KeePassXC — Better than the competition

Lior Dux
4 min read · Feb 21, 2024

KeePassXC — The Ultimate Password Manager For All Platforms

Introducing

KeePassXC is a modern, secure, and open-source password manager that stores and manages your most sensitive information.
- Taken from the official project page.

Working as a DevOps Engineer, or in any other technical field, means handling a variety of credential types in many forms: strong passwords, two-factor authentication (TOTP) seeds, SSH keys, secret files, and more. Everything is easier with KeePassXC!

My use-cases

In my line of work I typically work with different and multiple clients simultaneously, therefore I have a lot of secrets to manage and use every day. Here’s a list of a few of them:

  • SSH keys for on-premises machines at a remote location.
  • Password & TOTP for my GitHub account.
  • Secret file (Containing AWS ACCESS KEY & AWS SECRET ACCESS KEY) for working with AWS through the terminal.
  • Secret attachments.
  • TOTP recovery codes.

And many more. Multiply that X times for X clients and it almost gets complicated. Why almost you ask? Because KeePassXC makes my life so much easier.

The Competition

Firstly, it’s important to acknowledge that there are great competitors and each has advantages and disadvantages, different popularity and plans.
To name a few:

  • BitWarden
  • VaultWarden
  • Keeper
  • 1Password
  • KeePass

Why KeePassXC

I decided to go with KeePassXC firstly because it’s free and open source (FOSS), which itself is a major plus for allowing community feedback (and also criticism!), it’s free, it’s cross-platform (not precisely, more on that later on) so you could use it whether your current work laptop is running macOS or Linux, it offers SSH integration, which means I never store SSH keys on my machine, and they “disappear” from my ssh-agent after a while.
I can attach any file I want to a specific entry, it has great browser integration and the ability to perform auto-typing. And most importantly — YubiKey support!

Under the hood — KDBX

KeePassXC currently uses the KeePass 2.x (.kdbx) password database formats KDBX 3.1 and KDBX 4 as its native file formats.

These files contain passwords in an encrypted database wherein they can only be viewed if the user set a master password and accessed them through that master password. KDBX files are useful when it comes to the secure storage of personal login credentials for email accounts, e-commerce sites, Windows, FTP sites and other purposes.
- Taken from reviversoft article.

Looks great, doesn’t it?

Use Case example — SSH Integration

I won’t go over every step of using KeePassXC (maybe in a different article, depending on popularity — let me know what you think), however I will provide a preview of using one of the best features of this manager — the SSH agent integration.

SSH Integration Demo

The Chicken 🐓 & The Egg 🥚

We’ve solved many of our issues regarding secrets management by using KeePassXC as the unified & centralised secrets manager, but how do we secure it?

Securing our database

Following security best-practice principles,

“Something you know, something you have, and something you are.”

Opening our database would require:

  1. Strong Master Password — Something we know
  2. Access to the Database file — Something we have access to
  3. A hold of the Secret Key File — Something we have access to
  4. A hold of a Physical Hardware Key, our YubiKey — Something we are

We could debate whether or not a YubiKey is something we are, however there is a biometric version, which would then cover all bases of this debate.
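To make the "all factors required" idea concrete, here is an added illustration (not KeePassXC's own code) of a composite unlock key: each factor above contributes bytes, all of them are hashed together, and changing or dropping any one factor yields a completely different key. The hashing layout and sample secrets are constructed for this example; the real KDBX 4 derivation differs in details (key-file format handling, how the YubiKey response is mixed in, and an Argon2 pass on the result).

```python
import hashlib
import hmac

# Constructed illustration of a multi-factor composite key, in the spirit of
# KDBX but NOT KeePassXC's exact algorithm. Each factor is reduced to bytes
# and all of them are hashed together, so nothing decrypts without all three.


def password_factor(master_password: str) -> bytes:
    """Something we know: hash the master password so raw text never enters the key."""
    return hashlib.sha256(master_password.encode("utf-8")).digest()


def keyfile_factor(keyfile_bytes: bytes) -> bytes:
    """Something we have: the secret key file, reduced to 32 bytes."""
    return hashlib.sha256(keyfile_bytes).digest()


def hardware_factor(token_secret: bytes, challenge: bytes) -> bytes:
    """Our YubiKey: an HMAC-SHA1 challenge-response whose secret stays on the token."""
    return hmac.new(token_secret, challenge, hashlib.sha1).digest()


def composite_key(*factors: bytes) -> bytes:
    """Hash every factor's output together; presence and order of each one matter."""
    h = hashlib.sha256()
    for factor in factors:
        h.update(factor)
    return h.digest()


def unlock_key(master_password: str, keyfile_bytes: bytes, token_secret: bytes, challenge: bytes) -> bytes:
    return composite_key(password_factor(master_password),
                         keyfile_factor(keyfile_bytes),
                         hardware_factor(token_secret, challenge))


# Constructed sample values standing in for the real secrets.
MASTER_PASSWORD = "correct horse battery staple"
KEYFILE = bytes(range(32))        # stand-in for a 32-byte key file
TOKEN_SECRET = b"\x11" * 20       # stand-in for the YubiKey HMAC secret
CHALLENGE = b"\x42" * 32          # stand-in for the per-database challenge


def every_factor_required() -> bool:
    """True when a wrong password, wrong key file, wrong token or missing token all change the key."""
    good = unlock_key(MASTER_PASSWORD, KEYFILE, TOKEN_SECRET, CHALLENGE)
    variants = [
        unlock_key("wrong password", KEYFILE, TOKEN_SECRET, CHALLENGE),
        unlock_key(MASTER_PASSWORD, b"not the key file", TOKEN_SECRET, CHALLENGE),
        unlock_key(MASTER_PASSWORD, KEYFILE, b"\x22" * 20, CHALLENGE),
        composite_key(password_factor(MASTER_PASSWORD), keyfile_factor(KEYFILE)),  # YubiKey absent
    ]
    return all(variant != good for variant in variants)


if __name__ == "__main__":
    print("all factors required:", every_factor_required())
```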

Cross-Platform — is that so?

Lately I’ve had to switch from an Android phone running /e/ to an iPhone running iOS. Searching for KeePassXC in the App Store led to no results. After a bit of research I’ve discovered there’s no official KeePassXC app for mobile phones at all; turns out I’ve been using KeePassDX (recommended) on my previous Android phone! There are however recommendations for supported applications for both mobile platforms. Thanks to the beauty of FOSS there might be, but I guess I’ll go with KeePassium for my iPhone for now.

Coming up…

In the next chapter we will dive into disaster recovery and sharing of KeePassXC across teams. Stay tuned for more!


Lior Dux

27-year-old DevOps Engineer living in Israel. Loves computers, tech, security, automation and embedded.