Skip to content

KeePass - Password Safe

KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can store all your passwords in one database, which is locked with a master key. So you only have to remember one single master key to unlock the whole database. It can be shared, used on multiple devices while being secure.

It was first build on Windows and now supports also macOS and Linux operating systems through the use of Mono.

  • KeePass 2.x id the original Windows application.
  • KeePass/L a Linux fork not needing the Mono framework.
  • KeePassX (continue of KeePass/L) is a multi platform version using QT.
  • KeePassXC (community fork of KeePassX) is now the active alternative version to the original.

While KeePassXC runs natively on all operating systems that's what should be used on Linux.

All in all KeePass is a good selection to store your passwords in a encrypted file which can also be stored on the network. It is also integrated to the browser for easy password access. IOS and Android apps to use the same database are also available.

Installation of KeePassXC

You will find this as package and can directly install it in your packages.

$ sudo pacman -S keepassxc
$ sudo apt-get install keepassxc

See the following description for the setup and configuration.

FTP Access

As KeePassXC has no support for any protocol (only local file) you need to make the sync on your own. In Linux that should be no Problem as you can mount anything to the local filesystem. The easiest and often possible way to share your database is to use an FTP server. KeePass2 and the Android app can use it directly, while in KeePassXC under Linux you have to mount the remote FTP site first.

$ sudo pacman -S curlftpfs
$ sudo apt update
$ sudo apt-get install curlftpfs

Now to mount a ftp share automatically use through fstab ro the following:

  1. Create the local directory

    This is the directory there you later access the remote path.

    $ sudo mkdir /mnt/ftp-<share>
    
  2. Create credentials file

    For security reasons don't add the credentials within readable file, so better make a special credentials file under /root/.netrc with the following content:

    machine <ftp-host> login <ftp-user> password <ftp-password>
    

    You may also add multiple lines if needed. Now make sure the file has the correct rights:

    $ sudo chmod 600 /root/.netrc
    
  3. Add entry to /etc/fstab

    Check uid and gid of your non-root user which will use the share:

    $ id
    uid=1000(alex) gid=1000(alex) Gruppen=1000(alex),3(sys),90(network),98(power),991(lp),998(wheel)
    

    Now add the following line to /etc/fstab but use also use your uid and gid from above:

    curlftpfs#<ftp-host> /mnt/ftp-<share> fuse allow_other,uid=1000,gid=1000,umask=0022,noauto,x-systemd.automount 0 0
    

    The noauto tells it not to mount the drive at boot (to not block boot sequence if network not available). And the x-systemd.automount tells it to mount the drive on first access instead. By then your wireless will be up and you won't get the mount failure.

  4. Mount the directory:

    $ mount /mnt/ftp-<share>
    $ ls /mnt/ftp-<share>
    

Using KeepassXC

Beside the normal password management you may use the following features. Find out more in the getting started guide or the user guide.

Basic Use

The layout is very easy and intuitive:

KeePassXC

  • Groups on the left to organize your entries within a deep structure to access it hierarchically. Search and autotype defaults are used from the parent entry.
  • Entries contain all the information for each website or application you are storing in KeePass. This view shows all the entries in the selected group. In the context menu are multiple actions possible.
  • Preview panel on the bottom shows the selected group or entry.

Shortcuts

  • Ctrl+O - Open Database
  • Ctrl+S - Save Database
  • Ctrl+Shift+S - Save Database As
  • Ctrl+Shift+N - New Database
  • Ctrl+W or Ctrl+F4 - Close Database
  • Ctrl+L - Lock All Databases
  • Ctrl+Q - Quit
  • Ctrl+N - New Entry
  • Enter or Ctrl+E - Edit Entry
  • Del - Delete Entry
  • Ctrl+K - Clone Entry
  • Ctrl+B - Copy Username
  • Ctrl+C - Copy Password
  • Ctrl+U - Copy URL
  • Ctrl+Shift+U - Open URL
  • Ctrl+T - Copy TOTP
  • Ctrl+Shift+T - Show TOTP
  • Ctrl+Alt+S - Trigger AutoType (I changed this in config, default is Ctrl+Shift+V)
  • Ctrl+H - Add key to SSH Agent
  • Ctrl+Shift+H - Remove key from SSH Agent
  • Ctrl+M - Minimize Window
  • Ctrl+Shift+M - Hide Window
  • Ctrl+Tab or Ctrl+Page Down - Select Next Database Tab
  • Ctrl+Shift+Tab or Ctrl+Page Up - Select Previous Database Tab
  • Ctrl + <num>- Select the numbered database
  • Ctrl+Shift+C - Toggle Passwords Hidden
  • Ctrl+Shift+B - Toggle Usernames Hidden
  • F1 - Focus Groups (edit if focused)
  • F2 - Focus Entries (edit if focused)
  • F3 or Ctrl+F - Focus Search
  • Esc - Clear Search
  • Ctrl+/ - Show Keyboard Shortcuts

Searching

You can search for specific values using [<modifier>][<field>:]<term> .... If the term contains spaces it has to be put in double quotes.

