Securely synchronize your KeepassX Passwords
Using a key file to protect your password database in the Cloud
Forget your Passwords
Passwords that are easy to remember are also easy to crack. Password managing software can help with that by generating and storing strong passwords that you’d never be able to memorise. If you want to log in to one of your password-protected services, just fire up your password manager, look up your service, copy the password and paste it into the login form.
KeepassX is one such password manager and it’s free and open source software. 1Password is another popular one that offers a richer feature set, but it isn’t fully cross-platform (only Windows, Mac, iOS and Android supported) and it’s proprietary software. I will concentrate on KeepassX.
Don’t trust the Cloud
Quite likely you have more than one machine that you use frequently and you’ll want the password database to be synced automatically between different computers without manually copy/pasting the passwords over. One of the many cloud storage providers seems like the best way to achieve that. However, if you upload all your passwords somewhere – even when protected with a master password – you’ll want to make sure that someone getting hold of your password file is unable to decrypt the content (or at least has a very hard time doing so).
This is true for every online storage system out there: be it your own OwnCloud installation at home (which may be hacked), a rented/co-located server or VPS (to which the server housing company has physical access) or a company like Dropbox that may be forced by government officials to provide access to your data.
KeepassX allows the use of a keyfile, a complementary file that you need together with your master password to unlock your password storage. Don’t upload this keyfile to a cloud storage – copy it manually to your other computer(s). Don’t worry, you only have to do it once. The following paragraphs will guide you through the process of setting up a »secure enough« password sync.
Password-Sync with Dropbox
Start up KeepassX and choose File / New Database… from the menu bar (or click the leftmost icon). A dialogue pops up, asking for a master password (this will be used to encrypt your password database):
Check the Key File option and click Generate Key File…. You will be prompted for a file location and a file name. You can give it any name you like and you can save it anywhere (you only have to remember where) but do make sure not to choose your Dropbox folder. I saved the file as ~/Documents/KeepassX.keyfile. Now choose a good password and click OK.
You are now ready to add your passwords: Select Entries / Add New Entry… from the menu or choose the fourth icon from the left. KeepassX allows you to group account data but other than pure convenience, it doesn’t really matter where you create an entry. Enter your data and click OK. You’ll end up with something like this:
Now it is time to let your newly created password store be synced: save the database (File / Save Database…) and this time do choose your Dropbox folder as the file location. You can name the file anything you want, just make sure it ends on
Opening your Password Storage on another Computer
Make sure you have copied the generated keyfile via a USB stick or some other secure means before you continue. The *.kdb file is already on your other computer thanks to Dropbox’s sync. Double-click the KeepassX file in your file browser – it should open KeepassX with a prompt for the password. Enter it, but also check the Key File option below and browse your folders to find the manually copied keyfile. Click OK and you’re done.
Note: KeepassX creates a lock file when it opens a .kdb file as a protection against accidentally overwriting your own files. When the lock file exists and you attempt to open the .kdb file anyway, KeepassX will warn you, asking you to open the file in read-only mode (recommended) or open it anyway (dangerous). A stale lock file is most likely left over because you suspended a computer which had the corresponding .kdb file open (e.g. a laptop in sleep mode). Closing the KeepassX instance will remove the lock file.
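The whole setup depends on the keyfile never ending up in the synced folder, which can happen unnoticed when a local-looking folder is really a symlink into Dropbox. The following check is an added example, not part of the original article or of KeepassX; it assumes a POSIX system, the file name passwords.kdb and all directory names are constructed, and the permission check is an extra precaution the article does not mention.

```python
import os
import stat
import tempfile

def is_inside(path, root):
    """True if path resolves (symlinks followed) to a location under root."""
    real_path = os.path.realpath(path)
    real_root = os.path.realpath(root)
    return os.path.commonpath([real_path, real_root]) == real_root

def audit_keyfile(keyfile, database, sync_dir):
    """Return a list of findings; an empty list means the layout is as intended."""
    findings = []
    if is_inside(keyfile, sync_dir):
        findings.append("key file is inside the synced folder")
    if not is_inside(database, sync_dir):
        findings.append("database is not inside the synced folder")
    # Extra precaution (not from the article): only the owner may access the key.
    mode = stat.S_IMODE(os.stat(keyfile).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("key file is accessible to group/others (mode %o)" % mode)
    return findings

def demo():
    """Audit three variants of a constructed home directory layout."""
    with tempfile.TemporaryDirectory() as home:
        dropbox = os.path.join(home, "Dropbox")
        docs = os.path.join(home, "Documents")
        os.makedirs(os.path.join(dropbox, "Documents"))
        os.makedirs(docs)
        db = os.path.join(dropbox, "passwords.kdb")
        key = os.path.join(docs, "KeepassX.keyfile")
        synced_key = os.path.join(dropbox, "Documents", "KeepassX.keyfile")
        for path in (db, key, synced_key):
            with open(path, "wb") as handle:
                handle.write(b"constructed sample, not a real key")
            os.chmod(path, 0o600)
        # A folder that looks local but is a symlink into Dropbox.
        link = os.path.join(home, "Docs-link")
        os.symlink(os.path.join(dropbox, "Documents"), link)
        good = audit_keyfile(key, db, dropbox)
        via_link = audit_keyfile(os.path.join(link, "KeepassX.keyfile"), db, dropbox)
        os.chmod(key, 0o644)  # loosen permissions to trigger the extra check
        loose = audit_keyfile(key, db, dropbox)
        return good, via_link, loose

if __name__ == "__main__":
    print(demo())
```

Call audit_keyfile with your real keyfile, database and Dropbox folder paths on each computer after copying the keyfile over.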