
Hashicorp Vault Integration

Open rtfmoz2 opened this issue 2 years ago • 6 comments

Summary

Use hashicorp vault to store and retrieve secret values for shared databases

New personal database -> user supplied password or vault (choice)
Open personal database -> user supplied password or vault
New group database -> store password in vault
Open cached copy of group database -> retrieve key from vault or remember it for X hours (admin options)
New company database -> store password in vault
Open cached copy of company database -> retrieve key from vault or remember it for X hours (admin options)

Lookup password,

  1. Search personal database
  2. Search group database
  3. Search company database

The reality is 3 is just another version of 2. They are both shared password storage by way of a vault password. The more interesting part becomes how do you manage an encrypted password file being accessed and updated by multiple parties.....

Context

Most companies are looking for password storage solutions and not necessarily in the cloud. They like to keep them close to home if you get me. So storing an encrypted password file on a server would make sense to them. I mean you could go nuts and have a group password manager for servers which handles requests from keepassxc but that's an entirely different ballgame.

The other issue is for enterprise deployment there has to be support for administrative control to enable/disable features and setup vaults automatically at deployment time with user prompting for personal database password on first run.

rtfmoz2 avatar Apr 14 '22 20:04 rtfmoz2

I can't see this ever happening. That is too much of a dependency and liability on us to maintain.

droidmonkey avatar Apr 14 '22 22:04 droidmonkey

What is the format for the dump of hashicorp vault secrets? Maybe we could make sure we can import from/to that format at least?

louib avatar Apr 17 '22 16:04 louib

I've been toying with this idea, too. It is understandable that you don't want the liability to maintain such a feature, though. Would it be possible to implement this as a plugin?

For my use case, the possibility to load a password from the vault via reference (e.g. {REF:P@VAULT:path} similar to the existing possibility to reference other entries) would be enough.

Import/export is not relevant for me; the idea of the vault is to grant auditable and revocable access to passwords, therefore local copies are usually not allowed.

dreua avatar Apr 25 '22 14:04 dreua

To break it down to its purest requirement there really are only two questions,

  1. Can the product deal with more than one user accessing a vault at the same time? Irrespective of the file system layer. If not, can this easily be implemented as a separate feature request?

  2. Can we put vault references in as password fields and have it call a plug-in to supply/store the value, irrespective of the plug-in… potentially include a set of attributes that specify minimum requirements to store the password, e.g. encryption > x level, lifetime < x days. If the plug-in cannot meet them then it will gracefully handle the rejection.

On Tue, 26 Apr 2022 at 12:38 am, David Auer @.***> wrote:

I've been toying with this idea, too. It is understandable that you don't want the liability to maintain such a feature, though. Would it be possible to implement this as a plugin?


rtfmoz2 avatar Apr 26 '22 02:04 rtfmoz2
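One way the two proposals above (a `{REF:P@VAULT:path}` field reference, and a plug-in that declares what it can guarantee and gracefully rejects a store it cannot satisfy) could fit together, written here as an added illustration rather than code from KeePassXC or from any vault plug-in. The in-memory backend, the `Requirements`/`Capabilities` names and the sample secret are all constructed for the example; only the reference syntax comes from the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Reference syntax proposed in the thread: the database keeps this placeholder,
# never the secret itself.
REF_RE = re.compile(r"\{REF:P@VAULT:([^}]+)\}")


@dataclass(frozen=True)
class Requirements:
    """Minimum requirements an entry attaches to a store request (hypothetical)."""
    min_key_bits: int = 0                     # "encryption > x level"
    max_lifetime_days: Optional[int] = None   # "lifetime < x days"; None = no limit


@dataclass(frozen=True)
class Capabilities:
    """What a backend plug-in says it can guarantee (hypothetical)."""
    key_bits: int
    max_lifetime_days: Optional[int]          # None = backend cannot expire secrets


class RejectedByBackend(Exception):
    """Raised instead of storing when the plug-in cannot meet the requirements."""


class MemoryBackend:
    """Constructed in-memory stand-in for a vault plug-in; not Hashicorp Vault."""

    def __init__(self, caps: Capabilities):
        self.caps = caps
        self._store: dict[str, str] = {}

    def store(self, path: str, value: str, req: Requirements) -> str:
        unmet = []
        if self.caps.key_bits < req.min_key_bits:
            unmet.append(f"key strength {self.caps.key_bits} < {req.min_key_bits} bits")
        if req.max_lifetime_days is not None and (
            self.caps.max_lifetime_days is None
            or self.caps.max_lifetime_days > req.max_lifetime_days
        ):
            unmet.append(f"cannot enforce lifetime <= {req.max_lifetime_days} days")
        if unmet:
            raise RejectedByBackend("; ".join(unmet))   # nothing is written on rejection
        self._store[path] = value
        return "{REF:P@VAULT:%s}" % path                  # what the database keeps

    def read(self, path: str) -> Optional[str]:
        return self._store.get(path)


def resolve(field_value: str, backend: MemoryBackend) -> str:
    """Expand every vault reference in a field. An unknown path raises KeyError so a
    half-resolved value is never handed to the caller."""
    def _sub(m: "re.Match[str]") -> str:
        value = backend.read(m.group(1))
        if value is None:
            raise KeyError(m.group(1))
        return value
    return REF_RE.sub(_sub, field_value)
```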

I do not know about Hashicorp's Vault, but Google Cloud Platform's Secret Manager is just a JSON storage. You put/get a JSON string. It does not care about the internal format. Indeed, I don't know if it even cares whether it is JSON or just a string; we use it as JSON. TL;DR: It may not be that easy for keepassxc to interpret the content of any external database.

dioni21 avatar Jul 28 '22 14:07 dioni21

Just FYI, there is/was https://github.com/keepassxreboot/keepassxc/issues/3073

adesso-os avatar Oct 13 '22 14:10 adesso-os

Sorry for coming late to the party. I've found an open source plugin for vault + keepass integration: https://github.com/Orange-OpenSource/keepass-vault-sync-plugin

According to the description, the plugin handles import and export, and also syncing (in real time?). So there exists a doable solution.

Unfortunately, the status of the plugin is archived now and I am not sure why :(

grapemix avatar Jan 05 '24 22:01 grapemix