Setting up KeePassXC on Linux (with Cloud Synchronization)
Stay open-source, trust no one.
KeePassXC is one of the best open-source password management solutions out there. There are also plenty of great closed-source solutions, but if you’re using Linux and got to reading this article — you probably don’t need me telling you why open-source software has its advantages.
Installation
Downloading KeePassXC is easy enough, simply visit the download page and choose your preferred installation method. While you can use any one of the popular package managers, AppImage and Snap variations are available, so:
- If you simply want to try KeePassXC and are not committed to it enough to install it, the AppImage is a great option (more information on AppImages and how to use them).
- If you are installing it, I highly recommend using the provided Snap package (more information).
If you are new to Snap and you’re running an Ubuntu-based Linux distribution, you can run sudo apt install snapd
to enable Snap (for other distributions follow these instructions from ‘It’s FOSS’).
Once Snap is enabled, run sudo snap install keepassxc
to install KeePassXC.
Congratulations! You should now have the newest version of KeePassXC installed and ready to generate and manage your passwords for you.
If you did use Snap, there are a couple of things you should take care of in advance before you go ahead and update all of your passwords:
- To enable connection to the browser extension (Chrome Web Store, Firefox Add-ons), save this link (or the one right under the “Official Snap Package” link on the download page) to your computer and run it. Note that you will need to make the file executable; do so by running
sudo chmod +x </PATH/TO/SCRIPT/>keepassxc-snap-helper.sh
, or, if you absolutely can’t stand using the terminal (which you shouldn’t! Befriend your terminal!) right click on the file → Properties → Permissions → Allow executing file as program. - If you plan on using a key file (which you absolutely should, more on that in a minute), run the following command in the terminal:
sudo snap connect keepassxc:removable-media :removable-media
This will allow the installed Snap package to access your file system’s /media/ directory in order to read a key file (a binary file you will physically carry with you) from a USB stick (thanks to GitHub’s droidmonkey for this solution).
Configuration
Master Password
The most important thing about using a password manager is to choose a (really, really) strong master password. If you’re not genuinely impressed with yourself when you type it in, it’s not strong enough. The point of switching to a password manager is to have all of your most sensitive credentials in one impregnable place; your bank account, credit cards, mail, social media — whether it’s your assets or your reputation, the dearest information you have is most probably accessible through the internet, ergo your passwords for this information should be as un-hackable as possible.
In my opinion the best approach in this case, and in many other cases, is to combine: choose four random words that are easy for you to remember, but combine uppercase, lowercase, and special characters as well. E.g. “correct horse battery staple” isn’t much harder to remember than “C0rrEct(hOrse)b@TTery+$7ap13|” once you’ve practiced typing it a couple of times, but the increase in entropy is substantial. It will take you longer to type, but I’d argue the extra minute a day (at most!) is a fair price for securing all of your passwords. Let your muscle memory do the heavy lifting and you’ll be surprised at how easily it comes to you after a few times.
Just to be on the safe side, copy your master password to a physical note and put it in a completely secure place that no one with access to your computer could ever possibly know of.
Key File
Go to Database → Database settings… → Security. Under the Password section at the top you should see a Key File section.
This allows setting or creating a binary file that is used together with or instead of a master password. It is recommended to let the application generate a key file for you, and to copy it to three USB sticks. One you will carry with you, the other two you will keep as backup (in separate locations from the physical backup for your master password!). Having a key file means that even if someone somehow gains access to your password, you have a second form of authentication that prevents them from being able to use it. Again, you pay with convenience, but profit immensely in security. Simply get in the habit of throwing that USB stick in your pocket or backpack when you leave the house to any place where you might need access to your passwords. This should really be limited to perhaps one or two computers you work on. We’ll talk about your mobile phone in a second.
Decryption Time
In the same Database settings… → Security menu, note the second tab titled Encryption Settings. The first field in this tab is labeled Decryption Time and should have a Change button opposite of it. Press the button and validate your decryption time setting is set to at least 1 second. Feel free to give it a couple of extra deciseconds (hundreds of milliseconds) while you’re at it. The difference will be effectively indistinguishable, but the result will be a significant increase in the number of iterations used when encrypting your data, making it much harder to decrypt.
These are the basics. You can also set a default username for new entries (Database → Database settings… → General), which I like to have as my e-mail address, change the time interval for clearing the clipboard after copying passwords (Tools → Settings → Security), decide to show a system tray icon (Tools → Settings → General), and much, much more. Explore and make it your own!
Synchronization
First, you probably want to have your passwords available on your mobile phone. I use Keepass2Android and am very satisfied.
Keepass2Android allows you to set the location of the database file from various cloud services (including Google Drive, Dropbox, OneDrive, ownCloud, NextCloud, and more). However, KeePassXC does not. As stated in the KeePassXC website:
Why is there no cloud synchronization feature built into KeePassXC?
Cloud synchronization with Dropbox, Google Drive, OneDrive, ownCloud, Nextcloud etc. can be easily accomplished by simply storing your KeePassXC database inside your shared cloud folder and letting your desktop synchronization client do the rest. We prefer this approach, because it is simple, not tied to a specific cloud provider and keeps the complexity of our code low.
Now it really depends on what cloud service you are using. Dropbox provides a Linux client, and so do ownCloud and NextCloud, but Google Drive and OneDrive don’t offer a particularly straightforward solution for Linux users. Also, you may not want or be able to install your cloud provider’s client in all the computers you need to have access to your passwords from.
EDIT: if you’re using GNOME there actually is a simple method to mount both Google Drive and OneDrive, more information here. Thanks to KeePassXC on twitter, for pointing this out.
This could pose a potential problem, but fret not — Rclone has got you covered.
Rclone
According to Rclone’s GitHub project’s README:
Rclone (“rsync for cloud storage”) is a command line program to sync files and directories to and from different cloud storage providers.
If you’ve clicked on either of two previous links and reviewed the incredible list of supported cloud storage providers, you could almost certainly spot whichever cloud service you might be using as well as just about any other one you’ve ever heard of (and a dozen you haven’t). Most importantly, the list includes any one of the services supported by Keepass2Android.
Installation is as simple as running: curl https://rclone.org/install.sh | sudo bash
.
To verify everything went smoothly you can executerclone --version
(or -V
) and see that you get the expected output.
Use the instructions on Rclone’s homepage to set up a connection to your preferred cloud storage provider by following the link next to its name. This process is usually quite effortless and mostly entails running rclone config
, selecting whichever provider you’re using, choosing a name for the created remote location, and accepting some defaults. To validate your configuration, execute: rclone lsd name:
, where name represents the name you chose for the remote (cloud) location. This will list all top-level directories within that location. Generally speaking, remote paths in Rclone are specified as name:remote/path
(which is why name:
points to the root directory).
Automation
Now that you have established a connection with your cloud storage provider, you need a script to automate the task of checking for updates and importing (if the remote version is newer) or exporting (if the local version is newer). I am not much of a bash scriptwriter, but I’ve come up with something relatively simple that seems to work:
All you have to do is download the file (you can also click the “view raw” button and copy directly to a file on your computer) and change the values of the four variables under the “Configuration” title (DRIVE_NAME
, DB_FILE_NAME
, LOCAL_LOCATION
, and REMOTE_LOCATION
) according to your setup. I like to keep such bash scripts under ~/Scripts
(~
in the terminal is an alias to the home directory). Don’t forget to give the file execution permissions:chmod +x ~/Scripts/sync-passwords.sh
Alternatively, you can simply run:
cd; mkdir -p Scripts; wget https://gist.githubusercontent.com/ZviBaratz/a4a51544c3d876543d37abfd0c6ee2a3/raw/1b739673cfe168a7c0797bc04e1ab90269c82281/sync-passwords.sh -P Scripts; chmod +x Scripts/sync-passwords.sh
This will change directory to the user home’s directory, create the ‘Scripts’ directory if it doesn’t exist under it, download the GitHub gist, and change its permissions to make it executable. However, don’t forget you still have to change the variables at the beginning of the script to match the name and location of your database file and the name of the cloud storage provider.
Make sure it’s working by running it:~/Scripts/sync-passwords.sh
Assuming you don’t yet have a remote copy of the database file, you should see something like:
In following runs the output will look like:
Finally, you may want to create a cron job to automate the execution of this script, so that you don’t have to remember running it every time you make a small change. To create a job that runs the synchronization script every 20 minutes, you can run:
(crontab -l; echo "*/20 * * * * $HOME/Scripts/sync-passwords.sh") | crontab -
If you would like to create a different synchronization schedule you can use crontab.guru or learn more about cron scheduling. If you already created this job and would like to edit it you can do so using crontab -e
.
Key File
Don’t forget about the key file! Connect your mobile phone to your desktop with a USB cable and copy the key file to your local storage. Open Keepass2Android and under “select master key type:” choose “Password + Key File”. Browse to select your key file from the phone’s local storage.
Once you’ve unlocked your database successfully, click on the options button (should appear as three vertical dots in the top right corner) → Settings → Database, and select “Import database to internal folder”. Having completed that, delete the original version of the key file on the device so that it is not accessible to any other application.
This should get you up and running with KeePassXC across multiple devices, including a secure key file and automated synchronization through a cloud service of your choice. Don’t forget to generate unique and strong passwords for each site you register to. Now that you don’t have to remember any passwords on your own, you can create 30+ characters long passwords with special symbols and even extended ASCII — go wild!
Hope you found this tutorial useful. Please feel free to ask for help if you run into trouble or to offer suggestions for improvements.