
Feature suggestion: Output passwords to PC via USB HID dongle (BLE → HID keyboard)

Open larrylart opened this issue 3 months ago • 9 comments

I wanted to ask if you’d consider adding support for external “output devices” such as a USB HID dongle that can receive a password over Bluetooth and type it on the host computer.

The idea is to make it possible to use the vault without manually typing passwords into the target machine, and without having to install any companion software on the host. The dongle acts as a Bluetooth receiver + USB keyboard, so once paired it simply types the password where the cursor is.

I actually built a working prototype for Android (by modifying KeePassDX). It uses an ESP32-S3 USB dongle (~$20) with a tiny display, which handles secure BLE pairing and then types the received password into the connected PC. You can see it here if you’re curious:

  • Android app mod: https://github.com/larrylart/KeePassDX-kb

  • Dongle firmware: https://github.com/larrylart/blue_keyboard

I realize implementing this on iOS may be different (and probably trickier in some areas), but I wanted to share the concept in case you think it might fit KeePassium’s roadmap.

Would this be something you’d be interested in supporting?

Thanks!

larrylart avatar Sep 28 '25 19:09 larrylart

Congrats on your release! Great ideas are in the air :) We are working on a similar thing, see ClickStick.io. However, our prototype is going a bit slower, as we are trying to cover all the bases from the start (threat modeling, cryptography, security analysis — it's on the website).

That said, I am genuinely curious how much demand there actually is for this kind of device. Whenever I ask people whether this is a problem they need solving… nobody responds :)

Can you tell me why you decided to create such a device? Is this a regular pain point? Or more of a "wow, nice Lilygo dongle, what can we do with it?" ;)

keepassium avatar Sep 28 '25 20:09 keepassium

Ha! Small world! I didn’t know about ClickStick! Interesting. Mine was just a quick hack I put together over the weekend. I didn’t focus much on security beyond basic pairing (limited by a bug in the ESP32 core), but realistically it’s on par with many commercial Bluetooth keyboards (AES-CCM, MITM protection/passkey), or better, as many mid-tier keyboards use Just Works pairing (no MITM). I will be looking to fix that ESP32 core issue and then turn on LESC (require encrypted writes); with that it will be at or above “enterprise-grade” HID security. I could add some extra protocol checks, such as verifying write-back on connect and verifying checksums on write, but I would say that, this being short-range communication, the risks are small; millions of Bluetooth keyboards out there do not worry as much about it.

The main issue I ran into was the keyboard layout: it has to match the host for special characters to type correctly. I got it working to some degree, but definitely more work is needed there. For now I did the basic UK/IE/US and MAC, but it requires the dongle firmware to be loaded as such; as far as I am aware there is no way to detect what the host has. On second thought, the app could tell the dongle, via a specially defined command, which layout to use.

As for demand/need: for me, as an IT professional working across many devices, it’s very handy to send credentials directly without having to read -> type every time. On top of that, my eyesight isn’t what it used to be, and typing special characters accurately can be frustrating. I've been thinking about something like this for years, honestly was hoping someone else would build it for me :).

That said, I agree it's a niche feature. The main use cases are probably for people who regularly access multiple devices, or desktop/laptop users who don't want to maintain a separate vault on each machine. For those cases though, it feels like a very straightforward and practical solution. And I believe it makes sense for enterprise users, since not having to type it in allows long complex passwords to be set, and it will work with any app/website. And like I said, security-wise, just the standard pairing with a PIN code will make it more secure than most wireless keyboards out there.

larrylart avatar Sep 28 '25 20:09 larrylart
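The layout problem described in the comment above, as an added example (not code from the thread or from either project's firmware): a USB HID keyboard sends key usage IDs plus a Shift flag, and the host's configured layout decides which character each one becomes. The `hidkey` type, the function names and the four-symbol US/UK tables are constructed for illustration and cover only part of each layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One keystroke as a USB HID keyboard reports it: key usage ID plus Shift. */
typedef struct { char ch; uint8_t usage; uint8_t shift; } hidkey;
typedef enum { LAYOUT_US, LAYOUT_UK } layout_t;

/* Constructed partial tables: symbols whose key differs between US and UK. */
static const hidkey SYM[2][4] = {
    { {'@', 0x1F, 1}, {'"', 0x34, 1}, {'#', 0x20, 1}, {'~', 0x35, 1} }, /* US */
    { {'@', 0x34, 1}, {'"', 0x1F, 1}, {'#', 0x32, 0}, {'~', 0x32, 1} }, /* UK */
};

/* Dongle side: character -> keystroke under the layout the firmware assumes. */
static int encode(layout_t l, char c, hidkey *k) {
    k->ch = c; k->shift = 0;
    if (c >= 'a' && c <= 'z') { k->usage = (uint8_t)(0x04 + (c - 'a')); return 1; }
    if (c >= 'A' && c <= 'Z') { k->usage = (uint8_t)(0x04 + (c - 'A')); k->shift = 1; return 1; }
    if (c >= '1' && c <= '9') { k->usage = (uint8_t)(0x1E + (c - '1')); return 1; }
    if (c == '0') { k->usage = 0x27; return 1; }
    for (size_t i = 0; i < 4; i++)
        if (SYM[l][i].ch == c) { *k = SYM[l][i]; return 1; }
    return 0; /* character not covered by this partial table */
}

/* Host side: keystroke -> character under the layout the OS is set to. */
static char decode(layout_t l, hidkey k) {
    if (k.usage >= 0x04 && k.usage <= 0x1D)
        return (char)((k.shift ? 'A' : 'a') + (k.usage - 0x04));
    if (!k.shift && k.usage >= 0x1E && k.usage <= 0x26) return (char)('1' + (k.usage - 0x1E));
    if (!k.shift && k.usage == 0x27) return '0';
    for (size_t i = 0; i < 4; i++)
        if (SYM[l][i].usage == k.usage && SYM[l][i].shift == k.shift) return SYM[l][i].ch;
    return '?'; /* outside the table, e.g. UK Shift+3 is the pound sign */
}

/* Writes what the host ends up with; returns 1 only if it equals the input. */
int type_through(layout_t fw, layout_t host, const char *in, char *out, size_t cap) {
    size_t n = 0;
    for (; in[n] && n + 1 < cap; n++) {
        hidkey k;
        out[n] = encode(fw, in[n], &k) ? decode(host, k) : '?';
    }
    out[n] = '\0';
    return strcmp(in, out) == 0;
}
```

With US firmware and a UK host, `Pa@s"1` arrives as `Pa"s@1`: letters and digits survive, while `@` and `"` swap places.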

> realistically it’s on par with many commercial Bluetooth keyboards

It is, but Bluetooth had a long evolution and many users remember its old security issues. Yes, LE SC is a far cry from Bluetooth Classic, but breaking stereotypes is an uphill battle.

> For now I did the basic UK/IE/US and MAC, but it requires the dongle firmware to be loaded as such, as far as I am aware there is no way to detect what the host has.

Indeed, there is no way to read host's keyboard layout; it has to be selected by the user. However, it is possible to recognize host OS. At least Logitech keyboards do that, but I have no idea how :)

> honestly was hoping someone else would build it for me :)

Well, InputStick has been around since 2014, yet few people know about it.

It's just very hard to promote this kind of device. Most people don't realize they have a password-typing problem in the first place. Those who feel the problem, don't know that it has solutions. Those who actively look for a solution… I wonder how exactly they google for it. One thing is certain: people searching for "BLE USB HID keyboard emulator" are halfway through building their own prototype :)

keepassium avatar Sep 29 '25 20:09 keepassium

I just finished updating both the dongle and the Android app 🎉

The dongle now runs on the latest ESP32 Board Library v3.3.1, which allowed me to fully enable BLE security. I also added a micro-command protocol so the app can dynamically set and echo keyboard layouts, and even return an MD5 hash for strings sent — letting the app verify delivery integrity. I’m still debating whether to add tokenization next (maybe next weekend 😅).

> It is, but Bluetooth had a long evolution and many users remember its old security issues. Yes, LE SC is a far cry from Bluetooth Classic, but breaking stereotypes is an uphill battle.

True! And there are ways to strengthen the perception of security too — like tokenizing transmitted strings using a shared password between the app and dongle.

> Indeed, there is no way to read host's keyboard layout; it has to be selected by the user. However, it is possible to recognize host OS. At least Logitech keyboards do that, but I have no idea how :)

As far as I know, HID devices can’t receive data back from the host. If Logitech managed it, they probably rely on custom host drivers. I’d rather avoid going down that route; you will be better off building a dedicated custom service that doesn’t even require a dongle.

> Well, InputStick has been around since 2014, yet few people know about it.

I actually just discovered it ... I hadn’t searched specifically for this kind of device before. I assumed there wasn’t one out there since no password managers seemed to support or advertise such hardware. Looking at their site now, it feels like they missed an SEO opportunity on use cases, especially around password vault integration, which in my opinion is one of the use cases. That’s probably why it never showed up in my searches.

> It's just very hard to promote this kind of device. Most people don't realize they have a password-typing problem in the first place. Those who feel the problem, don't know that it has solutions. Those who actively look for a solution… I wonder how exactly they google for it. One thing is certain: people searching for "BLE USB HID keyboard emulator" are halfway through building their own prototype :)

Most people know typing passwords is annoying, but they don’t think in technical terms like “how to send a password to my computer.” It’s definitely not an easy SEO space. But once apps start integrating this feature, it’ll become easier to promote — especially if password managers highlight it as a convenience or security feature within their apps and websites.

In my case, I didn’t start by searching how to do it. I looked for an app that could “send” a password to a PC or desktop. When I couldn’t find anything obvious, I tried searching for a software bridge or service that vaults could interact with — no luck there either. Then I thought: maybe Android could act directly as a keyboard, but that didn’t seem practical across OSes. Finally, I figured: why not just use a small board to act as a BLE-to-HID proxy? I found the LilyGo Dongle, and a weekend later… it worked!

larrylart avatar Oct 04 '25 21:10 larrylart

Apologies, I only just took a closer look at ClickStick.io. You're actually using the same hardware (except for the side serial connector), even down to the ready screen! What are the chances? I see you’re implementing a mini-TLS layer on top - nice touch, going for “military-grade encryption.” Are you planning to integrate this with KeePassium? I’m asking because I just ordered another ten dongles, and I know a few people with iPhones who could really make good use of this.

Also, I'm trying to get the KeePassDX (Android) team to merge my integration. I've added a selector at the top of the settings screen to choose the output device, so others could easily add options like InputStick. If I can wrap my head around the ClickStick protocol (I'll probably need a few more details on the protocol once it’s ready), I could try adding it in as well, if you'd like. Here’s the quick/hack UI integration I made for KeePassDX (never mind the UI/labels etc.; for me it was just a quick hack to enable something I wanted, and the KeePassDX team can brush that up if they are happy to go ahead with it):

Image

Image

larrylart avatar Oct 05 '25 09:10 larrylart

> You're actually using the same hardware (except for the side serial connector), even down to the ready screen! What are the chances?

This is just an older revision. Newer ones have a bit larger cases (which really helps to keep the PCB/LCD sandwich inside) and a Qwiic port. Not really relevant for this use case, but not intrusive either.

> Are you planning to integrate this with KeePassium?

I mean, a password management app spinning off a BLE USB dongle for entering passwords… Integrating ClickStick with KeePassium (and other password managers) is the very point. But it will take some time.

keepassium avatar Oct 07 '25 10:10 keepassium

Yeah, I noticed on my dongle case that when pressing the back button you put some pressure on the LCD screen... I really wish there was a sturdy metal case for it.

Also, I’ve been thinking more about the security side, and you’re absolutely right, unlike regular keyboards that are hard-locked to their dongles, here the weak point is the user's device. So, as much as I didn’t want to go down that road, I’ll have to implement a micro-TLS layer on top. I’ll try to put together a simple bare-bones version this weekend if I get the time.

larrylart avatar Oct 07 '25 19:10 larrylart

A quick update on the project, in case anyone is interested. I released a new version of the dongle software with some security updates:

  • Added an encrypted binary “micro-TLS” layer. Now all communication (send string, layout change, info requests, etc.) goes through an encrypted binary channel.

  • Replaced the old ASCII protocol with a cleaner binary command protocol. Everything is now structured, framed, and handled under the encrypted session.

  • New first-run Wi-Fi setup portal to configure the BLE name and keyboard layout, and to set up a provisioning password, through a tiny web UI. This is a one-off: the Wi-Fi/web server is disabled once setup is done.

larrylart avatar Nov 29 '25 18:11 larrylart

@larrylart , I appreciate the update, but let's keep this feature request on topic and publish changelogs in their respective repos. Those interested can surely subscribe for updates at the source.

keepassium avatar Nov 29 '25 19:11 keepassium