
Switching to KeePass and Syncthing for password management

Scott

I have wanted to tighten up my password management for a while now. Until recently I had been using Firefox Lockwise, an excellent free service from a company dedicated to open source. That said, I wanted a solution that I own, where my passwords are only ever stored on my devices.

When it comes to password management and open source, KeePass tends to be the name you hear, so I decided on that. Using KeePass means that I own the database. It also means that I had to find a way of syncing that database between devices...

My requirements:

  • Wholly self owned solution to sync my KeePass db file between multiple machines
  • Sync/Receive from anywhere
  • Little to no maintenance
  • Secure

Research/Thought Process:

  • A quick online search recommends using a service like Dropbox, or Google Drive.
    • I dismissed this, because it was a centralized service out of my control. If I was ok with that I might as well have stayed with Firefox Lockwise.
  • I thought about a cron based rsync solution...
    • I dismissed this pretty quickly: there were too many moving parts (an always-reachable host, SSH keys on every device, a scheduler), and I couldn't find a way to make it work with a locked Android device.
  • I considered setting up my own NextCloud (or similar) service...
    • I dismissed this because it was too much work from a security/maintenance standpoint, and would cost money to deploy
  • Decided on Syncthing!

Syncthing

I found Syncthing while searching for Nextcloud/alternatives and initially dismissed it, but came back to it after dissatisfaction with NextCloud/alternatives.

Syncthing in a nutshell

  • Encrypts all traffic between devices by default (TLS; each device has its own key pair, and the device ID is derived from its certificate)
  • Monitors folders registered to Syncthing for changes (filesystem watcher plus periodic rescan)
  • Identifies remote devices by device ID; it only talks to devices you have explicitly added
  • Shares each folder with a chosen set of those devices
  • Finds peers through discovery servers or local network broadcast, then connects directly whenever it can
  • Falls back to a relay only when no direct connection is possible; relayed traffic stays encrypted end to end, so the relay never sees file contents
  • Exchanges file changes directly with the remote device, so no server ever holds a copy of the database
  • The device ID is the trust anchor: adding a device by ID is what authorises it to receive your folder, so read the ID off the other device's own screen rather than trusting whatever appears in a pending-device prompt

Installation on Fedora

sudo dnf install syncthing

Start the Fedora Instance

systemctl --user enable syncthing
systemctl --user start syncthing

The web GUI then listens on 127.0.0.1:8384 and has no password by default. If anyone else can reach that port (a shared machine, or if you bind the GUI to another address), set a GUI user and password under Actions > Settings > GUI first.

Installation Android

  • Install via the Google Play Store, link available here.

Get your Device IDs

Android

  1. Open the app
  2. Tap the menu icon, tap Show Device ID, and record the ID

Fedora

  1. Open localhost:8384 in your browser
  2. Click Actions, then Show ID, record the ID

Configure Devices

Android

  1. From the main screen tap the Devices tab, then the add (+) button in the top right
  2. Input the Fedora system's Device ID and add a Name, then tap the save (✓) icon

Fedora

  1. Click the Add Remote Device button under the Remote Devices heading.
  2. Input the Android Device ID and add a Name, then click Save

Adding Shared Folders

Android

  1. From the main screen tap the Folders tab, then the add (+) button in the top right
  2. Fill in the 🏷️ Folder Label, 🔑 Folder ID, and 📁 Directory. Remember your 🔑 Folder ID.
  3. Tap to enable the slider for your Fedora device name.
  4. Tap the save (✓) icon

Fedora

  1. Under the Folders section, select Add Folder
  2. Fill in Folder Label, Folder ID, and Folder Path, where Folder ID is the same as the 🔑 Folder ID on Android.
  3. Click the Sharing tab, and tick the checkbox next to your Android device name.
  4. Click Save

Once both devices' configurations were saved, I placed my KeePass database file in the Folder Path on my Fedora installation and watched it sync to the phone within short order.

Notable Issues

  • The .stfolder directory on my phone tends to be deleted on restart, causing an error. Creating an empty .stfolder in your sync directory seems to fix this. (The marker exists so that Syncthing stops rather than deleting everything when the folder's storage vanishes, e.g. an unmounted SD card; the "folder marker missing" error is that safety check firing.)
  • Modifying the same file from two different devices at the same time results in a conflict. Nothing is deleted: the copy with the newer modification time keeps the original name, and the older one is renamed to <name>.sync-conflict-<date>-<time>-<device>.<ext> next to it. Syncthing cannot merge them because the database is encrypted, so merge manually in KeePass (File > Synchronize > Synchronize with File) and then delete the conflict copy, because conflict copies propagate to every device too. Turning on File Versioning for the folder also keeps older copies of the database around if a bad sync ever overwrites it.
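
To make the conflict case above concrete, here is a small triage script. It is an added example, not code from the original post, Syncthing or KeePass. It assumes two documented formats: Syncthing's conflict naming (`<name>.sync-conflict-<YYYYMMDD>-<HHMMSS>-<short device ID><ext>`) and the KDBX 2.x file signature (bytes 03 D9 A2 9A 67 FB 4B B5). It pairs each conflict copy with the file it conflicts with, orders them by when the change was made, checks that both really are KDBX files (a zero-filled or truncated copy is a sign of a bad sync, not something to merge), and prints a suggested action; the merge command assumes KeePassXC's `keepassxc-cli`. The filenames and file bytes in SAMPLE_FILES are constructed for the demo.

```python
"""Triage Syncthing sync-conflict copies of a KeePass database.

Added example, not code from the original post, Syncthing or KeePass.
Assumptions (both documented formats):
  - Syncthing conflict naming:
      <name>.sync-conflict-<YYYYMMDD>-<HHMMSS>-<short device ID><ext>
  - KDBX 2.x file signature: bytes 03 D9 A2 9A 67 FB 4B B5
The filenames and bytes in SAMPLE_FILES are constructed for the demo.
"""
import re
import shlex
from datetime import datetime

CONFLICT_RE = re.compile(
    r"^(?P<stem>.+)\.sync-conflict-(?P<date>\d{8})-(?P<time>\d{6})"
    r"-(?P<dev>[A-Z2-7]{7})(?P<ext>\.[^.]+)?$"
)
# First eight bytes of every KDBX 2.x file (two little-endian magic numbers).
KDBX_SIGNATURE = bytes.fromhex("03d9a29a67fb4bb5")


def parse_conflict_name(name):
    """Return {original, modified, device} for a conflict copy, else None."""
    m = CONFLICT_RE.match(name)
    if m is None:
        return None
    return {
        "original": m.group("stem") + (m.group("ext") or ""),
        "modified": datetime.strptime(m.group("date") + m.group("time"), "%Y%m%d%H%M%S"),
        "device": m.group("dev"),  # first 7 chars of the device ID that made the change
    }


def is_kdbx(data):
    """Cheap sanity check: does this look like a KeePass 2.x database at all?"""
    return data[:8] == KDBX_SIGNATURE


def triage(files):
    """files: mapping filename -> leading bytes of that file.

    Returns one record per conflict copy, newest change first, noting whether
    both the copy and the file it conflicts with are intact KDBX databases.
    """
    records = []
    for name, data in files.items():
        info = parse_conflict_name(name)
        if info is None:
            continue
        original = info["original"]
        records.append({
            "conflict": name,
            "original": original,
            "device": info["device"],
            "modified": info["modified"],
            "conflict_is_kdbx": is_kdbx(data),
            "original_is_kdbx": original in files and is_kdbx(files[original]),
        })
    records.sort(key=lambda r: r["modified"], reverse=True)
    return records


def recommend(rec):
    """Suggested action for one conflict record.

    The merge command assumes KeePassXC's CLI (keepassxc-cli merge <target> <source>);
    KeePass 2.x users do the same via File > Synchronize > Synchronize with File.
    """
    if not rec["conflict_is_kdbx"]:
        return "do not merge: conflict copy is not a KDBX file (truncated or damaged); inspect before deleting"
    if not rec["original_is_kdbx"]:
        return "original missing or not a KDBX file: keep the conflict copy and restore from file versioning"
    return "keepassxc-cli merge %s %s" % (shlex.quote(rec["original"]), shlex.quote(rec["conflict"]))


# Constructed sample: a healthy database, one good conflict copy from device
# ABCDEFG, one zero-filled (damaged) copy from device HIJKLMN, and a bystander.
KDBX4_HEADER = KDBX_SIGNATURE + bytes.fromhex("00000400")  # minor 0, major 4
SAMPLE_FILES = {
    "passwords.kdbx": KDBX4_HEADER,
    "passwords.sync-conflict-20230115-143021-ABCDEFG.kdbx": KDBX4_HEADER,
    "passwords.sync-conflict-20230116-090000-HIJKLMN.kdbx": b"\x00" * 8,
    "notes.txt": b"not a database",
}

if __name__ == "__main__":
    for rec in triage(SAMPLE_FILES):
        print(rec["conflict"], "->", recommend(rec))
```

Run it against a real folder by building the mapping from `os.listdir` and the first 8 bytes of each file; after merging, delete the conflict copy on one device and let Syncthing remove it everywhere else.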

Conclusion

By switching to KeePass and Syncthing I am able to securely sync my password database between my devices without ever storing it on a third-party server. If I could just figure out the issue with the .stfolder on Android mysteriously disappearing I would be completely satisfied.

Please feel free to leave any questions or concerns in the comments!

Discussion

tvmanus

I've been using KeePass with GDrive sync and a YubiKey for a while, so this proposed setup is a nice option. I would also clarify the root cause of the simultaneous editing issue. The KeePass file is handled in the local application and encrypted by itself, which means that the external sync process has no way to know how to merge two versions.
Multi-user KeePass uses a file system locking mechanism: only the first user would be able to edit the file, while all other users would be able to open the database in read-only mode. There is a mechanism of triggers built into KeePass; it would be nice to make use of them in order to resolve conflicts and merge databases automatically. I have no idea how, but maybe someone can share good ideas.

The advantage of the sync method is that the user can have all the passwords locally and offline. For example I use a lot of encrypted files with unique passwords and being unable to access them while not connected to some kind of online (even self-hosted) password manager would be a big downside.

Scott (Author)

Thanks for your comment!

True, I suppose the encryption would hinder the merge process, although that gave me an idea! You mentioned the KeePass Triggers/API, I wonder if those could be used in order to produce a custom merge plugin for Syncthing (if such a thing exists) that could diff the KeePass DB file after unlocking it via some kind of initialized authentication.

For example, when you log in to your account on your OS (or start Syncthing on Android), the systemctl startup command brings up an authentication window to input your KeePass DB password. Upon entering the password it will have the ability to merge changes when a new version comes from Syncthing.

I have some searching to do!