KeePass and Ubuntu 2020 Setup (with Chrome, Firefox)?
I spent about a day and a half working through all the various and mostly out of date KeePass option for Ubuntu (Kubuntu). I want to share what I've found and ask for other answers regarding the many approaches and defunct options.
First I wanted to collect the relevant question from this site, several of which are almost a decade old. These are ordered by most votes as that seems to be what Google uses and where I landed first was the top one.
- Where is KeePass2 plugins directory?
- How to integrate KeePass2 and Firefox using Kee in Ubuntu 16.04 - 18.04?
- How to integrate KeePass and Chrome/Chromium using ChromIPass?
- KeepassX vs KeepassXC
- What's the best way to handle passwords in Ubuntu (Application + Browser PlugIn)
Let me explain my path so far.. Starting in Windows, loved this simple yet powerful lightweight password manager. Never connected it to the web, but kept the DB file inside a Vercrypt container. I was using LastPass because of its good entry field recognition for saving new PWs and the mobile use for $12/yr. Then they doubled the price, and recently again, until its $40/year now.
I have been using KeePasXC on Kubuntu 18.04, because after searching around I thought I might want the browser integration, and it seems to work okay, but I kept searching for the synchronize databases or remove duplicates functions. Its just that XC doesnt have these standard KP features. I dont know why because I believe the KP source code is freely available. Anyway, recently I finally ditched LP and moved to KeePass2Android, which works remarkably well. It syncs to all kinds of cloud services, so I put all the non-important accounts I had in LP into a KP DB and onto Google Drive. (btw, to convert LP to KP, use this field sequence 6,5,2,3,1,4,7).
Now Ive been needing to setup a desktop browser integration using the same db file on Google drive. So searched through all the various forms of KP, KPx, KPxc, KPrpc, Kee, KeeVault and a number of others. Tusk seemed to have the most reviews on the Chrome Store and it does connect with a shared GDrive file. However, it doesnt ask to save any passwords. Plus I really needed a editor that would sync, to delete a few entries I dont want in the cloud anymore. So, I found a plugin for GDrive, but KPxc doesnt use plugins. Too bad because KPxc does have ask to save. The response suggested I use the gdrive-org client, however it appears to no longer connect with error "Sign in with Google temporarily disabled for this app..This app has not been verified yet by Google in order to use Google Sign In." from Google. Other sync clients I tried like grive, have the same error.
So I went back to trying to get the plugins to work again with the error "The plugin cannot be loaded a newer .NET framework is required". Trying mono-complete, wine64 (which has wine32), winetricks with dotnet 4.5, msitools for wine. I tried installing the gsync plugin, tried adding the log4net.dll, read other exhausting and possible fixes, tracked down the error, tried all those fixes. In one of those I found a solution to use Dolphin's network connection to sync the db file, but it had some caveats that are not so smooth. I still couldnt get KP on wine or mono to connect to a cloud.
Reading the official KP documentation, it seems the remote file URl was built mainly for Dropbox. And because the GDrive sync client werent working I pursued DBox. Still couldnt get KP to connect, and even Tusk was failing to connect to it. So back to KPxc, but it turns out because Im using portable Chrome installations in Veracrypt volumes which close automatically on powercut, it wasnt finding the 'proxy' to connect the browser). I very nearly gave up and paid for KeeVault, which is at a noble price point, but read some reviews first and they reminded me how much I dislike trusting a 3rd party for data storage. Granted Gdrive isnt much better, but I will fight using Dbox tooth an nail because their breach exposes several of my email addresses which have led to phishing attacks. At least GDrive is erring on the side of caution per their error message.
Finally, Ive resolved to manually syncing the db file after editing and all I want is a browser integration that asks to save. It turns out that Kee without using KeeVault but using KPrpc which finally has a plugin that works with mono-complete, and has ask-to-save.
