Multi Device Cloud Sync and Version Conflicts / Attempt to write OfflineFirst Plugin
Multi Device Cloud Sync: No Data Loss, but user inconvenience to manually handle conflicts
When using cloud sync services such as Nextcloud, if two computers make changes to the same file while offline or out of sync, the (cloud) service typically does not delete either version. Instead, it detects the conflict and creates a duplicate file (often labeled as a “conflicted copy”) so that both versions are preserved. Remark: If the cloud service cannot handle the conflict and overwrites one version, data loss could happen in such situations.
What this means in practice:
- No data is lost: Both your changes and the remote changes are saved.
- But: You now have two versions of the file and must manually review and merge the differences.
- User inconvenience: This can be confusing, time-consuming, and error-prone, especially with complex files like password databases.
Example: If you update your password database on Laptop A while offline, and someone else updates it on Desktop B, Nextcloud will create a “conflicted copy” when both devices sync. You must then manually compare and merge the two versions to ensure all changes are kept.
Offline-first, record-based sync (like KeePass using sync triggers):
- Automatically merges changes at the record level.
- Prevents both data loss and the need for manual conflict resolution.
- Provides a smoother, more reliable multi-device experience.
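A simplified model of record-level merging for the Laptop A / Desktop B scenario above, added here as an illustration; it is not KeePass, KeePassKit or MacPass code. The `Entry` fields, the newest-modification-wins rule and the tombstone map are assumptions of this sketch, and all sample data is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Entry:
    uuid: str
    password: str
    mtime: int  # last-modification time (constructed values)
    history: list = field(default_factory=list)  # (mtime, password) of superseded versions

def merge(local, remote, deleted=None):
    """Record-level merge of two {uuid: Entry} maps (assumed model).

    deleted: {uuid: deletion_time} tombstones, so a stale copy on another
    device cannot resurrect an entry that was removed later.
    """
    deleted = deleted or {}
    merged = {}
    for uuid in sorted(local.keys() | remote.keys()):
        a, b = local.get(uuid), remote.get(uuid)
        if a is None or b is None:
            winner, loser = (a if a is not None else b), None
        else:
            winner, loser = (a, b) if a.mtime >= b.mtime else (b, a)
        if deleted.get(uuid, -1) >= winner.mtime:
            continue  # deleted after the last edit: stays deleted
        history = set(winner.history)
        if loser is not None:
            history |= set(loser.history)
            if loser.mtime != winner.mtime:
                # The superseded version is kept, not discarded.
                history.add((loser.mtime, loser.password))
        merged[uuid] = Entry(uuid, winner.password, winner.mtime, sorted(history))
    return merged

def demo():
    # Constructed sample: both devices start from the same state at t=100.
    base = {"e1": ("mail-old", 100), "e2": ("bank-old", 100)}
    laptop_a = {u: Entry(u, p, t) for u, (p, t) in base.items()}
    desktop_b = {u: Entry(u, p, t) for u, (p, t) in base.items()}
    laptop_a["e1"] = Entry("e1", "mail-new", 200)   # offline edit on Laptop A
    desktop_b["e2"] = Entry("e2", "bank-new", 220)  # offline edit on Desktop B
    desktop_b["e3"] = Entry("e3", "wifi", 210)      # new entry on Desktop B
    return merge(laptop_a, desktop_b), merge(desktop_b, laptop_a)

if __name__ == "__main__":
    for uuid, entry in demo()[0].items():
        print(uuid, entry.password, entry.history)
```

In this model the superseded password stays in the entry's history, so a rotated credential is still present in the merged database until the history is pruned.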
Summary: With standard cloud sync, you won’t lose data, but you may face confusing “conflicted copies” and have to manually resolve differences. An offline-first approach, always keeping a local copy of the database on the device, together with record-based sync eliminates this inconvenience by merging changes automatically. For MacPass, a feature request addressing this topic has been issued (#1316).
Attempt to write OfflineFirst Plugin
As MacPass uses KeePass sync/merge and offers a plugin concept, I thought it might be possible to write a plugin to add offline-first functionality.
The basic concept to implement was:
On open:
- check if the 2nd database file, stored e.g. in a secure location (I use a dedicated share on a NAS for this), is accessible.
- If accessible
  - sync/merge the opened KDBX with the 2nd database file stored e.g. in a secure location (I use a dedicated share on a NAS for this).
On close:
- if database was modified
  - check if 2nd database file is accessible.
  - sync/merge the opened KDBX with the 2nd database file
KeePass sync strategy from KeePassKit: KPKSynchronizationModeSynchronize
Two main issues found with this approach:
- To access a database file, KPKFile (KeePassKit) is needed. Unfortunately, MacPass does not expose KPKFile; only KPKTree is exposed. A possible workaround within the plugin framework could be to use a Python script and hand over the KPKTree to the plugin, but this is no more than a technical possibility.
- To make the full path name of the 2nd database editable, an MPDocument could be used, but in the context of a MacPassKit this does not seem to be available as a framework to use as a reference.
Other solutions (not ordered by preference):
- MacPass extension #1316.
- KeePass as a native cross-platform application, seen as the best trade-off for the future due to the complexity and to secure the highest quality.
- Wine on Arm, as KeePass has started to offer ARM64 binaries, which mid-term could be used without the need for Rosetta 2, esp. when wrapper programs such as Winery, Whisky or similar support this.
- Native implementation of a KeePass clone covering essential KeePass functionality, esp. triggers, bi-directional sync/merge, or plugins to achieve the same.
Remark: I also investigated Bitwarden/Vaultwarden but stopped using it because the setup is more complex and it still has limited, read-only offline functionality. A show stopper when databases need to be altered offline.