keepassxc
keepassxc copied to clipboard
keepassxreboot
Remote database support [$276]
It would be great to have support for WebDav, SFTP, or other protocols to load and save a database. I have a webdav folder on xubuntu, but it doesn't show up on the Open File window.
IssueHunt Summary
Backers (Total: $276.00)
-
kfdcompiled ($20.00)
-
ppmathis ($68.00)
-
haizaar ($20.00)
-
altendky ($50.00)
-
mikescher ($6.00)
-
zeezeeeff ($20.00)
- $92.00 have been anonymously funded.
Become a backer now!
Or submit a pull request to get the deposits!
Tips
- Checkout the Issuehunt explorer to discover more funded issues.
- Need some help from other developers? Add your repositories on IssueHunt to raise funds.
Exctly what i am missing: something like the IOProtocolExt from keepass, this enables simple access to a securely stored keepass database.
I fully support the idea... just installed KepassXC for one reason only - to use it as an interface for my shared database on NAS, but unfortunately it's not supported yet.
It is not likely this will be supported in the near future. Every modern OS can mount a WebDAV folder to be made accessible to KeePassXC. Likewise, SMB and NFS folders can be mounted as well. There is really no practical reason to spend significant effort embedding this capability in KeePassXC itself.
@leethax666 I missed this original issue. It is likely you are using the snap version of KeePassXC which is sandboxed and does not let you see some folders. Try mounting your WebDav within your home directory and try again.
Yes every computer can mount webdav, but this requires that there is a permanent internet connection. People also want to use their database when there is no internet available. This is no problem when you use dropbox or nextcloud since they have sync clients which download your files, make them available offline and then taking care of changes.
However I couldnt find any good webdav client for linux. So what I do is the following:
- Mount webdav storage on boot
- use a cron task to save the database every 15 minutes to my home folder
The problem is that when you have no internet, keepassxc opens with an error (database not found or something like that) and I have to manually select my backup database. However, I have to remember to change again to the webdav database when I have Internet otherwise my changes would be overwritten by the cron task.
Thats why it would be convenient if I could just connect to webdav in keepassxc and keepassxc takes care of downloading my database (or use a cached one if there is no internet) and notifying me if there are any conflicts (database changed remotely) when i want to save my database.
I agree that it is a bit out of scope for a password manager to take care of syncing issues with webdav. But it would make using a password manager easier for a lot of people who simply put their database on the cloud storage from their mail provider.
Why not just use a cloud service provider, even syncthing or owncloud? You own all the technical challenges when you use webdav.
The problem with syncthing is that all my devices are located in my apartment if I am at home. If my apartment burns down, my database is lost. So the proper way to deal with this is rent a vps-server and set up a nextcloud. However it takes some effort and maintenance work to keep everything running and secure (and money :wink: ). I already manage all other things (cardDav, calDav) with my email provider (They use open-Xchange which is really cool, but sadly they dont offer a sync client), so it is just easier and cheaper for me to also let them handle my database.
I guess that is true for many people and thats why it is an often requested feature. So please dont close it with a "wont fix", so someday somebody can come up with a merge request.
Oh it'll remain open, I'm not entirely against this feature. I think it is best paired with plugin/scripting/trigger support though.
I'd like to point out another reason for having some form of remote access: Limiting the surface area for brainfart fuckups: Accidently overwriting or deleting a password DB file and the latest backup snapshot didn't yet catch the latest changes.
The other reason might be managing read/write permissions, e.g. for shared access. (Why would you want to share access to a password file you ask: Think organization wide logins to supplier web order systems or similar, where the vendor is incapable of providing sub-accounts for individual persons).
I sympathise with @marcbone, and also found WebDAV very fragile and dependent on connectivity. I experienced some data loss when using mounted WebDAV, which makes me understandably reluctant to entrust it with my password database.
At one point, I mounted my Nextcloud WebDAV share on my Linux box, then moved (admittedly a fairly large, 2GB) file to the share directory. The file disappeared from the source directory and never appeared at the destination, even though I have a fast connection. I no longer trust WebDAV to not lose my data, unless the application supports WebDAV access/mounting natively.
I've evaluated KeepassXC before, and the main reason I didn't switch from Keepass2 was lack of native WebDAV support. I would switch in a heartbeat if this was implemented. IIRC KeepassXC has much better and usable Firefox integration, and it would be worth switching for that reason alone.
Using WebDAV through an application does nothing to resolve reliability issues with the WebDAV protocol itself. If you are concerned with reliability, versioning, and other modern concerns.... don't use WebDAV!
It's easier to know when you failed a password DB upload with native DAV support, and you are able to retry the upload explicitly until you confirm you succeeded for sure. A mounted davfs will simulate a POSIX filesystem, which has different assumptions about the underlying layers of the system, and will tell you everything's fine when it's not.