So if I've missed any options that fulfil the requirements I've stated, or that does allow syncing to a remote db file automatically on change, please let me know. I see regular KP does have 'triggers' which would start such an action, but if there are no GDrive clients which currently connect, Im at a loss. I did find rclone, which has many cloud config options, and I believe may connect to GDrive, but would need to write a script to integrate them. After all KeePass2Android can connect to GDrive, and it even has an option to only authenticate a connection to a single folder in DBox instead of the whole drive.
Apparently, the following from the other question/answers above are currently unmaintained: Tusk, ChromeIPass, PasslFox.. KeePassHttp may still work, its still in the Chrome Store.
KeePass with KeePassRPC plugin installation is best summed up here: https://askubuntu.com/a/291309/795299 probably derived from here.
sudo apt-add-repository ppa:jtaylor/keepass
sudo apt-get update
sudo apt-get install keepass2 mono-complete
sudo mkdir /usr/lib/keepass2/plugins
sudo apt install curl
sudo apt install jq
curl -s https://api.github.com/repos/kee-org/keepassrpc/releases/latest | jq -r ".assets[] | select(.name | test(\"KeePassRPC.plgx\")) | .browser_download_url" | xargs sudo curl -s -L -o "/usr/lib/keepass2/plugins/KeePassRPC.plgx"
A couple final notes:
- KeeVault trial will interfere with KPrpc temporarily.
- KPrpc asks for a code from a window that should pop up, it took a few tries for me.
- Also, see discussions about increasing the number of iterations from default of 6,000 if you have a short password.
- And a good short summary of using KPrpc: https://www.ghacks.net/2020/01/08/kee-is-a-firefox-and-chrome-extension-that-can-auto-fill-passwords-from-keepass/
So far I like @cmak.fr's suggestion of ButterCup.pw. I will likely post a review of it here.
There is a pretty good current discussion of BC here, although it seems it now does auto-logout after x minutes and ask to save new:
https://www.ghacks.net/2019/07/30/buttercup-open-source-password-manager-windows-macos-linux-firefox-chrome/ Actually, upon install in the desktop app sudo dpkg -i buttercup-desktop_1.19.0_amd64.deb
and a couple of glitches, it doesnt find my kdbx file to convert, so maybe I have to put the file in a special dir? There is no file manager to open files. A bit unpolished.
Also, interesting, from the related Chrome extensions of BC.pw is LessPass, which uses a master pw, the site, your login and a length to create a recreateable password. This might be a good option for less important accounts. Although, a targeted attacker might have the site and login from a compromised email. That still leaves the master and length (which would likely be reused) to have to hack. If a login were used perhaps using unique substitution rules for the website address, that might be enough to make it very difficult to hack. That said, it does have the advantage of them being not all stored together.. interesting idea. I suppose the master and length could also be varied by say category of service.
LessPass How Does It Work? - LessPass
Then again, there's nothing like the piece of mind from a very long and random string from a password manager.
EDIT1: Yeah, the more I use the original KP, the more I remember that I was missing basic features like 'Find Duplicates' that can give you a preview before Removing Duplicates sorted based on identical passwords and then alphabetically. Thats useful for syncing (or merging) files from different sources (Google), that might not look like the same entry. Although it looks like any collisions would be stored in history, and they are compared by a 'combination of user name / password' (https://keepass.info/help/v2/sync.html). I also miss having the automatic LastPass (and many more) file import vs manually setting the fields. Auto-type would be nice, and should work on linux, but not for me. https://thelinuxexperiment.com/set-up-keepass-auto-type-on-linux/
EDIT2: Glad to see it helped at least one person. I did get Autotype to work on Linux with both KPXC and KP2 running on Wine (not using a keyboard shortcut setup from the link above). Both still minimize the apps into the background, unlike the original KP on Windows (which I've suggested KPXC change because the Autolock on Minimize feature conflicts with it). KP2 with Wine, the fonts arent great but it works, and autofill works with the Kee Extension for Chrome. And I just make sure I sync any changes to the cloud with KP2 or KP2Android before making more changes to the non-current db file. I just wish I could preview those changes for any potential collisions.