{{Header}}
{{Title|
title=KeePassXC Password Manager
}}
{{#seo:
|description=KeePassXC Password Manager
|image=KeePassXC.svg
}}
[[File:KeePassXC.svg|KeePassXC Icon|thumb|250px]]
{{intro|
KeePassXC Password Manager
}}
= Introduction =
[https://keepassxc.org/ KeePassXC] is: [https://en.wikipedia.org/wiki/KeePassXC]
...a free and open-source password manager. It started as a community fork of [https://en.wikipedia.org/wiki/KeePassX KeePassX] (itself a cross-platform fork of [https://en.wikipedia.org/wiki/KeePass KeePass]). ... The [https://en.wikipedia.org/wiki/Electronic_Frontier_Foundation Electronic Frontier Foundation] mention KeePassXC as "an example of a password manager that is open-source and free." The tech collective PrivacyTools has included KeePassXC in their list of recommended password manager software because of its active development.
KeePassXC is recommended by the EFF in their [https://ssd.eff.org/en/ Surveillance Self-Defense] guide [It is also recommended by [https://www.privacytools.io/ PrivacyTools], see [https://www.privacytools.io/#password here].] and it is considered a feature-rich, modern and fully cross-platform password manager; refer to the [https://keepassxc.org/#project features list] and [https://keepassxc.org/docs/#faq-format FAQ] for more detail. The benefits of a password manager include: [https://ssd.eff.org/en/module/creating-strong-passwords]
* Strong and unique passwords can be created and stored by the one application.
* Responses to security questions can be safely stored. [It is recommended to provide fictional information to security questions in order to limit personal disclosures. Honest answers might be discoverable by adversaries who then utilize it to bypass your passwords completely.]
* All passwords can be protected by a single master password/passphrase.
* This methodology prevents the reuse of passwords across multiple services, which is a poor security practice.
* This provides better account protection, particularly when combined with [[Two-factor_authentication_2FA|Two-factor Authentication (2FA)]].
Note that KeePassXC does not automatically save changes when it is used, so this should be changed in the settings (otherwise unsaved password changes could be lost).
Reliable, open-source password managers are a useful tool but they also come with risks:
* Password managers create a single point of failure.
* Research suggests coding vulnerabilities are present in many password managers.
* Highly capable adversaries are likely to target password managers.
* Avoid storing passwords "in the cloud" (on remote servers) -- this is more convenient but introduces the risk of a cloud vulnerability leading to an exploit.
* Avoid crossing remote borders with electronic devices containing your password manager -- some jurisdictions can compel/demand password disclosure and the unlocking of devices. [The US border is a case in point, see: [https://www.eff.org/wp/digital-privacy-us-border-2017 Digital Privacy at the U.S. Border: Protecting the Data On Your Devices].]
Before using a password manager like KeePassXC, conduct a risk assessment of your personal circumstances. If you are likely to be targeted, then consider creating [[Passwords|strong passwords]] manually instead and storing them in a safe physical location. One suitable method is EFF's [https://www.eff.org/dice Dice-Generated Passphrases] via their [https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt long wordlist]. Note that passphrases should be at least [[Passwords#Diceware_Password_Strength|six words long]]; passphrases of 15 words or more will protect against future quantum computer advancements. [Quantum computers halve the number of iterations required to brute-force a key. This means doubling the length of symmetric keys to protect against future (hypothetical) quantum attacks.]
= KeePassXC Setup and Use =
== Installation ==
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = If keepassxc will replace Google Authenticator -- actually time-based, one-time password (TOTP), see: [[Two-factor_authentication_2FA|Two Factor Authentication (2FA)]] -- then a Debian-based VM is more suitable than a {{project_name_workstation_long}}-based VM. [This is because accurate time is a precondition for TOTP -- {{project_name_long}} randomizes this value due to [[Boot Clock Randomization]] and [[sdwdate]].]