You get no feedback about failures, delays, timeouts, hanged uploads, writes which are only present in the local /tmp cache and which haven't reached the cloud yet (and which may be lost if you happen to shut down the computer right now), and the like. You're basically relying on the davfs layer to recover from the errors and behave well, which is just not guaranteed.
Another benefit of supporting WebDAV is that it's quite ubiquitous, and it's easier to set up a DAV server compared to alternatives. It comes with NextCloud/OwnCloud which is one of the most popular self-hosted "cloud in a box" software packages.
NFS and SMB only work reliably on their respective native platforms, and they are both insecure to expose on the public Internet. FTP is quite mature, but less secure and it's actually older than both Unix and TCP/IP. S3 compatible servers like Minio and some others seem like the future, but you can't just put them on a cheap shared PHP host, and they need a special client.
Please don't get see what I'm saying as ranting. I've have searched a lot around the Internet to find a good way to expose my files over the Internet with read-write capability, and DAV and FTP are the only two that will work everywhere. It's frustrating, but that seems to be the current state of support.
It should not be too difficult to implement HTTP(S) GET/PUT with basic authentication. For saving the operations would be:
- GET
- Decrypt with the current database key
- Check for remote changes (diff from loaded)
- If changed: Confirm -> Merge
- PUT
When configuring a connection, cloud provider api configurations can be included (endpoint, auth type, request type) so with small modifications i.e. Amazon S3 can be used as well, without any plugins. Rest of the logic will be identical. Please consider adding this feature as for me as well lack of this feature is stopping me from using KeePassXC.
Keepass2Android has stfp support......
Great cos it works with my ssh keys.
Would be perfect to do likewise on the desktop.
I've just moved from dropbox and g-drive with sync, to direct webdav on a private cloud server (nextcloud). The clients on Android and Windows support DAV directly, and clearly can tell if the WEBDAV save has completed successfully or not.
I did this because I've had data-destroying problems with synchronizing software (mostly insync) , so direct DAV seemed the best solution for this. And is the reason why I don't really want to use a sync solution on Linux, nor do I feel happy trusting davfs really.
Anywyay, wanted to lend some weight to exactly why I think that native webdav support would be a good thing.
Just leaving another thought here on what would be an advantage of an integrated sync solution like WebDAV: security of the credentials. When KeePassXC manages the connection, I can unlock my local database, it sees the configured WebDAV, connects to it, pulls the database from there, merges, uploads and I can continue to work on the synchronized database. If another tool is required, I would have to permanently store my credentials there for a convenient workflow - so now either the OS or some other layer has Username/Password of my WebDAV share.
So for that reason alone I think the transport layer for the synchronization should reside within KeePassXC as well.
(Btw. I would also not mind having some dedicated sync protocol. That would make some aspects easier, but is all in all probably a lot more effort than "just" using WebDAV which has a ton of different possible backends.)
Just having a file on a locally mounted webdav connection doesn't address synchronization of data inside the database. In KeePass2 I just hit save and it syncs and merges etc up to the server. If I have to manually keep two files and 'merge from file' and so on... that's a lot of overhead vs. ctrl+s.
I understand it's a pile of added complexity so no judgement on it not being implemented presently but I think it does bring important value.
Yup. Local mounting via webdav/nfs/smb for users is just a no no when the database needs to be hosted centrally/cloud so they can easily access via mobile too. Needs to be a simple one click connect to database across desktop & mobile app. Sftp/Scp is simple to setup and use and works easily on mobile. It could be that easy on desktop. Anything more complicated for normal users is just a roadblock. Damn shame as this prevents us from using it. My guess is this will go the way of email+PGP. Just too damn difficult, driven round, and distrupted by chat.
The bounty will be satisfied if minimally WebDAV, NFS, and SMB are supported natively within KeePassXC. SSH/SFTP is a bonus, but certainly not a requirement since it requires a significant amount of additional dependencies.
Is that including a content-of-file synchronization feature to handle when data has been changed from two clients at once? Or, just that a file can be opened from the listed sources? For me, the content-of-file synchronization is a significantly interesting part to have.
Synchronization is another feature request. I am looking at working on that in the near future.
Remote database via an external sync application is complex to setup on the client side: I can setup all the stuff for my devices without problems, but it's very difficult to explain to a remote user (your customer, your friend, your brother) how to setup all this stuff on its PC and android phone.
And if possible, sync to gmail account should be the 1st choice, due to the fact that most users on earth have a gmail account. What I would like to see for KeePassXC is a local copy of DB (accessible when internet is not available) copied to google drive periodically when modified. All done with a very simple setup procedure for an end user.
Synchronization is indeed a key feature (ability of resolve conflicts per entry, that's the main difference to me vs. the approach of having an external client do the sync job and what blocks my migration to keepassxc). But before having sync we need this one to be implemented, so upvoting it =)!
I'll be happy to contribute another $20 to the bounty for this feature and another $30 for synchronization feature. @droidmonkey do you want to setup https://issuehunt.io/ account to manage it? I'm sure that even small amount of users donate a bit it will put some smile on developers face.