Modifier to be put before a term:

  • - - Exclude this term from results
  • ! - Exclude this term from results
  • + - Match this term exactly (+user:alex)
  • * - Term is handled as a regular expression term

The following fields can be searched along with their abbreviated name in parenthesis:

  • Title (t)
  • Username (u)
  • Password (p, pw)
  • URL
  • Notes (n)
  • Attribute (attr)
  • Attachment (attach)
  • Group (g)

Wildcard characters within term:

  • * - Match anything
  • ? - Match one character
  • | - Logical OR (title:one|two)

Browser integration

Open the settings dialog. There you can enable Browser integration and also call the plugins for each Browser.

  1. Install the browser plugin.
  2. In Tools > Settings > Browser Integration activate: "Enable browser integration"
  3. Select the browsers for which you have installed the KeePassXC-Browser extension and click OK.
  4. Open your Browser.
  5. Click the KeePassXC-Browser extension icon > Connect and give it a name.

You can dive deeper into configuration and change a lot of things: Click the KeePassXC-Browser extension icon > Settings Maybe you want to:

  • set shortcuts
  • directly enter single matches for login
  • automatic HTTP Basic Auth
  • select group for new entries
  • auto reconnect to KeePassXC

I use the following shortcuts:

  • Alt+Shift+S - insert username and password
  • Alt+Shift+C - only insert password
  • Alt+Shift+O - TOTP insert
  • Alt+Shift+G - show password generator

For better support you can set additional URLs for each database entry in the Browser Integration tab.

Auto Type

That is a complete separate feature from the browser integration it works universally inserting data in the current active application. The application's title is used to match the entry here. You can define for which title pattern (use * as wildcard) to work and can give individual sequences. The sequence is a text with concatenated action elements and text (default is {USERNAME}{TAB}{PASSWORD}{ENTER}).

  • {TAB}, {ENTER}, {SPACE}, {INSERT}, {DELETE}, {HOME}, {END}, {PGUP}, {PGDN}, {BACKSPACE}, {CAPSLOCK}, {ESC} - Press the corresponding keyboard key
  • {UP}, {DOWN}, {LEFT}, {RIGHT} - Press the corresponding arrow key
  • {F1}, {F2}, …​, {F16} - Press F1, F2, ... function keys
  • {LEFTBRACE}, {RIGHTBRACE} - Press { or }, respectively
  • {DELAY=<ms>} - Set key press delay to ms milliseconds
  • {DELAY <ms>} - Delay typing for ms milliseconds
  • {CLEARFIELD} - Clear the input field before typing
  • {TOTP} - Insert calculated TOTP value (if configured)
  • {<ACTION> <num>} - Repeat <ACTION> num times (e.g., {SPACE 5} inserts five spaces)

To insert fields use:

  • {TITLE} - Entry Title
  • {USERNAME} - Username
  • {PASSWORD} - Password
  • {URL} - URL
  • {NOTES} - Notes
  • {TOTP} - Current TOTP value (if configured)
  • {DT_SIMPLE} - Current date-time
  • {DB_DIR} - Absolute directory path for database file
  • {S:<attribute>} - Value for the given attribute name
  • {REF:<field>@<search_in>:<search_text>} - Search for a field in another entry using the reference syntax.

Backup

Better not use a local database and make a backup in the cloud. Do it the other way round: Use the master on the cloud so that you can use multiple devices and make changes in all of them. For the safety make local backups using the menu or a shell script to do it regularly.

Multiple Databases

If you share passwords with other people it is often useful to have an extra database for each group. But while you need multiple of them you won't open each one individually. Therefore you can make one personal (master) database which contains the link and passwords to open all others automatically for you.

  1. Make a group called AutoOpen directly under Root.
  2. Create a new entry under AutoOpen and give it any title you wish.
  3. If your database has a key file, enter its absolute or relative path in the username field.
  4. If your database has a password, enter it in the password field.
  5. Enter the absolute or relative path to the database file in the url field like file:///home/alex/private.kdbx.
  6. To restrict auto open to particular devices, go to the advanced category and enter the following:
    1. Create a new attribute named IfDevice.
    2. Enter hostnames in a comma separated list to define computers that will open this database.
    3. Prepend an exclamation mark (!) to explicitly exclude a device and allow all other ones.

If you have multiple databases you also have to make multiple connections in the Browser Plugin, for each you want to use.

Further features

You may also have a look at: