Managing credentials with KeePassXC

A previous article discussed password management tools that use server-side technology. These tools are very interesting and suitable for a cloud installation.
In this article we will talk about KeePassXC, a simple multi-platform open source software that uses a local file as a database.
The main advantage of this type of password management is simplicity. No server-side technology expertise is required and can therefore be used by any type of user.

Introducing KeePassXC

KeePassXC is an open source cross platform password manager: its development started as a fork of KeePassX, a good product but with a not very active development. It saves the secrets in an encrypted database with AES algorithm using 256 bit key, this makes it reasonably safe to save the database in a cloud drive storage such as pCloud or Dropbox.

In addition to the passwords, KeePassXC allows you to save various information and attachments in the encrypted wallet. It also has a valid password generator that helps the user to correctly manage his credentials.

Installation

The program is available both in the standard Fedora repository and in the Flathub repository. Unfortunately the integration with the browser does not work with the application running in the sandbox, so I suggest to install the program via dnf:


sudo dnf install keepassxc

Creating your wallet

To create a new database there are two important steps:

  • Choose the encryption settings: the default settings are reasonably safe, increasing the transform rounds also increases the decryption time.
  • Choose the master key and additional protections: the master key must be easy to remember (if you lose it your wallet is lost!) but strong enough, a passphrase with at least 4 random words can be a good choice. As additional protection you can choose a key file (remember: you must always have it available otherwise you cannot open the wallet) and / or a YubiKey hardware key.

The database file will be saved to the file system. If you want to share with other computers / devices you can save it on a USB key or in a cloud storage like pCloud or Dropbox. Of course, if you choose a cloud storage, a particularly strong master password is recommended, better if accompanied by additional protection.

Creating your first entry

Once the database has been created, you can start creating your first entry. For a web login specify a username, password and url in the Entry tab. Optionally you can specify an expiration date for the credentials based on your personal policy: also by pressing the button on the right the favicon of the site is downloaded and associated as an icon of the entry, this is a nice feature.

KeePassXC also offers a good password / passphrase generator, you can choose length and complexity and check the degree of resistance to a brute force attack:

Browser integration

KeePassXC has an extension available for all major browsers. The extension allows you to fill in the login information for all the entries whose URL is specified.

Browser integration must be enabled on KeePassXC (Tools menu -> Settings) specifying which browsers you intend to use:

Once the extension is installed, it is necessary to create a connection with the database. To do this, press the extension button and then the Connect button: if the database is open and unlocked the extension will create an association key and save it in the database, the key is unique to the browser so I suggest naming it appropriately :

When you reach the login page specified in the Url field and the database is unlocked, the extension will offer you all the credentials you have associated with that page:

In this way, browsing with KeePassXC running you will have your internet credentials available without necessarily saving them in the browser.

SSH agent integration

Another interesting feature of KeePassXC is the integration with SSH. If you have ssh-agent running KeePassXC is able to interact and add the ssh keys that you have uploaded as attachments to your entries.

First of all in the general settings (Tools menu -> Settings) you have to enable the ssh agent and restart the program:

At this point it is required to upload your ssh key pair as an attachment to your entry. Then in the “SSH agent” tab select the private key in the attachment drop-down list, the public key will be populated automatically. Don’t forget to select the two checkboxes above to allow the key to be added to the agent when the database is opened / unlocked and removed when the database is closed / locked:

Now with the database open and unlocked you can log in ssh using the keys saved in your wallet.

The only limitation is in the maximum number of keys that can be added to the agent: ssh servers do not accept by default more than 5 login attempts, for security reasons it is not recommended to increase this value.

Using Software

22 Comments

  1. In your ssh config, you can specify a public key for the IdentityFile option instead of the private key.

    If you have tons of keys in your agent, that gets around the 5 key limitation as specifying the public key works quite well with the agent.

    Try it with ssh -vv. It will be the first key tried.

    • Johannes

      Exactly. I think you could also add

      Hosts *
      IdentitiesOnly yes

      to your ~/.ssh/config file to work around the maximum keys limitation

  2. Patrick

    Thanks for this article. Typo: Ubikey -> Yubikey
    Besides a Yubikey you can also use a Nitrokey.

  3. Joshua

    KeePassXC challenge-response will also support the OnlyKey in version 2.5, which gives you reliable (not time based) MFA for your password database.

  4. Walter

    A bit offtopic, but anyway…
    I have about 100 logins/passwords saved in Firefox and am not willing to re-enter them into the keepassxc-database.
    Is it possible to import them right from key4.db file ?
    I failed to export the passwords from Firefox with pw-exporter or the like.

  5. Spurdo

    Can you recommend an iPhone app to read keepassxc containers?

  6. hammerhead corvette

    KeePassXC has been a blessing for me. I came over to Linux some years ago with a password file in a crypt of my own making (Lol). The Auto Type feature is good, and i typically save my db’s to Mega and sync them across several devices. All you have to do is close you db, mount the new one and you are good to go ! The browser implementation is great. Some sites require me to occasionally Redetect login fields but that is one click away.

  7. Nathan D

    I was using Keepassx and Keepassxc for years. I just switched to Buttercup.pw to try it out.

    It’s worth a check for anyone interested in a password management tool. You can import from Keepassx without issues too.

  8. Max

    I believe that with KeePassXC you have a more flexible design of your security level. Having the database in an airgapped vm, a file in your dropbox for your phone, mac, Linux, windows needs, etc.

    It’s all about choice. And maybe KeePassXC wil come for iPhone one day. that’s the only thing needed.

    I decided to use, for password manager, the test repository, because I’d rather have the app not working, instead of having a security issue. But that’s just me 🙂

    https://www.militant.dk/2019/06/10/keepassxc-2-4-2-on-fedora-30/

    Sincerely
    Max

  9. Serge Meeuwsen

    Nice overview and I would love to migrate back to keepassXC and use the YubiKey; The only thing holding me back is the fact that there doesn’t seem to be an Android / iOS version of keepassXC supporting the Yubikey as well…

  10. Krzysztof

    What’s the advantage of using KeePass over saving passwords in Firefox? Firefox password just works on any device set up with Firefox Sync. For KeyPass I have to set it up on all devices (including Dropbox for storing the password database file)

    • FOOBAZ

      I second this, plus Firefox Lockwise works great on my android phone, I can unlock and autofill passwords in different apps using its fingerprint sensor.

    • The main advantage is, that you can also use Keepass for storing non browser related credentials like the mentioned ssh keys or even credit card Pin numbers. Or for example login combinations for remote connections (RDP) or virtual machines.
      Also it is possible to store entire documents or files as attachments (like a scanned copy of your ID) inside the Keepass database.

  11. Kuba

    It supporting webdav or nextcloud sync?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions

%d bloggers like this: