresponding GitHub repository is archived and marked deprecated.
via autotype feature
An alternative to having a direct channel between browser and KeePass(XC) is using the autotype feature. There are browser extensions which support this way by putting the page URL into the window name:
- KeePass Helper or TitleURL for Firefox
- Url in title for Chromium
Nextcloud
- Open Keepass stores inside Nextcloud
Yubikey
YubiKey can be integrated with KeePass thanks to contributors of KeePass plugins. KeepassXC provides built-in support for Yubikey Challenge-Response without plugins.
Configuration with KeePass
- StaticPassword
- Configure one of Yubikey slots to store static password. You can make the password as strong as 65 characters (64 characters with leading `!`). This password can then be used as master password for your KeePass database.
- one-time passwords (OATH-HOTP)
- Download plugin from KeePass website: http://keepass.info/plugins.html#otpkeyprov
- Use yubikey-personalization-gui-gitAUR to setup OATH-HOTP
- In advanced mode untick `OATH Token Identifier`
- In KeePass additional option will show up under `Key file / provider` called `One-Time Passwords (OATH HOTP)
- Copy secret, key length (6 or 8), and counter (in Yubikey personalization GUI this parameter is called `Moving Factor Seed`)
- You may need to setup `Look-ahead count` option to something greater than 0, please see thread for more information
- See video for more help
- Challenge-Response (HMAC-SHA1)
- Get the plugin from AUR: keepass-plugin-keechallengeAUR
- In KeePass additional option will show up under `Key file / provider` called `Yubikey challenge-response`
- Plugin assumes slot 2 is used
SSH Agent
KeePassXC offers SSH Agent support, a similar feature is also available for KeePass using the KeeAgent plugin.
The feature allows to store SSH keys in KeePass databases, KeePassXC/KeeAgent acts as OpenSSH Client and dynamically adds and removes the key to the Agent.
The feature in KeePassXC is documented in its FAQ.
ssh-add -d
or ssh-add -D
, therefore KeePassXC/KeeAgent cannot remove them when locking the database. [5] [6] Tips and tricks
Disable your clipboard manager
If you are an avid user of clipboard managers, you can may need to disable your clipboard manager before you launch keepass and then re-start your clipboard manager afterwards.