[Guide] Locally Synchronized Password Management with KeePass XC/DX + Syncthing

Let's get things out of the way first. I do not work within the tech industry; I am just a regular tech enthusiast. I have also used only one other password manager previously (Dashlane). This current technique seems to work well for me and my use case for now, and I have no need for other features at this time. Now, you can use Bitwarden to simplify all this. But it runs on the cloud and personally, I distrust the cloud in general because they give the impression that you are in control, when in fact you really do not know if you are in control. I also do not have any running servers that run/test a local copy of Bitwarden.

Basic internet hygiene these days requires us to use unique emails/logins and unique passwords for EVERY ONLINE ACCOUNT that you have. Because I swear, almost every week, we hear of major breaches left and right, never mind the small-ish leaks by minor internet companies that happen all the time. Simply put: If you are recycling account names and passwords on the internet, you are doing it wrong. It would leave you open to phishing, account theft/hijacking, etc.

With that, let's get to the things we need in this system:

  1. Email - ProtonMail/Tutanota/RiseUp/Disroot/etc… something that is, hopefully, not Google or Yahoo
  2. KeePass XC - For your PC password management
  3. KeePass DX - For your mobile password management
  4. Syncthing - Local file synchronization (may be optional. I suggest that you install and use it as well). No iOS support at this time. Apologies, this may work with other file-sync services.
  5. Disposable Email Aliases (optional) - 33mail is what I use to funnel all miscellaneous accounts into.

First things first: Set up a new email account/s from any of the privacy-respecting services like those listed above. Your choice of mail providers may vary depending on your needs. If you have no idea where to start, you may use https://www.privacytools.io/classic/#email as a starter reference.

Do set up more than one email account! One to segregate/isolate emails for giving out to financial institution/s and another for general use. These will be your new email accounts. Choose a different username from the one you have over at Google Mail. Bonus points if you do enable 2-factor authentication for all new email accounts.

Now comes the tedious part: Try to recall/find all the accounts you registered under your old emails. Do a search with the keywords “accounts” and “registration” to filter the emails you have. I was lucky in that I had the habit of moving all new registration emails to a separate folder in my email accounts. Coming from Dashlane, I cheated and used a feature where Dashlane scans your email accounts to look for accounts used to register into various online services. Looking back, it was not wise to let a 3rd party scan your personal emails, especially if they are hosted in one of the Five Eyes nations (or Fourteen+ Eyes).

Start KeePass XC - Save a new KeePassXC database file on your computer and remember where it is. Use a reasonably secure password/passphrase for it THAT YOU CAN REMEMBER. The security of the whole technique depends on this. Passwords vs passphrases may be up for debate and I will leave that to your decision. Put a new entry in this program for every email/account you previously had and write down its corresponding password. Now go clear your browser history. Hopefully you are using Firefox. CTRL+SHIFT+DEL. Check all boxes, set time range to clear - Everything. The rule is, if you log in and use a service, go change the password, username (when possible) and email.

For the password, use the password generator (Dice Icon) feature of KeePass XC. 50+ characters would be reasonable enough for me. Feel free to increase the length to your heart's desire (or up to the server’s limit).

There are usability limitations to consider. There have been instances where I had to manually type the password in my mobile device, and this was a painful experience to say the least, especially for long passwords. This is why it may be wise to use the “Exclude look-alike characters” option under the advanced button. I also do not include the extended ASCII because I do not know how to type them manually when the need arises. Both of these would decrease the entropy of your password, but if you are running more than 50 characters, this may not matter much (feel free to correct me if I am wrong).
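To put numbers on the entropy trade-off discussed above, here is an added example (not part of the original guide and not KeePassXC's code) that compares a 50-character random password drawn from printable ASCII with and without look-alike characters. The `LOOKALIKES` set is an assumption for illustration; KeePassXC's exact exclusion list may differ.

```python
import math
import secrets
import string

# Assumption for illustration: characters treated as look-alikes.
# KeePassXC's own exclusion list may differ between versions.
LOOKALIKES = set("0O1lI|")

def build_alphabet(exclude_lookalikes: bool) -> str:
    """Printable ASCII letters, digits and punctuation (no extended ASCII)."""
    chars = string.ascii_letters + string.digits + string.punctuation
    if exclude_lookalikes:
        chars = "".join(c for c in chars if c not in LOOKALIKES)
    return chars

def entropy_bits(length: int, alphabet: str) -> float:
    """Entropy of a password whose characters are drawn uniformly at random."""
    return length * math.log2(len(set(alphabet)))

def min_length(target_bits: float, alphabet: str) -> int:
    """Shortest length that reaches target_bits with this alphabet."""
    return math.ceil(target_bits / math.log2(len(set(alphabet))))

def generate(length: int, alphabet: str) -> str:
    """Draw each character independently from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def compare(length: int = 50) -> dict:
    """Side-by-side figures for the full and the reduced alphabet."""
    full, reduced = build_alphabet(False), build_alphabet(True)
    return {
        "full_size": len(full),
        "reduced_size": len(reduced),
        "full_bits": entropy_bits(length, full),
        "reduced_bits": entropy_bits(length, reduced),
        "min_len_128_full": min_length(128, full),
        "min_len_128_reduced": min_length(128, reduced),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
    print("sample:", generate(50, build_alphabet(True)))
```

With these assumptions the reduced alphabet costs under 5 bits at 50 characters, and both alphabets reach 128 bits at the same length.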

For the username, I now utilize the generate passphrase function of KeePass XC; I set it to 2-3 words and use what comes out. Most of the time I am picky and choose what sounds fun, so I press generate several times and choose to my whims. For this account, I am “astronaut supplier” and that came out of the generator as well.

For the email, I recommend using 33mail to generate aliases and forward to your “general usage” email, so that you can block off spammy accounts, instead of registering several free Protonmail accounts (which, by the way, you cannot do easily). So go register at 33Mail.com.

It works like this: Let's say I sign up for destinationlinux.network. The email I would use for that may be dlnusername@myaccountname.33mail.com instead of your actual general usage email. From this point on, ALL new accounts should be made this way to make each one unique and isolated.

You can install KeePass DX for your Android phone via F-Droid and it can open the same KeePass XC database for your mobile usage. Now, ideally you retype your whole password/passphrase each time you open the database to keep it secure, but the DX fork of KeePass has the option to store your fingerprint as the key for your password/passphrase. Whether using this feature is wise, I leave it to your discretion/threat model.

We can end this here and now and use a USB wire to connect and transfer the KeePass database files to your cellphone as needed. But since that is tedious and can wear out your USB wire and/or ports, I strongly suggest that you use Syncthing to synchronize it all. I use it to synchronize important stuff between my computers and LineageOS/Android cellphone. One of those files I synchronize is my KeePassXC database file. Add your mobile device/s to Syncthing. Make a synced folder on your mobile device and another somewhere in your home directory. Let them use the same folder ID. Set versioning to whatever you want. You may need this in the future. I have set mine to simple versioning with 5 copies. You can see the old copies inside the hidden .stversions directory in your synced folder.
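If the database is saved on two devices before they sync, Syncthing keeps one copy as the database and renames the other to a `.sync-conflict-` file, so new entries can sit in a copy you never open. The following added example (not part of the original guide) audits a synced folder for conflict copies and lists the retained versions in `.stversions`; the file name `Passwords.kdbx` and the sample folder contents are constructed.

```python
import re
import tempfile
from pathlib import Path

# Syncthing conflict copy: <name>.sync-conflict-<date>-<time>-<device>.<ext>
CONFLICT = re.compile(r"^(.+)\.sync-conflict-(\d{8}-\d{6})-([A-Z0-9]+)(\.[^.]+)?$")
# Versioned copy in .stversions: <name>~<date>-<time>.<ext>
VERSION = re.compile(r"^(.+)~(\d{8}-\d{6})(\.[^.]+)?$")

def audit(folder: Path, db_name: str) -> dict:
    """Report conflict copies and retained versions of one database file."""
    stem, ext = Path(db_name).stem, Path(db_name).suffix
    conflicts, versions = [], []
    for p in folder.iterdir():
        m = CONFLICT.match(p.name)
        if m and m[1] == stem and (m[4] or "") == ext:
            conflicts.append({"file": p.name, "when": m[2], "device": m[3]})
    vdir = folder / ".stversions"
    if vdir.is_dir():
        for p in vdir.iterdir():
            m = VERSION.match(p.name)
            if m and m[1] == stem and (m[3] or "") == ext:
                versions.append({"file": p.name, "when": m[2]})
    return {
        "db_present": (folder / db_name).is_file(),
        # A conflict copy may hold entries missing from the main database.
        "conflicts": sorted(conflicts, key=lambda c: c["when"]),
        "versions": sorted(versions, key=lambda v: v["when"], reverse=True),
    }

def build_sample(root: Path) -> Path:
    """Constructed sample folder; every name here is made up."""
    (root / ".stversions").mkdir()
    for name in ("Passwords.kdbx",
                 "Passwords.sync-conflict-20240312-081500-ABCDEFG.kdbx",
                 "notes.sync-conflict-20240312-081500-ABCDEFG.txt",
                 ".stversions/Passwords~20240310-210000.kdbx",
                 ".stversions/Passwords~20240311-070000.kdbx"):
        (root / name).write_bytes(b"")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = audit(build_sample(Path(tmp)), "Passwords.kdbx")
        print(report["db_present"], len(report["conflicts"]),
              report["versions"][0]["file"])
```

When a conflict copy shows up, KeePassXC's database merge function can fold it back into the main database before you delete it.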

And that's it. You now have a locally synchronized password management system without utilizing the cloud. A few notes, however: it might not be wise to have your 2FA device and your password manager in the same device, particularly if you are using the same cellphone as your 2nd authentication. Ideally this should be a “Wifi-only device” like a tablet (with no cellular capability of any sort) or an iPod Touch.