KeePass

From ArchWiki

KeePass is an encrypted password database format. It is an alternative to online password managers and is supported on all major platforms.

There are two versions of the format: KeePass 1.x (Classic) and KeePass 2.x.

Installation

There are three major implementations of KeePass, which are all available in the official repositories:

  • KeePass — A cross-platform password manager that has autotype and clipboard support when xdotool and xsel, respectively, are installed. It lets you import many formats and has many plugins.
http://keepass.info || keepass
  • KeePassX — Started as a Linux port of KeePass. keepassx2 uses the KeePass 2.x format, but can import 1.x databases. It also lets you import PwManager and KWallet XML databases. It does not support plugins [1].
https://www.keepassx.org/ || keepassx keepassx2
  • KeePassXC — Fork of KeePassX that aims to incorporate stalled pull requests that are not being merged into KeePassX.
https://keepassxc.org || keepassxc

Other lesser-known alternatives can be found in the AUR:

  • keepassc — A curses-based password manager compatible with KeePass v.1.x and KeePassX. It uses xsel for clipboard functions.
https://raymontag.github.io/keepassc/ || keepasscAUR
  • kpcli — A command line interface for KeePassX database files *.kdb.
https://sourceforge.net/projects/kpcli/ || kpcliAUR
  • keeweb — A web app (online / Electron) compatible with KeePass 2.x.
https://keeweb.info || keeweb-desktopAUR nextcloud-app-keewebAUR

Integration

Many plugins and extensions are available for integrating KeePass with other software.

Plugin Installation

By default, KeePass is installed at /usr/share/keepass/. Copy plugin.plgx to a plugins sub-directory under the KeePass installation directory as demonstrated below:

# mkdir /usr/share/keepass/plugins
# cp plugin.plgx /usr/share/keepass/plugins
Note: KeePassX does not support plugins on its master branch (at the time of writing, the KeePassX version is 0.4.4 and the KeePassX2 version is 2.0.2). An alternative is to use the global autotype feature. If plugins are absolutely necessary, keepassxc supports the KeePassHTTP protocol, which allows integration through browser add-ons such as ChromeIPass and PassIFox.
Warning: Upstream strongly advises disabling KeePassHTTP because of security issues. For more information, see pfn/keepasshttp/issues and keepassxreboot/keepassxc/issues.
Note: To mitigate the impact of the KeePassHTTP flaw, KeePassXC has issued a hotfix as of version 2.1.1. Some users consider the improvement good enough (1, 2) for practical purposes, as long as the system is not compromised. However, as there is still some risk involved, KeePassHTTP support is no longer enabled by default in KeePassXC.

Firefox

Firefox extension that links the browser to an existing or new KeePass database. KeeFox needs to be set up before it is fully functional.
Extension allowing Firefox to form-fill passwords stored in KeePass.
Modifies window title to assist autotype feature.

Chrome/Chromium

Extension allowing Google Chrome and Chromium to form-fill passwords stored in KeePass.
Modifies window title to assist autotype feature. Similar to KeePass Helper for Firefox in function.

Nextcloud

Open KeePass stores inside Nextcloud

Yubikey

Yubikey can be integrated with KeePass thanks to contributors of KeePass plugins.

  1. StaticPassword
    Configure one of the Yubikey slots to store a static password. You can make the password as strong as 65 characters (64 characters with leading `!`). This password can then be used as the master password for your KeePass database.
  2. one-time passwords (OATH-HOTP)
    1. Download the plugin from the KeePass website: http://keepass.info/plugins.html#otpkeyprov
    2. Use yubikey-personalization-gui-gitAUR to set up OATH-HOTP
    3. In advanced mode, untick `OATH Token Identifier`
    4. In KeePass, an additional option will show up under `Key file / provider` called `One-Time Passwords (OATH HOTP)`
    5. Copy secret, key length (6 or 8), and counter (in Yubikey personalization GUI this parameter is called `Moving Factor Seed`)
    6. You may need to set the `Look-ahead count` option to something greater than 0; please see thread for more information
    7. See video for more help
  3. Challenge-Response (HMAC-SHA1)
    1. Get the plugin from AUR: keepass-plugin-keechallengeAUR
    2. In KeePass, an additional option will show up under `Key file / provider` called `Yubikey challenge-response`
    3. The plugin assumes slot 2 is used
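
The OATH-HOTP parameters listed above (secret, key length, counter, look-ahead count) map directly onto RFC 4226. The following is an added example, not code from the OtpKeyProv plugin or from this page: it shows why a look-ahead count of 0 rejects a token whose counter has advanced without the code being used. The function names `hotp` and `verify` are hypothetical, and the secret is the RFC 4226 test key.

```python
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 4226 Appendix D test key, not a real token secret.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    if digits not in (6, 8):
        raise ValueError("key length must be 6 or 8 digits")
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret, stored_counter, otp, look_ahead=0, digits=6):
    """Return the next counter to store on success, or None on failure.

    Tries stored_counter .. stored_counter + look_ahead, so a token whose
    counter ran ahead (codes generated but never submitted) still validates.
    """
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), otp):
            return c + 1  # moving past c means this code cannot be replayed
    return None


if __name__ == "__main__":
    # The token generated three unused codes, so its counter is 3
    # while the verifier still stores 0.
    otp = hotp(SECRET, 3)
    print(verify(SECRET, 0, otp, look_ahead=0))  # rejected
    print(verify(SECRET, 0, otp, look_ahead=3))  # accepted, counter resynchronised
    print(verify(SECRET, 4, otp, look_ahead=3))  # replay of the same code rejected
```

Every extra step of look-ahead is one more code the verifier will accept at any moment, so keep the value only as large as the drift you actually see.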

Tips and tricks

Disable your clipboard manager

If you are an avid user of clipboard managers, you may need to disable your clipboard manager before you launch keepass and then restart your clipboard manager afterward.

See Also