Password vaults and how to securely store them

Question: if you have machines, located in several locations, and you use keepass as your password manager, how would you go about making that keepass vault available to all machines and updated in real time?
For the moment, I use thumb drives. They have their problems. When I forget the drive, I don’t have my vault with me.
I’ve been looking at online storage, but that presents the problem that the data isn’t in your possession.
How would you go about this?

Syncthing would be a good option I think. You could share a folder with the keepass database between devices at home and it will keep everything in sync. I don’t know how secure it is if you intend to use it outside of the local network, but iirc there are Syncthing relays through which you don’t need to open ports on your router to expose your Syncthing, and anyhow it only syncs between devices you manually link up and confirm on both ends. Haven’t tried it over WAN yet though, I’m keeping it in my local network.

Hey @marvkal, thanks for the info.
I’ll go and have a look at that.
Edit: I had a quick look at Syncthing and it looks promising. I’ll give it a go this weekend and report back.

I’m not sure how keepass works (I would keep all the info in a text file which was encrypted by gpg). Either way, then I would set up a crontab entry to stat the file about every 30 minutes. Check the result against a stored result of the prior check. If there is a difference, secure copy (scp) the file to the various locations.

stat --format "%Y" my_info.txt.gpg

Let me know if you need this unpacked more.
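The cron-driven stat/compare/scp loop described in the post above, written out as an added example (not the poster's own script). It assumes GNU stat (as in the post), ssh keys already in place for scp, placeholder destination hosts, and a cron line such as `*/30 * * * * /path/to/vault-sync.sh run`; the copy command is overridable so the change-detection logic can be exercised locally.

```shell
#!/bin/sh
# Sync a gpg-encrypted vault (or a .kdbx) to other hosts only when its
# modification time differs from the one recorded at the last check.

VAULT="${VAULT:-$HOME/my_info.txt.gpg}"     # the encrypted file to distribute
STATE="${STATE:-$HOME/.vault-sync.mtime}"    # where the last-seen mtime is stored
COPY_CMD="${COPY_CMD:-scp -q}"               # override with e.g. "cp" for an offline dry run
# Placeholder targets (hypothetical hosts); one scp destination per word.
DESTS="${DESTS:-user@host-a.example:vault/ user@host-b.example:vault/}"

# current_mtime FILE -> prints the file's mtime in seconds since the epoch
current_mtime() {
    stat --format "%Y" "$1"
}

# vault_changed FILE STATEFILE -> exit 0 if the mtime differs from the stored
# one (or nothing has been recorded yet); exit 2 if the vault is missing.
vault_changed() {
    now=$(current_mtime "$1") || return 2
    prev=$(cat "$2" 2>/dev/null || echo "")
    [ "$now" != "$prev" ]
}

# sync_vault FILE STATEFILE -> copy to every destination only when changed.
# The mtime is recorded only if every copy succeeded, so a failed transfer
# (host down, bad key) is simply retried on the next cron run.
sync_vault() {
    vault_changed "$1" "$2" || return 0      # nothing to do (or no file to sync)
    ok=1
    for dest in $DESTS; do
        $COPY_CMD "$1" "$dest" || ok=0
    done
    if [ "$ok" -eq 1 ]; then
        current_mtime "$1" > "$2"
        return 0
    fi
    return 1
}

# Only perform the sync when invoked as "vault-sync.sh run" (e.g. from cron),
# so the file can also be sourced to reuse the functions.
if [ "${1:-}" = run ]; then
    sync_vault "$VAULT" "$STATE"
fi
```

Note that this distributes whatever mtime is newest from one machine; edits made on two machines between runs are not merged, which is the case Syncthing's versioning handles for you.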

Maybe you can use an online service like bitwarden and secure it with a hardware key?

I know you forget your thumb drive, but unlocking the database shouldn’t take long to plug and unplug for you to forget. Maybe put it with a secure string/wire hooked to your pants or something.

Either try above or use Syncthing. It works fine, albeit slow over the internet. Do consider this if you have a giant keepass DB.

Also don’t forget to enable version copies on your Syncthing. Keep more than 5 versions of it so if 1 copy gets corrupted somehow, you get backup copies. Also keep an air gapped copy just in case.

Thanks for the help and suggestion.
The how / what / where: https://en.wikipedia.org/wiki/KeePass
I’m running KeepassX, but there are only slight differences.
I love this and have been using it for years. It has never failed me.
I haven’t had the time yet to have a look at either Syncthing or a crontab entry, but am planning to do so in the upcoming week. :worried:

I could go the BitWarden route, but I’m having trouble with trust. Can you trust them with all your passwords? Essentially, they hold the keys to your life. I’m paranoid about these things, I know, but still.
I feel better if I have control over where the vaults are and how they are being transported etc.
Thank you for the tips regarding Syncthing. The vaults aren’t that big, so it shouldn’t take all that long, I guess.
The air-gapped copy is already in place. :grinning:
I’ll know more next week.

FYI, when it comes to security, I always gravitate back to this guy whom I consider to be a significant voice of authority and experience in the industry. I hit the search on past episodes and turned up his recent revisit of password managers:

Indeed, I’ve found him also some time ago and have been a fan ever since. It was after listening to his podcast that I made the switch to leave Gmail etc…
Thank you for the info, I haven’t heard this episode yet, but I shall very soon.

@MarkofCain I’ve listened to the episode and it seems I’m on the right track.
Like I said in the topic started by @snorlax, I’ve set up Syncthing across multiple devices and deployed a VeraCrypt container which holds the keepass vault.
Problem solved.
Offline backups too, of course.

Use Bitwarden instead :smiley: https://bitwarden.com/dln

By the way, this is not a snarky joke about “just use Bitwarden” because it is a sponsor of DLN, but also because this is one of the fundamental reasons why KeePass and all of the forks are not worth using in my opinion. Bitwarden solves all of the issues with KeePass (and forks) while also adding a bunch of other benefits. I would have also said this a year ago when they weren’t a sponsor too, because it’s just a much better option in my opinion.

I trust Bitwarden because they open sourced their code and also have it audited on a regular basis. This is not a frontend-only open source either, it’s fully open source, which also means yes, you can self-host Bitwarden if you want to.

As for the data on their servers if you don’t self-host: they encrypt the data locally with your passkey, so the thing they store is encrypted gibberish, not actual data. This way the only person who can view your data is you or, well, I guess anyone else that has your passkey.

FYI, Michael Bazzell suggests Bitwarden with a hardware YubiKey for anyone who wants roaming password access.

Thank you @MichaelTunnell and @MarkofCain for the useful tips.
Right now, everything is going fine via Syncthing, but I’ll go and have a look at Bitwarden + YubiKey.

To self-host you have to acquire a host key, which they use to (among other things) validate licensing of paid features.

I believe this is also a requirement for bitwarden-rt, which is the community rewrite of the Bitwarden server in Rust. And I agree that $10 per year isn’t much, but one of my personal reasons to self-host would be the financial savings (aka first trying features out, like integrated TOTP codes). Again, the savings aren’t much, but on another note: how would I be guaranteed that the premium features would still work if Bitwarden, Inc. would go belly-up?

So I’m in the position to go back to KeePass(DX) :smirk: