I just use Syncthing and sync the one keepass file between my laptop, desktop, phone, tablet and server. Too easy. Always available
I do the same thing but with nextcloud.
Well, I guess with so many people recommending syncthing, I'll have to look at it as well.
I'm using sftp in Keepass2Android to sync the file while I'm at home. When I'm not at home, it uses the local copy on the phone.
When the password file has changed on my home server and on the phone, Keepass2Android will ask if it should merge the databases. I'm not sure what Syncthing would do in that situation.
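On the merge question above, as an added example that is not part of the thread: Syncthing does not merge diverged files; it keeps both versions and renames one to `<name>.sync-conflict-<date>-<time>-<device>.<ext>`. The sketch below lists such copies per database so they can be merged by hand; the function name and the folder layout are assumptions for illustration.

```python
import re
from collections import defaultdict
from pathlib import Path

# Syncthing conflict copy: <name>.sync-conflict-<YYYYMMDD>-<HHMMSS>-<device>.<ext>
# (the device suffix is treated as optional, since older releases omitted it)
CONFLICT_RE = re.compile(
    r"^(?P<stem>.+)\.sync-conflict-(?P<date>\d{8})-(?P<time>\d{6})"
    r"(?:-(?P<device>[A-Z0-9]+))?\.kdbx$"
)


def find_kdbx_conflicts(folder):
    """Map each database file name to the conflict copies lying next to it."""
    conflicts = defaultdict(list)
    for path in sorted(Path(folder).iterdir()):
        m = CONFLICT_RE.match(path.name)
        if not m:
            continue  # a normal database or an unrelated file
        conflicts[m["stem"] + ".kdbx"].append({
            "file": path.name,
            "stamp": m["date"] + "-" + m["time"],
            "device": m["device"],  # short ID of the device that made the change
        })
    return dict(conflicts)


if __name__ == "__main__":
    # Hypothetical synced folder; adjust to where the .kdbx files live.
    for db, copies in find_kdbx_conflicts(Path.home() / "Sync" / "keepass").items():
        print(f"{db}: {len(copies)} unmerged conflict copy/copies")
        for c in copies:
            print(f"  {c['file']} (changed {c['stamp']} by {c['device']})")
```

Any copy it reports holds entries that exist on one device only until it is merged back into the main database, for example with KeePassXC's database merge feature.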
On my computer, I usually have KeePassXC unlocked for the entirety of being logged in.
Honestly, it sounds like you can solve the issue by only logging in when you need a password and setting the database to lock when minimised or your screen locks.
Now I know that makes using it more annoying but you can enable quick unlock so after your first login of the day you only have to use a pin or to unlock the database.
Is it possible to enable PIN on desktop? I can't find that option.
Just use multiple database files (e.g. one for unimportant, one for important) and automate the syncing with syncthing or something so the lazy doesn't matter...
So what you want to do, effectively, is to have different security requirements for different accounts. Correct? And all in the same file.
For now I just want to get a few things out of the way:
- with this strategy, what are you protecting against?
- how likely is this to happen?
- what is your contingency plan?
I believe it's good to have different levels of security for different things, but you also have to understand at what cost you need it.
I can propose a different thing altogether: for the very important passwords, like banks and such, use the pepper method. This means you have part of your password in your password manager, and a small portion is something you know. Example: generate a 25-char password, and have at the beginning or end 5 more chars that you know (can be letters and numbers, and can be something you remember every day, like the first letters of your address plus house number).
With this approach, there are a couple of benefits:
- you can still have computationally heavy passwords
- if an attacker gets a hold of your open vault and tries to log in, it will fail since the password is effectively not complete
Biggest downside I see is remembering the pepper always. And make sure it is not written anywhere. And of course, you can always argue it is possible at some point to get the correct password with the base password known. But at this point, this should give you enough time to change it and thwart the attack. Remember: there is no perfect security solution, only sufficiently good ones that can be usable and effective.
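The pepper scheme described above, as an added example that is not part of the original comment: it builds the stored part and the full password, then bounds how much guessing work is left for someone who already holds the vault entry. The function names, the 36-symbol pepper alphabet and the guess rate are assumptions for illustration.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols for the stored part


def generate_stored_part(length=25):
    """Random part that is saved in the password manager entry."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def full_password(stored, pepper, pepper_first=False):
    """What is actually set on the site: stored part plus memorised pepper."""
    return pepper + stored if pepper_first else stored + pepper


def residual_bits(pepper_len, alphabet_size, positions=2):
    """Upper bound on the guessing entropy left once the stored part is known.

    positions=2: the pepper may sit at the beginning or at the end.
    Assumes a uniformly random pepper; one built from personal details
    (address, house number) has less.
    """
    return pepper_len * math.log2(alphabet_size) + math.log2(positions)


def days_to_exhaust(bits, guesses_per_day):
    """Worst-case days to try every candidate at a given online guess rate."""
    return 2 ** bits / guesses_per_day


if __name__ == "__main__":
    stored = generate_stored_part()
    print("vault entry :", stored)
    print("site secret :", full_password(stored, "ab12c"))  # constructed pepper
    for n in (3, 5, 8):
        bits = residual_bits(n, 36)  # lowercase letters + digits
        # 100 guesses/day is an assumed lockout policy, not a measured one
        print(f"{n}-char pepper: {bits:.1f} bits, "
              f"{days_to_exhaust(bits, 100):,.0f} days at 100 guesses/day")
```

The figures only hold where guesses must go through the site's login; if the site's password hashes leak, the remaining 5 characters can be tested offline at a far higher rate.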
This is not what you asked but I use Bitwarden for unimportant passwords and KeePass for important ones. I actually keep the keybase database on an external drive that I only plug in when I use it.
KeePassXC has an option for shared database.
https://keepassxc.org/docs/KeePassXC_UserGuide#_database_sharing_with_keeshare
Most methods for syncing a file also let you sync a whole directory of files (for example syncthing).
So if your main issue is keeping them on sync across devices, keep different kdbx files in the same directory and sync that.
However, I've found that switching between databases is not very convenient with most keepass clients. So I tend to only keep separate files when the context is really different and I won't need to be switching back and forth (eg. personal vs work).
So I'd like to split my passwords file into multiple "files", where the unimportant logins are permanently unlocked for convenience, while the more sensitive login credentials remain encrypted until I actually need them.
And how should that protect you against an attack that has compromised your system? If the system is compromised, then an additional lock does not hinder the attacker from waiting until you open it.
The idea is that I'd recognize a compromised system. Not perfect, but good enough. I don't need to log into my bank account every day. But I will log into lemmy daily. So if a credential stealer + encrypter gets onto my system, I will most likely not have my sensitive passwords stolen. If the malware keeps a low profile, this won't help, but most malware won't.
You could make the syncing automated with syncthing for example.
I don't think KeePassXC will do exactly what you want to do.
Like, you'd want one database to have an Unimportant Passwords group and an Important Passwords group, with the Important Passwords group having an additional password. It doesn't seem to want to do that.
If I were you, I would leave KeePassXC locked until you need it for anything.
If you do decide to keep two KeePass database files, or hell even if you only keep one, I recommend using something like Syncthing to sync them across multiple devices.
Syncthing has been discontinued for android. Or so I heard.
From the Play Store, it's available on F-Droid.
The official Syncthing app is no longer on F-Droid either. Syncthing-Fork is and will continue to be supported.
How about a cheaper and easier solution? Get a fingerprint sensor, use this one to unlock the database each time you use it. Fast, comfortable, secure. Got mine directly beside the keyboard.