Password managers are all the rage nowadays. The general advice seems to be something along the lines of: “use a password manager, set a unique password for every site, and be less stressed about remembering a million things”. It’s safe to say that more and more people are being pushed to use password managers, and by all means, you absolutely should use one. Today’s post outlines a particularly useful feature of KeepassXC, Keeshare, that lets an offline database behave more like a cloud-based password manager.

Cloud-based password managers scare the absolute crap out of me. It’s a hot take, I know. Because of this, I like using an offline solution to manage my general password “complexness”. I also suggest you consider doing the same. Why? Well, I don’t know what Lastpass or 1Password are doing with my data. It’s going somewhere, sure, but where? How many times is it being copied? Is it actually encrypted? Agh! I probably sound paranoid, but it’s this general paranoia that pushes me to use offline password managers.

Some background

Keepass-based password managers are fantastic until you want to manage your password database from multiple different devices. The database is a single file, so once several devices add, update, and remove entries, plain file syncing almost immediately begins to break down: concurrent edits produce conflicting copies and one device’s changes silently overwrite another’s.

The makers of KeepassXC created, in my opinion, a rather elegant solution to keeping your Keepass database in-sync between multiple trusted computers. They call it Keeshare.

Keeshare can be used in a few different ways, but in today’s post, I’ll be describing the Synchronize setup. In this setup, all computers that utilize Keeshare are kept in sync with each other. If any computer makes a change, that change propagates to all other computers through a single shared container file that carries the shared entries.
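To make concrete why whole-file syncing breaks down and what a per-entry synchronize does instead, here is an added example that is not KeepassXC or Keeshare code: a simplified model in which entries match by UUID and the newer modification time wins per entry, with the losing version kept as history rather than dropped. The device names, entry fields and timestamps are constructed for illustration, and the real merge logic in KeepassXC is more involved than this.

```python
"""Toy model of two sync strategies for a shared password database.
Added example, not KeepassXC/Keeshare code. Assumptions: entries carry a
stable UUID and a last-modified timestamp set by the editing device, and
the newer timestamp wins per entry (the rule KeePass-style merges use)."""
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Entry:
    uuid: str                       # stable identifier; titles may be renamed
    title: str
    password: str
    modified: datetime              # stamped by whichever device edited it
    history: tuple = ()             # superseded versions, oldest first


def _snapshot(entry):
    """An entry without its history, used for comparisons and history records."""
    return replace(entry, history=())


def naive_file_sync(local, incoming):
    """What a plain file-sync tool does with one .kdbx: the file with the newer
    modification time replaces the other one wholesale."""
    newest = lambda db: max(e.modified for e in db.values())
    return incoming if newest(incoming) > newest(local) else local


def merge_entries(local, incoming):
    """Per-entry synchronize: newer `modified` wins for each UUID; the losing
    version is appended to the winner's history so nothing is lost silently.
    Caveat: timestamps come from device clocks, so a device with a skewed
    clock can win conflicts it should have lost."""
    merged = {}
    for uuid in sorted(set(local) | set(incoming)):
        a, b = local.get(uuid), incoming.get(uuid)
        if a is None or b is None:              # present on one side only
            merged[uuid] = a if b is None else b
            continue
        if _snapshot(a) == _snapshot(b):        # identical content: keep richer history
            merged[uuid] = a if len(a.history) >= len(b.history) else b
            continue
        winner, loser = (a, b) if a.modified >= b.modified else (b, a)
        record = _snapshot(loser)
        hist = winner.history if record in winner.history else winner.history + (record,)
        merged[uuid] = replace(winner, history=hist)
    return merged


def build_devices():
    """Constructed scenario: laptop rotates one password and adds an entry;
    desktop rotates the same password later without having seen laptop's edit."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    base = Entry("u1", "example.com", "old-pass", t0)
    laptop = {
        "u1": replace(base, password="laptop-pass", modified=t0 + timedelta(minutes=1)),
        "u2": Entry("u2", "bank", "bank-pass", t0 + timedelta(minutes=2)),
    }
    desktop = {
        "u1": replace(base, password="desktop-pass", modified=t0 + timedelta(minutes=5)),
    }
    return laptop, desktop


def demo():
    """Returns (naive result, merged result) for the constructed scenario."""
    laptop, desktop = build_devices()
    return naive_file_sync(laptop, desktop), merge_entries(laptop, desktop)


if __name__ == "__main__":
    naive, merged = demo()
    print("naive file sync kept entries:", sorted(naive))          # laptop's new entry is gone
    print("merge kept entries:", sorted(merged))
    print("merged example.com password:", merged["u1"].password,
          "history:", [h.password for h in merged["u1"].history])
```

In the naive case the desktop’s file is newer, so the laptop’s freshly added entry disappears; the per-entry merge keeps both devices’ work and records the overwritten password in history. Merging is order-independent and re-applying an already merged container does not grow history, which is what lets every device apply the same shared file repeatedly.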

Requirements

  • KeepassXC is installed and you have a Keepass database setup
  • A cloud or local syncing software is set up (e.g. Dropbox, Google Drive, OneDrive, Synology Drive, etc.)
    • I will be using Google Drive in this post
  • A second computer (or computers) with KeepassXC (with a new/empty database) and the same cloud/local syncing software installed and configured

Setting up Keeshare

Let’s get rolling. Identify the computer that already has the Keepass database with entries. We are starting with this computer.

  1. Open the KeepassXC settings, and find Keeshare on the bottom of the left scrolling section.

KeepassXC Settings

KeepassXC Keeshare Settings

  2. Click Generate and enter something describing your device in the Signer field.
  3. Check Allow import and Allow export.

  4. On your second (and third, and so on) device(s), follow these steps again.

And now you’re done! You’ve configured your devices to use Keeshare, allowing both import and export of entries. You have also created a signing certificate on each computer and given it a name (the Signer), which is how the other devices will identify it later.

Synchronizing Entries

Now, we need to set up which entries to synchronize between machines.

  1. Right click on the Root group

  2. Click Edit Group

KeepassXC Root Entry

  3. Find Keeshare on the left scrolling section and set Type to Synchronize – You can find more information about the different sharing types here

  4. Save the Keeshare sync file somewhere monitored by your file sync software (e.g. Google Drive, Dropbox, etc.). If using Google Drive Sync, this will be G:\... on Windows. Wherever you save this file, make sure your file sync software is monitoring it for changes.

  5. Pick a strong password to secure your Keeshare sync file. This password must be different from your Keepass database password and should be treated as just as sensitive: once the sync file sits in cloud storage, this password is all that stands between the shared entries and anyone who can read that storage.

KeepassXC Keeshare Settings for Root Group

  6. Follow these steps on all other devices. Use the same file name and password on every computer.

And you’ve successfully set up your KeepassXC to write Keeshare sync information to a file. That file is monitored by your preferred file sync software for changes, and the file sync software distributes the file to all computers as changes are made.
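The one step above that code can help with is choosing the sync file password. The following is an added example (not KeepassXC code) that generates a random passphrase with the standard library and works out how many words a given word list needs for a target entropy; the sixteen-word list is a constructed stand-in, and the 7776-word figure used in the usage note is the size of the EFF large word list, assumed here as the realistic choice.

```python
"""Passphrase generation for the Keeshare container file. Added example,
not KeepassXC code. The WORDS list is a constructed stand-in; in practice
a large published list (e.g. EFF's 7776-word list) is assumed."""
import math
import secrets

WORDS = ("anchor", "basil", "cobalt", "dune", "ember", "fjord", "glacier", "harbor",
         "iris", "juniper", "kelp", "lumen", "meadow", "nectar", "orbit", "pebble")


def bits_per_word(list_size):
    """Entropy contributed by one uniformly chosen word from a list of that size."""
    return math.log2(list_size)


def words_needed(min_bits, list_size):
    """Smallest word count whose passphrase reaches at least min_bits of entropy."""
    return math.ceil(min_bits / bits_per_word(list_size))


def generate_passphrase(min_bits=80, words=WORDS, sep="-"):
    """Random passphrase with at least min_bits of entropy, chosen with the
    CSPRNG-backed `secrets` module (never `random`)."""
    count = words_needed(min_bits, len(words))
    return sep.join(secrets.choice(words) for _ in range(count))


def acceptable_container_password(candidate, database_password):
    """The walkthrough's rule: the sync file password must not be the database
    password. Constant-time compare so the check itself leaks nothing by timing."""
    return not secrets.compare_digest(candidate.encode(), database_password.encode())


if __name__ == "__main__":
    db_pw = "my-database-master-password"   # constructed placeholder
    pw = generate_passphrase()
    print(pw, "ok" if acceptable_container_password(pw, db_pw) else "REUSED")
    print("words for 80 bits from a 7776-word list:", words_needed(80, 7776))
```

With the EFF large list (7776 words, about 12.9 bits per word) seven words reach 80 bits; with a list as small as the constructed one you would need twenty, which is why the list size matters as much as the word count.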

Forcing an initial sync

Hang on - we’re almost finished. We need to make a simple change on each connected device so that all of our devices are aware of each other’s existence. Simply put, we are creating a trust relationship between each connected device. We do this once for every new device.

The easiest way to force a sync is to make a minor tweak to any Keepass entry which will force Keeshare to write a sync file change. It can be as simple as writing a note in an entry or updating an outdated password. Any change will do.

  1. Make a change to any entry – something as simple as a note will work

  2. Wait for your file synchronization software to sync changes between devices

  3. A pop-up should appear on all other devices asking to Import from container with certificate

At this point, before accepting the import, validate the following pieces of information against the other device itself (read them from its Keeshare settings page), not just against what the prompt displays:

  1. The name matches the other device’s Signer
  2. The fingerprint displayed matches the other device’s Fingerprint from Setting Up Keeshare

KeepassXC Trust Relationship

  1. Select Always if you never want to be prompted for this device again. Only do so once the name and fingerprint have checked out.

  2. It’s advised to do this on every device, so that all the necessary trust relationships exist upfront instead of turning up as pop-ups in the future.

And now you’re done!

Wrapping Up

Here’s a quick summary of what was just accomplished.

All participating devices were configured to allow import and export using Keeshare. A signing certificate was created for each device and hopefully appropriately named. The root Keepass group (the top-most group) was set up with Keeshare to write its contents to a local sync file. Now, whenever a change happens in that group, the group’s current contents are written to the Keeshare sync file. That file is tracked by external syncing software and distributed to all other devices. Each device reads the Keeshare file, verifies the signer it came from, reconciles its changes with the local copy, and incorporates them into the local Keepass database.

Whew - Sounds complex, but luckily, Keeshare handles all of it relatively seamlessly.