Best way to use KeePass, KeePassX or KeePassXC

KeePass(X)© is a password manager based on a file database.
I would like to use Seafile to synchronise my KeePass(X)© database between my computers and smartphone.
I haven’t found many relevant threads, and the threads I’ve seen mentioned some problems (DB overwritten with old versions).
It would be nice if someone can confirm that it really works and with which kind of setup.

Thanks in advance,

Keepass 2 just works. Just sync the folder the database is in.

Keepass2 works well on Linux systems. You can use it directly with the WebDAV URL or with the keepass db file in your Seafile synchronized folder.

I changed to KeepassX recently because it does not depend on mono. It works very well, too. But I noticed that opening the Keepass file with KeepassX leads to creating a hidden temporary file, which Seafile then synchronizes and deletes after the database was closed. This was a bit annoying, so I made a seafile-ignore.txt to exclude the temporary file from syncing. You can look how to do that here: https://www.seafile.com/en/help/ignore/

Hello.
I’ve used Keepass for some years and switched recently to KeepassXC 2.2.0, because of their community effort and because it is running much smoother on my Linux machines than Keepass on Mono. On Android I’m using Keepass2Android, which is a very good app.

First things first: If you use Keepass (and derivatives) everything is saved in one single file! And that is the crux. Of course there is a database in it, but you don’t access just a database, you access and change one single file, its time stamp, …
Second: When you now look closer at file services like Seafile, Dropbox, etc. and the way they work, you will see that even if they support delta sync (Seafile does, when using the desktop clients) the smallest entity for the user to see and for apps like Keepass to use is the file. So, there is always just one version of your keepass database available at the same time.
Conclusion: If you sync your Keepass database (remember: just one single file) over different devices (maybe not always in sync because of not always online; simultaneous use; worst: more than one Keepass database user, …), you can/will very likely end up with different versions/file conflicts/overwrites and so for the worst case with password loss.
(Seafile has very good file versioning and okayish conflict handling (Dropbox and Co. are not better in this point), so you might restore every version of your DB file, BUT in this use case scenario you first have to realize that you maybe have created some mistakes at all.)
So, to summarize: If you are a very careful user, syncing a keepass database with services like Seafile over different devices can work, but is very, yeah let’s say, dangerous. (Can be with a simple document file and a syncing service, too :wink: .)

For me I choose the following solution:

  • The Keepass database is synced by the Seafile client over my different PCs. In my case, I have one “main working machine” and I try to always change my keepass database only here. (If I change it elsewhere I make a note and check the sync, but it’s better to note the change and catch up with it later on the main machine.)
    So after all: Only one device writes changes, the other devices are read only. Mostly you just need your passwords and don’t add/change a lot, so this is ok.
    (In addition: This way of use will become much safer, when Seafile gets “read-only-sync” in later versions.)

  • On mobile, I deploy my Keepass database manually by just simply downloading the file via the Seafile Android App or at home in my network over samba. So, on my mobile phone the database can be outdated, but I always have one version on my phone and always can get the newest database version as long as I have internet access. So this is ok, too. I use Keepass on my phone also as read-only.
    If you want a decent sync on mobile, there are two main solutions:
    .1. Because the Seafile mobile app has no sync feature, you can use one of the many mobile sync apps which support sync over Webdav and sync it over these apps and Seafile’s Webdav. (Remember: Webdav is not working with encrypted libraries.)
    .2. You can automate the sync at home in your network, via samba, ftp, … There are apps for this as well. As soon as your phone logs into your network, a new version of the database will be deployed if there is any.
    .3. You can directly access your database in the seafile cloud with Keepass2Android via Webdav and the app will provide you an offline version of the database as well in case you lose internet connection. (Thanks @epinez!)

I hope this will help you a bit! My clunky solution was the only way for me to have my passwords available on all my devices and not using services like lastpass. I would never give my passwords to an external. So I must live with this trade-off.

Let me know what your thoughts are.

Greets Nytrm

EDIT: @epinez mentioned that Keepass2Android will hold an offline version in case you access the keepass database via webdav.

3 Likes

That’s not true. Keepass2Android keeps a local copy of the database. If there is no internet access, Keepass2Android uses that automatically and even gives a hint about that.

Sorry didn’t read everything but at least keepass2 detects changes between the opened database and its saved version and syncs them internally.

Thanks, I did not know that. This is quite nice. (I edited my previous post, that there is no wrong information.)
I’m very interested. Do you know how Keepass2Android reacts, when

  • you have opened the database in Keepass2Android via webdav
  • then your phone goes offline and you change something in the database and save it (or does it prevent it with read-only)
  • in the meantime another client changes the database and the save is synced to the server
  • now your phone gets online again and you have two versions of your database
    What does Keepass2Android do?

Yeah, but that does not solve all risks of conflicts. And as long as the service (= Seafile) which handles the synchronization/merging of versions/consolidation of data (= Keepass database) can not handle the conflicts within the database on table level (see and compare to some todo apps with offline functionality and Lastpass), you can’t get these risks solved. And this is of course seafile sees the file and not the database semantic, because seafile is made for file synchronization, not for database synchronization. In Seafile overall the database is synced as a file, not as a database. Most risks are remaining, no matter what Keepass does. There is always the risk, that when some conditions are given, you get your …

Thanks for the very detailed answer !
I don’t understand what you said about the Seafile mobile app not having sync feature. Can’t you sync manually ?
I would just open the KeePass file on my Seafile mobile app and if I realize that I am missing an update, I will trigger the sync (as long as I have internet access).
Of course I won’t have an automatic sync, but at least I’ll have the encrypted libraries (and 2FA when it arrives on the community edition).

If you mean syncing manually in a way that you choose and setup folders or files in the seafile app and whenever you open the app/push a button your folder/file located on your mobile file gets updated or push something new to the server (= sync), that is not possible with the seafile mobile app. And you won’t get a notification in the app either if something has changed on server.

If you know, that you have an updated version on the server and your local file on your phone is outdated, you can browse in the app to the file/folder and download it again, so it is up to date. If you change the file on your phone and save it, you can upload the file to seafile server and overwrite the old file there. That is what I mean with “manually”.

I am with the iOS app, and when I pull down the screen, it is written “Pull to Refresh”. It’s only refreshing the files list and not updating the files which have already been downloaded then ?

Update : I just tried the iOS app, and pulling down the screen really triggers an update. Because it really recognizes the updated file (and deletes the previously downloaded file without downloading the new one)

To avoid that the database file might get into different versions I’m using a very different scenario:

I’m keeping one db in a seafile folder which gets synchronized between different PCs. However I’m using a different db when I open KeePass - and then let KeePass synchronize against the Seafile-DB. KeePass has a very good sync feature of its own. And when you open KeePass on another PC I first sync against the local Seafile DB. This allows to enter passwords on any PC and being sure it’s synced then to all devices as well.
In addition I’m using a keyfile on the different devices which are not stored in seafile, so whatever happens the file is always secure.
For smartphones I only download the db, never enter new data.
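An added example, not part of any post in this thread and not KeePass or Seafile code: a guard for the two-database setup described above that copies between the local working database and the Seafile-synced one only when exactly one side has changed, and otherwise reports that a merge with KeePass's own synchronize feature is needed. The function names, the `.baseline` side file and the file names are hypothetical, and the database contents are constructed stand-in bytes.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def baseline_path(work: Path) -> Path:
    # Hypothetical side file that remembers the last state both copies agreed on.
    return work.with_name(work.name + ".baseline")

def checkout(synced: Path, work: Path) -> None:
    """Refresh the working copy from the synced file and record its hash."""
    shutil.copy2(synced, work)
    baseline_path(work).write_text(digest(work))

def status(synced: Path, work: Path) -> str:
    """Compare both copies with the hash recorded at the last checkout/publish."""
    base = baseline_path(work).read_text().strip()
    local_changed = digest(work) != base
    remote_changed = digest(synced) != base
    if local_changed and remote_changed:
        return "merge-needed"  # both edited: copying either way loses entries
    if local_changed:
        return "publish"
    return "refresh" if remote_changed else "in-sync"

def reconcile(synced: Path, work: Path) -> str:
    """Copy only when exactly one side changed; never overwrite on conflict."""
    state = status(synced, work)
    if state == "publish":
        tmp = synced.with_name(synced.name + ".tmp")
        shutil.copy2(work, tmp)
        os.replace(tmp, synced)  # rename, so the database is never half-written
        baseline_path(work).write_text(digest(work))
    elif state == "refresh":
        checkout(synced, work)
    return state

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        synced, work = Path(d, "seafile.kdbx"), Path(d, "work.kdbx")
        synced.write_bytes(b"constructed-db-v1")        # stand-in bytes, not a real .kdbx
        checkout(synced, work)
        work.write_bytes(b"constructed-db-v2-laptop")   # local edit
        synced.write_bytes(b"constructed-db-v2-other")  # edit synced in from another PC
        print(reconcile(synced, work))                  # merge-needed
```

The hash comparison reacts to any save of the file, so it flags a conflict whenever both copies were written, whether or not the same entries were touched.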

I’m not quite sure, because I’m using the Android version, but I think only the file list (the view of files and folders on the server/time stamps, …) is updated, like a site refresh in the browser. At least, this is the behavior on Android.


@Wanni

Your solution sounds very interesting!
What exactly do you mean with:

Do you mean another KeepassDB or another Seafile library? If you don’t mind, could you explain your scenario in more detail, because I’m a little bit dense :grin: and don’t get it completely. Thanks

Interesting about the keyfile. But how to use a keyfile with iOS ? There is nowhere you can store the keyfile ?

Update : I used the app ‘Documents’ to get the keyfile from my NAS. Then when I send the keyfile from ‘Documents’ to ‘MiniKeePass’ and then I send the KeePassXC database from ‘Seafile’ to ‘MiniKeePass’ and it works ! Seems to be even better than 2FA !

1 Like

Oh I see what you mean. Now I understand. We can update the file list but not the files themselves (and usually the files are not downloaded unless we explicitly download them). And triggering an update (at least on iOS) even deletes the old file without automatically downloading the new file.

Correct

If you delete your already downloaded files, nothing will happen either. The seafile mobile app is, except the photo and contacts auto upload/back up function, just like the seafile web interface, with even less features.

A picture tells much easier the story :slight_smile:

2 Likes

@Wanni
Many thanks!!!

EDIT: I really like your setup. You solve the downsides of syncing a database file with a file service, because you split up the process of database merge/sync and the process of file sync.

On PC, I just use the ordinary seafile sync keeping the file in a separate folder. I generally don’t have a problem with multiple versions because I’m usually just editing it on the main computer and am online most the time with my laptop.

I have seaDAV turned on and use an app called FolderSync to keep it synchronized to my Android device. It can do two ways if the phone’s version changes due to an updated password. I use Keepass2Droid but only on the local file that’s synchronized by FolderSync. FolderSync is reasonably efficient about checking for changes, so I have my phone set to synchronize it often (most the time it just connects and verifies no changes).

For security, I have my firewall on the seafile server set to only accept access via a VPN tunnel (openvpn running on the server) and I have always-on VPN on the phone that connects to separate VPS nodes that redirect all traffic (and are then connected to the seafile server).

By the way, I use the same setup to backup various items from my phone out to the seafile server (e.g. photos, etc.), but on a daily frequency set only to do so over wifi while charging.

PS: Foldersync supports other file sync things too, so if you don’t want the VPN solution and aren’t comfortable with the level of security offered by webDAV, then that could also work given that Keepass files are small