Saturday, December 29, 2018

Private KeePass Synchronization Between Desktop and Mobile

Password Management
Password management systems are recommended today to solve the problem of having too many passwords to remember, avoid using easily guessable passwords, yet avoid writing them all down. Portability and privacy are also problems when writing passwords on paper; what happens if you need to recover a password while traveling?

One solution is to use a password manager on the desktop/laptop and keep it synchronized with your mobile phone. This allows you to generate and manage complex passwords that don't need to be memorized or written, but you can still have access to them on your phone.

KeePass is the password management system recommended by privacytools.io. It is open source, and the community creates plug-ins to add functionality. The main KeePass application is for desktop/laptop use only, without an official mobile application, but there are some options for mobile. KeePass2Android is a highly rated companion to the desktop version, available in the Play store.

It is easiest to do almost all the creation and management of passwords in the desktop application, leaving the phone merely as a device to use while on the move. KeePass does have some built-in synchronization functionality, but it mainly deals with merging two password databases that are presumed to be updated independently. We want to simplify things, we will instead make one master database on the desktop that we transfer to the phone relatively easily. The hardest thing will be the initial setup, especially if you do not already have a home server.

KeePass keeps a single, encrypted file with the passwords on your system, along with a master password to open the database. There is an option to use a separate digital key file, in which the app must have both the database file (with master password) and the key file on the system in order to grant access. This is useful when a user wants to store the password database in cloud storage, which is supposedly safe, or in an even less secure place, or even to email the encrypted database. If the password database is somehow intercepted, an attacker could try to guess the master password using an automation tool like Hashcat until gaining access. The requirement to also possess the key file makes this kind of attack more difficult. Once the key file is installed on the system or phone, the only file that needs to be updated is the password database.

Synchronization Scheme at https://keepass.info/help/kb/trigger_examples.html#dbsync
A More Private Cloud
There is good reason for users to be paranoid about storing their password databases in their personal cloud like Dropbox, so perhaps "Any Cloud Storage Service" depicted above could actually be our own home server, presuming that it is actually secure. Note that the diagram above also assumes that we will do two-way synchronization, which is not the case in our one-way, master-slave arrangement.

Instead, we will save the password database either directly to a Linux server running Samba or transfer it there by SFTP on our own home network. Then we will retrieve the updated file from the server onto our phone and overwrite the old database.

Master-Slave Arrangement

The main computer is either a Windows or Mac with KeePass installed.

For the server, we could use a regular Linux machine, but if you already have a Raspberry Pi, you can set up a small file share on your home network. Look for articles about how to set this up on the Pi, like here. Setting up Samba on a full-sized Linux machine should be a little easier. You will need to know your IP address and have SFTP enabled in order to access it from the phone. Since IP addresses can change upon router reboot, it is also wise to configure the router so that the server always be assigned the same IP address.

We will assume the use of an Android phone. To get started, install Keypass2Android from the Play store. In order to retrieve the database file from the server to the phone, you will also need an FTP app, such as AndFTP.

Transfer Time
With everything installed, we are finally ready to go.

In KeePass on your computer, create a new database. Either save it directly to your shared drive or copy it there after you save and close KeyPass. If you choose to copy it, this task can be automated through Windows 10 scheduled tasks.



Connect your phone to your home WiFi, open AndFTP, connect to the server using its IP address, and browse to where the password database file was saved. It should have a kdbx extension. Download it to your phone.


Open Keepass2Android on your phone, then "Open file."


 Select "System file picker," then browse on your phone to where you downloaded the file.


The database file is selected, so enter your password and open the database. You should see your first entry. The next time you use Keepass2Android, it will remember your database file and key file, if applicable, so you only have to enter your password. Follow the Keepass2Android tutorials on how to use the special keyboard provided by the app that avoids allowing other apps snoop on your clipboard.

Later, when you add or update passwords in your master database, you can just use AndFTP to download and overwrite the file on your phone so you always stay in sync. 

This is one way to make use of a password manager and keep it synchronized between your main computer and your phone, all without backing up your password file to an external location.