Geuni / August 17, 2020 / English / 4 comments

1) What do we want to achieve?

I am an enthusiastic KeePass user and have long wondered how I could use my KeePass database from anywhere in a serious way, so that I really never have to remember a password again. My solution is my NAS at home combined with my own reverse proxy container.

So I want to store my KeePass file on my NAS at home (not in the cloud). Furthermore I want to enable data exchange between my NAS and the end devices over the Internet using TLS.

2) What do we need?

Ideally, you already have a ReverseProxy set up, as I described in my previous posts and you can now focus on KeePass and some configuration work.

Furthermore you need KeePass on your desktop and/or on your Android smartphone (I will describe these two platforms), where an app like KeePass2Android is installed.

Recently I also did this with an iPhone, but I won't describe that here, because it was buggy and the solution is not yet good enough for daily use. It does work with iPhones, though, that much I can say!

I always recommend protecting a KeePass file with both a password and a key file. The disadvantage is that only a device on which the key file is available can open the database; in other words, it takes the device that has your key file plus someone who knows your password to open your database.

This is something that everyone has to decide for themselves.

3) KeePass and a server

I have now created a share on my NAS specifically for KeePass and a user who can only access this one directory.

[Image: Qnap Control Panel, adding a new user used only for the KeePass database]


Now create the share folder and then authorize the user to access it and, in my case, deny access to everyone else.

[Image: Qnap Control Panel, adding a new file share for the KeePass database]

That should be all we need to do in the Qnap system itself. Next we turn to the Apache container.

4) Make Apache DAV-Ready

We have already built an Apache as a reverse proxy, so there is not much left to do. We first need a new VirtualHost in our Apache config file. My whole config looks like this:

Apache httpd
    #WEBDAV / KeePass
    <VirtualHost *:<Port>>
        # The name under which this vhost is addressed
        ServerName <prefix>.<domain>.<tld>
        # Enable the SSL engine (redundant if you do it globally)
        SSLEngine on
        # Define HSTS for TLS
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        # Define the protocol versions allowed for TLS
        SSLProtocol             all -TLSv1 -SSLv2 -SSLv3
        # Define the allowed ciphers and their order
        SSLCipherSuite          'kEECDH+ECDSA kEECDH kEDH HIGH +SHA !aNULL !eNULL !LOW !MEDIUM !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4'
        # Enforce our cipher order
        SSLHonorCipherOrder     on
        # No TLS compression
        SSLCompression          off
        # No session tickets
        SSLSessionTickets       off
        # Paths to the certificate, the key file and the chain
        SSLCertificateFile      /<path>/<to>/cert.pem
        SSLCertificateKeyFile   /<path>/<to>/privkey.pem
        SSLCertificateChainFile /<path>/<to>/chain.pem

        # Special headers you need so that KeePass and WebDAV work through the proxy
        RequestHeader append "X-Forwarded-Proto" "https"
        RequestHeader set    "X-Forwarded-Ssl" "on"
        # Rewrite the Destination header (used by WebDAV MOVE/COPY) from https to http,
        # so that the plain-HTTP backend accepts the target
        RequestHeader edit Destination ^https http early
        <Location "/">
            ProxyPass        http://<IP>:<Port>/ retry=0
            ProxyPassReverse http://<IP>:<Port>/
            # The WebDAV function through which we will load the KDBX
            DAV on
            Options +Indexes
        </Location>
    </VirtualHost>

With this config you ideally create a new sub-domain that accepts WebDAV over TLS.

If you have deactivated WebDAV on your NAS, you have to enable it and authorize your previously created user for it first!
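The settings in the vhost above are easy to lose when the config is edited later, so here is a small check for them. This is an added example, not code from the original post: it reads the flat "Directive args" lines of a vhost (comments and <Tags> are skipped, which is enough for the config shown but is not a full Apache parser) and reports which of the hardening points the post relies on are missing. The two vhosts inside it are constructed samples; keepass.example.test and 10.0.0.2:8080 are made-up placeholder values.

```python
"""Check an Apache vhost for the WebDAV/KeePass hardening settings from the post."""
import re

# Constructed sample: the post's vhost with made-up placeholder values filled in.
GOOD_VHOST = """
<VirtualHost *:443>
    ServerName keepass.example.test
    SSLEngine on
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    SSLProtocol all -TLSv1 -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
    RequestHeader append "X-Forwarded-Proto" "https"
    RequestHeader set "X-Forwarded-Ssl" "on"
    RequestHeader edit Destination ^https http early
    <Location "/">
        ProxyPass http://10.0.0.2:8080/ retry=0
        ProxyPassReverse http://10.0.0.2:8080/
        DAV on
        Options +Indexes
    </Location>
</VirtualHost>
"""

# Constructed weakened variant: TLS 1.0 still allowed, compression on, no HSTS,
# and the proxy headers that WebDAV needs are missing.
WEAK_VHOST = """
<VirtualHost *:443>
    ServerName keepass.example.test
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCompression on
    <Location "/">
        ProxyPass http://10.0.0.2:8080/ retry=0
        DAV on
    </Location>
</VirtualHost>
"""


def parse_directives(text):
    """Return (name, args) pairs, names lower-cased, for plain directive lines."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        directives.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return directives


def lint_vhost(text):
    """Return a list of findings; an empty list means every check passed."""
    directives = parse_directives(text)
    findings = []

    def values(name):
        return [args for n, args in directives if n == name]

    if not any(v.lower() == "on" for v in values("sslengine")):
        findings.append("SSLEngine is not on")

    protocols = values("sslprotocol")
    if not protocols:
        findings.append("SSLProtocol not set")
    else:
        tokens = protocols[-1].split()
        # "all" includes TLSv1 unless it is explicitly subtracted
        allows_tls10 = (("all" in tokens and "-TLSv1" not in tokens)
                        or "TLSv1" in tokens or "+TLSv1" in tokens)
        if allows_tls10:
            findings.append("SSLProtocol still allows TLSv1")

    if any(v.lower() == "on" for v in values("sslcompression")):
        findings.append("SSLCompression is on")

    if not any(v.lower() == "off" for v in values("sslsessiontickets")):
        findings.append("SSLSessionTickets not off")

    hsts = [v for v in values("header") if "strict-transport-security" in v.lower()]
    if not hsts or not re.search(r"max-age=\d+", hsts[-1], re.I):
        findings.append("HSTS header missing or without max-age")

    request_headers = values("requestheader")
    if not any(re.search(r'x-forwarded-proto"?\s+"?https', v, re.I) for v in request_headers):
        findings.append("X-Forwarded-Proto https not set")
    if not any(re.match(r"edit\s+Destination\s", v, re.I) for v in request_headers):
        findings.append("Destination header rewrite missing")

    if not any(v.lower() == "on" for v in values("dav")):
        findings.append("DAV not enabled")

    return findings


if __name__ == "__main__":
    for label, cfg in (("post vhost", GOOD_VHOST), ("weakened vhost", WEAK_VHOST)):
        print(label, "->", lint_vhost(cfg) or "all checks passed")
```

Run it against your real vhost by reading the file into `lint_vhost`; the checks are deliberately strict about the Destination rewrite and the X-Forwarded-Proto header, because without them WebDAV clients behind the proxy fail in ways that look like authentication problems.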

5) Set up KeePass file

Now, if you don't already have one, set up a KeePass file, your KDBX. This is very easy in the KeePass client: once you've started the application, click on "File -> New" in the top left corner and set it up as you wish.

I recommend a key file in addition to the password. If you use a key file, you will need to distribute it to all devices yourself.

A small excursus: you could also make the key file available on the internet via your server, securing access to it in some way. I think that makes little sense: you would then keep the key file and the database on the same system, and you would have to protect the key file download with a password, which weakens the security again. Furthermore, anything that is reachable on the internet can potentially be obtained by someone else. I would therefore not recommend it; manual distribution is better here.

PS: I'm working on solving this with certificates, but it will be a while before I find the time to build it.

6) Integration on the Desktop (Windows)

Integration on a Windows desktop is very simple: you only need to download the application. Once it is started, click "File -> Open With Url" at the top left and enter your URL, all the way down to the file. It could look like this:

https://prefix.domain.tld/Folder/File.kdbx

Here you also enter your WebDAV user credentials. Only after that do you enter the database password and the key file in the next dialog.

If you don't want to copy passwords out of the database by hand, connect your browser of choice to KeePass with a browser plugin.

I use Chrome and have the Chrome-iPass plugin for this. It creates a local connection to KeePass and can then fill all my data into forms.
How to use KeePass itself is not explained here in detail; you can find that out for yourself.

7) Integration of KeePass with Android

Since version 9, I think, Android has had a service that allows password safes to be integrated into the system. Anything older does not work as described here!

I use the app "KeePass2Android" together with the "KeyBoardSwap-Plugin" and the "AutoFill-Plugin" for the app. Install the app first. Copy your key file to your smartphone, select "HTTPS (WebDav)" when opening a file, and enter the exact path to the KDBX database as described above, plus your WebDAV login credentials. Only after that enter the password and the key file for the database.

If you want to, you can tie unlocking the database to your fingerprint, for example. I personally do this, because comfort is still important to me! But everyone can decide that for themselves.

To use the app comfortably we need the two plugins mentioned. One enables AutoFill and the other takes over the "copying" of the data into the browser, for example.

Go to the settings in the app and choose Plugins. This leads to a GitHub page; click on the desired plugin and you land on a release page that looks a bit like a forum post, with an "Assets" section folded up below it. Unfold it and you can download the APK, which you then install. The same applies to the other plugin.

Remember: you have to allow Android to install from "unknown sources". In this case you can do that.

Unfortunately the configuration is not finished yet. You have to go to Android's settings, search for "AutoFill service" and select the KeePass2Android AutoFill service.

If you have also installed the second plugin, the one for the keyboard, you need a USB cable: connect the smartphone to the PC, start the app on the phone and open a command prompt on the PC. There we need the so-called ADB shell, in which we execute the command shown in the app. This grants the app nothing more than the permission to switch keyboards on its own.

This means that when we enter a password in the browser, the KeePass2Android keyboard is activated. With it you can simply insert the data; the ready button confirms everything, the login is started and the previous keyboard is restored.

So if you want to use passwords in Chrome, tap the three dots (upper right corner of Chrome), go to Sharing, select KeePass2Android, and if the website's info matches an entry in the database, it is displayed and can be selected; alternatively you can search manually.

So now your KeePass file is embedded in the Android system and you can use it for apps and websites. It is sometimes a bit cumbersome, and other solutions are probably more user-friendly, but here we have the advantage that everything is open source, we always keep all the data in our own hands and nobody else gets it.

8) Backup

So now we have the data at home on the NAS. Depending on which RAID we have set up, we may have some form of redundancy. But we can simply delete the data by mistake, or a bug in one of the clients we use could corrupt the database; for that we need a backup!

There are many ways to do this; for most people, and I mean that seriously, a manual backup of the file every few months will most likely be sufficient. Best is to save the file in an encrypted ZIP on some other cloud storage, without your key file! Write down the password used for it and put the note somewhere you can find it again!

I have automated this a bit. For this I use QNAP's own backup solution and simply set up an encrypted backup to my Dropbox account. The disadvantage of this solution: QNAP has an interesting system for encryption. Instead of what I expected it to do, it stores complicated files that I don't understand and don't really want to deal with. This means that I need the QNAP backup client / software to restore a backup and can't do that on any system that can merely unpack ZIPs.

PS: I still do the manual version as well, but only about once a year.
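The two rules from this section, back up the database but never the key file, and make sure the copy you keep is actually restorable, can be enforced by a script. Here is one as an added example, not code from the original post or from QNAP's backup tool: it snapshots the .kdbx into a dated directory, refuses key files, records a SHA-256 manifest, verifies a snapshot against that manifest and prunes old snapshots. Encrypting the staged directory before uploading it (the post uses an encrypted ZIP) is left to your archiver. The file names, timestamps and the stand-in database in the demo are constructed; the KDBX signature bytes are the real first four bytes of a KeePass 2.x file.

```python
"""Stage, verify and rotate backups of a KeePass database without its key file."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

KEY_FILE_SUFFIXES = {".key", ".keyx"}        # KeePass key file extensions
KDBX_MAGIC = b"\x03\xd9\xa2\x9a"             # first 4 bytes of every KDBX file


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large databases are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stage_backup(kdbx_path, backup_root, keep=5, now=None):
    """Copy kdbx_path into backup_root/<UTC timestamp>/ and keep only the newest `keep`.

    Raises ValueError for anything that is not a plausible KDBX file, in
    particular for key files, which must never travel with the database.
    """
    kdbx_path, backup_root = Path(kdbx_path), Path(backup_root)
    suffix = kdbx_path.suffix.lower()
    if suffix in KEY_FILE_SUFFIXES:
        raise ValueError("refusing to back up a key file")
    if suffix != ".kdbx":
        raise ValueError("expected a .kdbx database")
    with open(kdbx_path, "rb") as f:
        if f.read(4) != KDBX_MAGIC:
            raise ValueError("file does not start with the KDBX signature")
    if keep < 1:
        raise ValueError("keep must be at least 1")

    stamp = (now or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    target = backup_root / stamp
    target.mkdir(parents=True, exist_ok=False)   # never overwrite a snapshot
    copied = target / kdbx_path.name
    shutil.copy2(kdbx_path, copied)
    manifest = {"created": stamp, "files": {kdbx_path.name: sha256_of(copied)}}
    (target / "manifest.json").write_text(json.dumps(manifest, indent=2))

    # Timestamped names sort chronologically, so the oldest snapshots come first.
    snapshots = sorted(p for p in backup_root.iterdir() if p.is_dir())
    for old in snapshots[:-keep]:
        shutil.rmtree(old)
    return target


def verify_backup(backup_dir):
    """True if every manifest file is present and unmodified and no key file sits in the set."""
    backup_dir = Path(backup_dir)
    if any(p.suffix.lower() in KEY_FILE_SUFFIXES for p in backup_dir.iterdir()):
        return False
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    return all(
        (backup_dir / name).is_file() and sha256_of(backup_dir / name) == digest
        for name, digest in manifest["files"].items()
    )


def run_demo():
    """Exercise the functions on a constructed database in a temp dir; return the results."""
    tmp = Path(tempfile.mkdtemp())
    db = tmp / "Passwords.kdbx"
    # Constructed stand-in: KDBX signature plus padding, not a real database.
    db.write_bytes(KDBX_MAGIC + b"\x67\xfb\x4b\xb5" + b"\x00" * 64)
    root = tmp / "backups"
    snaps = [stage_backup(db, root, keep=2,
                          now=datetime(2020, 8, 17, hour, tzinfo=timezone.utc))
             for hour in (1, 2, 3)]
    results = {"kept": sorted(p.name for p in root.iterdir()),
               "latest_ok": verify_backup(snaps[-1])}
    (snaps[-1] / "Passwords.kdbx").write_bytes(b"corrupted")   # simulate bit rot
    results["tamper_detected"] = not verify_backup(snaps[-1])
    key = tmp / "Passwords.keyx"
    key.write_bytes(b"not really a key")
    try:
        stage_backup(key, root)
        results["key_file_rejected"] = False
    except ValueError:
        results["key_file_rejected"] = True
    shutil.rmtree(tmp)
    return results


if __name__ == "__main__":
    print(run_demo())
```

In real use, point `stage_backup` at the database on the NAS share and hand the returned snapshot directory to your archiver; running `verify_backup` on the restored copy before you need it is the part most people skip.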

9) Conclusion

We have managed to make our KeePass file available to ourselves over the Internet in a secure way.

We have installed clients on a Windows desktop PC and on Android, and integrated them via plugins into the most important ecosystems, so we have comfort while keeping the data safely at home.

I have been using this design for years now and it works very stably. The clients synchronize the database live; I have never had a problem with the setup so far, and if I ever do, I have a backup!

10) Outlook

Phew, we’ve done a bit of work already. Contacts are under control. Calendar is under control. Passwords are also under control.

Next let's look at the home network and see what's going on there. We're going to build a Pi-hole as a Docker container and filter content on our network.

Let me say this in advance: no, we won't filter everything with it, only what is resolved via DNS, and only if the end device lets us configure its DNS instead of talking to direct IP addresses.

Let’s see how long that will take until I finish this article.


4 Comments

  1. Hello,

    I have set up KeePass with the Kee Vault extension in Chrome and keepasstodroid + autofill plugin.
    I store the password file on my QNAP WebDAV, accessing it both from my laptop and Android.

    My only fear is: how much can we trust those programs and extensions?
    What would prevent the author of these programs from stealing the passwords and sending them to a remote place?

    Is the only way to read all the source code and compile my own version of it?

    1. Hi, I'm sorry to say that you are right. If your fear runs that deep, you would have to check all the code yourself, or at least rely on public audits of the code or program you use.

      1. Thanks for your reply. By the way, this article is super, I forgot to say it in my previous post!
        As you said, I tend to trust it, especially the KeePass main program, as it is used worldwide by millions of people.
        And I don't want to offend the authors of the browser or Android extensions, but I don't know them; that's why I am always cautious about the way I store such sensitive information. Are you aware of any public audit of these extensions, or do you simply trust them?

        1. Hi, thank you very much, I'm glad you like the article. I am not aware of any audits of those extensions. In that case I simply trust the extension list on the KeePass website. So it's like an inherited trust, even though I don't know how plugins get onto that list.
