For a while now I have wanted to be more careful about how I handle my passwords. Until recently I was using Firefox Lockwise, which is an amazing free service from a similarly amazing company dedicated to OSS... That being said, I wanted a solution that I owned, where my passwords are only ever stored on my devices.
When it comes to password security and open source, KeePass tends to be the name you hear, so that is what I chose. Using KeePass means that I own the database. It also means that I had to find a way of syncing that database between devices...
My requirements:
- Wholly self owned solution to sync my KeePass db file between multiple machines
- Sync/Receive from anywhere
- Little to no maintenance
- Secure
Research/Thought Process:
- A quick online search recommends using a service like Dropbox, or Google Drive.
- I dismissed this, because it was a centralized service out of my control. If I was ok with that I might as well have stayed with Firefox Lockwise.
- I thought about a cron-based rsync solution...
- I dismissed this pretty quickly as there were too many logistical dependencies, and I couldn't find a way to make it work with a locked Android device.
- I considered setting up my own NextCloud (or similar) service...
- I dismissed this because it was too much work from a security/maintenance standpoint, and would cost money to deploy
- Decided on Syncthing!
Syncthing
I found Syncthing while searching for Nextcloud/alternatives and initially dismissed it, but came back to it after dissatisfaction with NextCloud/alternatives.
Syncthing in a nutshell
- Encrypts all device-to-device traffic with TLS by default; each device authenticates with its own certificate, and the Device ID is a hash of that certificate
- Watches the folders you register with it for changes
- Accepts connections only from Device IDs you have explicitly added
- Assigns devices to folders, so a device only receives the folders that are shared with it
- Finds peers through local broadcast or the global discovery servers
- Connects directly to peers where possible; when a firewall or NAT prevents that, the connection falls back to a relay, which only forwards the still-encrypted stream and cannot read it
- Transfers file data directly between your devices; nothing is stored on a third-party server
Installation on Fedora
sudo dnf install syncthing
Start the Fedora Instance
systemctl --user enable syncthing
systemctl --user start syncthing
Installation on Android
- Install Syncthing from the Google Play Store
Get your Device IDs
Android
- Open the app
- Tap the ≡ menu, then Show Device ID, and record the ID
Fedora
- Open localhost:8384 in your browser
- Click Actions, then Show ID, and record the ID
The web GUI listens only on 127.0.0.1 by default and has no password set; if you ever change the listen address, set a user and password under Actions > Settings > GUI first.
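Two checks worth doing at this step, as an added example that is not code from the post or from the Syncthing project: derive the Device ID from the certificate Syncthing generated (so you can confirm what the GUI shows), and validate the check characters of an ID you have typed or pasted before you trust it. The construction follows Syncthing's published ID format: SHA-256 of the DER-encoded certificate, base32 without padding (52 characters), a check character appended to each 13-character chunk using Syncthing's own Luhn-style variant (which walks each chunk left to right starting with factor 1), then 8 groups of 7 joined by dashes. The cert.pem path in the usage comment is an assumption about where your config directory lives.

```python
"""Derive a Syncthing Device ID from a device certificate and validate the
check characters of an ID before pasting it into the other device.

Added example, not code from the post or from Syncthing itself.
"""
import base64
import hashlib
import sys

LUHN_BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def luhn32(chunk: str) -> str:
    """Return the check character for a chunk drawn from LUHN_BASE32.

    Syncthing's variant of Luhn mod N: left to right, factor starts at 1.
    """
    n = len(LUHN_BASE32)
    factor = 1
    total = 0
    for ch in chunk:
        codepoint = LUHN_BASE32.index(ch)
        addend = factor * codepoint
        factor = 1 if factor == 2 else 2
        total += addend // n + addend % n
    return LUHN_BASE32[(n - total % n) % n]


def device_id_from_der(cert_der: bytes) -> str:
    """Compute the dashed, check-digited Device ID for a DER certificate."""
    digest = hashlib.sha256(cert_der).digest()                    # 32 bytes
    raw = base64.b32encode(digest).decode("ascii").rstrip("=")    # 52 chars
    with_check = "".join(raw[i:i + 13] + luhn32(raw[i:i + 13])
                         for i in range(0, len(raw), 13))          # 56 chars
    return "-".join(with_check[i:i + 7] for i in range(0, len(with_check), 7))


def validate_device_id(device_id: str) -> bool:
    """True if the ID has the right shape and every chunk's check char matches.

    This catches typos and dropped characters, not impersonation: only
    comparing the ID with the one shown on the other device does that.
    """
    compact = device_id.replace("-", "").replace(" ", "").upper()
    if len(compact) != 56 or any(c not in LUHN_BASE32 for c in compact):
        return False
    return all(luhn32(compact[i:i + 13]) == compact[i + 13]
               for i in range(0, 56, 14))


if __name__ == "__main__":
    # Usage (the cert path is an assumption; adjust to your config directory):
    #   openssl x509 -in ~/.config/syncthing/cert.pem -outform DER | python3 deviceid.py
    # or, to check an ID you typed in:
    #   python3 deviceid.py ABCDEFG-HIJKLMN-...
    if len(sys.argv) > 1:
        print("valid" if validate_device_id(sys.argv[1]) else "INVALID")
    else:
        print(device_id_from_der(sys.stdin.buffer.read()))
```

The ID printed from the certificate must match what Show ID displays; if it does not, you are looking at a different certificate (or a different config directory) than the running instance uses.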
Configure Devices
Android
- From the main screen, tap the Devices tab, then the + in the top right
- Enter the Fedora system's Device ID, add a Name, and tap ✔ to save
Fedora
- Click the Add Remote Device button under the Remote Devices heading
- Enter the Android Device ID, add a Name, then click Save
The Device ID is the only thing that authenticates the other device, so compare it against the one shown on that device (or scan the QR code the GUI shows next to the ID) rather than trusting whatever was pasted.
Adding Shared Folders
Android
- From the main screen, tap the Folders tab, then the + in the top right
- Fill in the 🏷️ Folder Label, 🔑 Folder ID, and 📁 Directory. Remember your 🔑 Folder ID.
- Enable the slider for your Fedora device name
- Tap ✔ to save
Fedora
- Under the Folders section, select Add Folder
- Fill in Folder Label, Folder ID, and Folder Path, where Folder ID is the same as the 🔑 Folder ID on Android
- Click the Sharing tab and tick ✔ next to your Android device name
- Click Save
Once both device configurations were saved, I placed my KeePass database file in the Folder Path on my Fedora installation and watched it sync to the other device within short order.
Notable Issues
- The .stfolder directory on my phone tends to be deleted on restart, causing an error. Creating an empty .stfolder in your sync directory seems to fix this.
- Modifying the same file on two devices before they have synced produces a conflict. Syncthing does not merge: the version with the newer modification time keeps the original name, and the other is kept beside it as <name>.sync-conflict-<date>-<time>-<device short ID>.kdbx. Nothing is lost, but the older edits only come back if you merge that copy yourself (in KeePass 2.x, File > Synchronize > Synchronize with File does this for a database).
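A small audit script for the two issues above, as an added example that is not code from the post or from Syncthing: it checks that the .stfolder marker is present and lists every .sync-conflict-* copy with the original file name, the time, and the short ID of the device that made the losing edit, which is what you need before merging that copy back by hand. It relies on Syncthing's conflict naming convention <name>.sync-conflict-<YYYYMMDD>-<HHMMSS>-<7-character device short ID><ext>; the folder contents built in demo() are constructed for the demonstration.

```python
"""Audit a Syncthing folder holding a KeePass database for a missing
.stfolder marker and for unmerged .sync-conflict-* copies.

Added example, not code from the post or from Syncthing.
"""
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Syncthing's conflict copy name: <stem>.sync-conflict-<date>-<time>-<shortID><ext>
CONFLICT_RE = re.compile(
    r"^(?P<stem>.+)\.sync-conflict-(?P<date>\d{8})-(?P<time>\d{6})"
    r"-(?P<device>[A-Z2-7]{7})(?P<ext>\.[^.]*)?$"
)


def parse_conflict_name(name: str):
    """Split a conflict copy's name into original file, time and device, or None."""
    m = CONFLICT_RE.match(name)
    if m is None:
        return None
    return {
        "conflict_file": name,
        "original": m.group("stem") + (m.group("ext") or ""),
        "modified_at": datetime.strptime(m.group("date") + m.group("time"),
                                         "%Y%m%d%H%M%S"),
        "device": m.group("device"),   # first 7 characters of the editing device's ID
    }


def audit_folder(folder: Path) -> dict:
    """Report whether the marker exists and list every conflict copy found."""
    conflicts = [info for p in sorted(folder.iterdir())
                 if (info := parse_conflict_name(p.name)) is not None]
    # .stfolder is a directory in current Syncthing versions; exists() also
    # accepts the empty file older versions used as the marker.
    return {"marker_ok": (folder / ".stfolder").exists(), "conflicts": conflicts}


def demo() -> dict:
    """Audit a constructed folder before and after recreating the marker."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        # Constructed contents: a database, one conflict copy, one unrelated file.
        (folder / "passwords.kdbx").write_bytes(b"constructed, not a real database")
        (folder / "passwords.sync-conflict-20210315-101530-ABCDEFG.kdbx").write_bytes(b"older edits")
        (folder / "notes.txt").write_text("unrelated file")
        before = audit_folder(folder)
        (folder / ".stfolder").mkdir()      # the fix the post describes
        after = audit_folder(folder)
    return {"before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    for c in result["before"]["conflicts"]:
        print(f"{c['conflict_file']}: edits to {c['original']} "
              f"from device {c['device']} at {c['modified_at']} were not merged")
    print("marker before fix:", result["before"]["marker_ok"],
          "after fix:", result["after"]["marker_ok"])
```

Point audit_folder at your real sync directory (for example from a cron job or a shell alias) and treat any listed conflict as a to-do: open the copy in KeePass and synchronize it into the main database, then delete the copy so it does not keep syncing around.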
Conclusion
By switching to KeePass and Syncthing I am able to securely sync my password database between my devices without ever storing it on a third-party server. If I could just figure out the issue with the .stfolder on Android mysteriously disappearing I would be completely satisfied.
Please feel free to leave any questions or concerns in the comments!
Top comments (2)
I've been using KeePass with GDrive sync and a YubiKey for a while, so this proposed setup is a nice option. I would also clarify the root cause of the simultaneous editing issue. The KeePass file is handled in the local application and encrypted by itself, which means that an external sync process has no way to know how to merge two versions.
Multi-user KeePass uses a file system locking mechanism: only the first user would be able to edit the file, while all other users would be able to open the database in read-only mode. There is a mechanism of triggers built into KeePass; it would be nice to make use of them in order to resolve conflicts and merge databases automatically. I have no idea how, but maybe someone can share good ideas.
The advantage of the sync method is that the user can have all the passwords locally and offline. For example I use a lot of encrypted files with unique passwords and being unable to access them while not connected to some kind of online (even self-hosted) password manager would be a big downside.
Thanks for your comment!
True, I suppose the encryption would hinder the merge process, although that gave me an idea! You mentioned the KeePass Triggers/API, I wonder if those could be used in order to produce a custom merge plugin for Syncthing (if such a thing exists) that could diff the KeePass DB file after unlocking it via some kind of initialized authentication.
For example, when you login to your account on your OS (start Syncthing on android) systemctl startup command brings up an authentication window to input your KeePass DB password. Upon entering the password it will have the ability to merge changes when a new version comes from Syncthing.
I have some searching to do!