I use Bitwarden for my passwords. I've been considering moving to KeepassXC because I could use a key file and really lock down the database. But I've noticed that KeepassXC has had only one audit. It was a free one by a security consultant and just covered basic functionality. For example, browser integration and the browser extension were not covered.
What do you mean with "use a key file and really lock down the database"?
I use Vaultwarden (which is an API-compatible Bitwarden server replacement, nice for self-hosting) and the "key file" is a sqlite database (so it is one single "key file"). It is "locked down" in the sense that even if a random user/attacker were to be able to download the file/db the contents would be meaningless anyway (that's the whole point of encryption :).
So I'd be interested in your ideas for (additional?) locking down of the database.
I use KeepassXC daily, but I do NOT use the browser integration. There is a copy/paste feature that is easy to use. I don't trust any browser, so no integrations for me.
reinob wrote: 2025-01-23 07:47
What do you mean with "use a key file and really lock down the database"?
I use Vaultwarden (which is an API-compatible Bitwarden server replacement, nice for self-hosting) and the "key file" is a sqlite database (so it is one single "key file"). It is "locked down" in the sense that even if a random user/attacker were to be able to download the file/db the contents would be meaningless anyway (that's the whole point of encryption :).
So I'd be interested in your ideas for (additional?) locking down of the database.
On KeepassXC the database is protected by and encrypted with a password. In addition you can optionally use a key file. So a kind of second factor authentication which I believe is also used to encrypt the database. So you would need both the password and key file to decrypt it. You could actually use any file you like as a key file but KeepassXC will generate one for you. I tried to open one to look at it but it wouldn't open. I think someone said that it's just a sequence of random characters. Through reading a number of threads I'm under the impression that it would be very difficult to crack a database protected in this manner.
bassplayer69 wrote: 2025-01-23 07:57
I use KeepassXC daily, but I do NOT use the browser integration. There is a copy/paste feature that is easy to use. I don't trust any browser, so no integrations for me.
Yeah but then you have to worry about domain spoofing and phishing. A browser extension would protect against this. And copy/paste has its own problems with clipboard sniffers. Not clear to me which is the bigger threat but I've been thinking that maybe the browser extension is the lesser one.
reinob wrote: 2025-01-23 07:47
What do you mean with "use a key file and really lock down the database"?
I use Vaultwarden (which is an API-compatible Bitwarden server replacement, nice for self-hosting) and the "key file" is a sqlite database (so it is one single "key file"). It is "locked down" in the sense that even if a random user/attacker were to be able to download the file/db the contents would be meaningless anyway (that's the whole point of encryption :).
So I'd be interested in your ideas for (additional?) locking down of the database.
On KeepassXC the database is protected by and encrypted with a password. In addition you can optionally use a key file. So a kind of second factor authentication which I believe is also used to encrypt the database. So you would need both the password and key file to decrypt it. You could actually use any file you like as a key file but KeepassXC will generate one for you. I tried to open one to look at it but it wouldn't open. I think someone said that it's just a sequence of random characters. Through reading a number of threads I'm under the impression that it would be very difficult to crack a database protected in this manner.
Ah OK. Thanks. Then it's like the key files you can use with LUKS to decrypt a partition.
I think that this is quite inconvenient if you need to use KeepassXC on your phone, for example (and you would have to be very careful where that file ends up being copied/synchronized/backed-up to).
reinob wrote: 2025-01-23 17:38
Ah OK. Thanks. Then it's like the key files you can use with LUKS to decrypt a partition.
I think that this is quite inconvenient if you need to use KeepassXC on your phone, for example (and you would have to be very careful where that file ends up being copied/synchronized/backed-up to).
But yes, whatever works for you.
Yeah, I was just concerned about backing up the database in the cloud so I wouldn't store the key file alongside the database in the cloud. But I'm not concerned about my devices (as far as a 2FA concern) so I would just keep the key file along with the database on my devices. In particular that would make phone usage very convenient.
Last edited by Shamak on 2025-01-23 19:28, edited 1 time in total.
bassplayer69 wrote: 2025-01-23 07:57
I use KeepassXC daily, but I do NOT use the browser integration. There is a copy/paste feature that is easy to use. I don't trust any browser, so no integrations for me.
Debian may agree with you. In Trixie they've created keepassxc-full and keepassxc-minimal packages. Minimal is supposed to be the more secure option built without network capabilities and browser integration. I think that's supposed to be the default installation rather than full.
bassplayer69 wrote: 2025-01-23 07:57
I use KeepassXC daily, but I do NOT use the browser integration. There is a copy/paste feature that is easy to use. I don't trust any browser, so no integrations for me.
Debian may agree with you. In Trixie they've created keepassxc-full and keepassxc-minimal packages. Minimal is supposed to be the more secure option built without network capabilities and browser integration. I think that's supposed to be the default installation rather than full.
Incidentally, here's the Debian KeepassXC maintainer, Julian Klode's opinion of the extra features in KeepassXC.