}}
{{Box|text=
'''1.''' It is recommended to install keepassxc inside an offline (vault) VM.
* In [[Qubes]]:
** apt package installation can be completed in the Template.
** Download and verification can also be performed in a temporary TemplateBased AppVM, ideally [[Qubes/Disposables|Qubes Disposables]]. Next move keepassxc to an offline vault VM.
* In [[Qubes|{{non_q_project_name_short}}]]: install keepassxc first, then disconnect the Internet and never re-enable internet access. TODO document
'''2.''' Install keepassxc.
Note: The packages yubikey-personalization and yubikey-personalization-gui are YubiKey-related. If YubiKey is not in use, skip the installation of these packages and only install keepassxc.
{{Install_Package|package=
keepassxc yubikey-personalization yubikey-personalization-gui
}}
'''3.''' ''Optional:'' Install the browser plug-in for keepassxc.
It is possible to install the official KeePassXC browser plug-in for FireFox/Tor Browser, see [[#KeePassXC Browser Extension|KeePassXC Browser Extension]] for instructions.
}}
== Autostart KeePassXC ==
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = This is an optional configuration to autostart keepassxc.
}}
{{Box|text=
'''1.''' Create folder ~/.config/autostart/.
{{CodeSelect|code=
mkdir -p ~/.config/autostart/
}}
'''2.''' Create a keepassxc.desktop file.
{{Open File|filename=
~/.config/autostart/keepassxc.desktop
}}
'''3.''' Paste the following content.
{{CodeSelect|code=
[Desktop Entry]
Type=Application
Name=keepassxc
Exec=keepassxc
}}
'''4.''' Save the file.
The process is now complete.
}}
== KeePassXC Usage ==
{{Box|text=
'''1.''' It is recommended to use an offline (vault) VM.
'''2.''' Ensure the clock setting is correct.
{{project_name_workstation_short}} is unsuitable due to [[Boot Clock Randomization]] and [[sdwdate]] clock randomization. (Unless disabled and offline.)
'''3.''' Launch keepassxc.
{{CodeSelect|code=
keepassxc
}}
'''4.''' Create a new database.
'''5.''' The default file name Passwords.kdbx is acceptable.
If [[Full Disk Encryption]] is already configured, a very simple password can be utilized; this is a personal choice.
'''6.''' Left click on root.
'''7.''' Add a new entry.
* Navigate to the Menu → Entries → Add new entry → under Title: write any name name (such as test) → OK.
'''8.''' Add a time-based, one-time password (TOTP).
* Right-click on the new entry (such as test) → Time-based one-time password → set up TOTP → Default RFC 6238 token settings → paste 2FA code → OK.
'''9.''' Reveal a TOTP code.
* Right-click on the new entry (such as test) → Time-based one-time password → show TOTP.
}}
== Troubleshooting: Time Fix ==
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = These steps are for troubleshooting when TOTP codes do not match. [[Two-factor_authentication_2FA|2FA]] TOTP codes change every 30 seconds, therefore the clock needs to be reasonably accurate.
}}
These steps are useful for any Offline VMs or computers.
{{q_project_name_long}} users note: Best using a Standalone Qubes since otherwise it is difficult to perform these steps in an App Qube. [
Patches welcome.
]
Since {{project_name_short}} uses [[Sdwdate|Secure Distributed Web Date (sdwdate)]], there will be a delay in the TOTP 30-second period. For example, if sdwdate has enforced a 22 second delay, then a TOTP code copied and pasted into a website or service that requires it would not work until the timer reached eight seconds or below. (This result was tested in an offline {{project_name_short}} standaloneVM in Qubes OS.)
To avoid delays, disable sdwdate and bootclockrandomization by running this command:
{{CodeSelect|code=
sudo service sdwdate stop && sudo service bootclockrandomization stop
}}
{{CodeSelect|code=
sudo systemctl disable sdwdate && sudo systemctl disable bootclockrandomization
}}
{{Box|text=
'''1.''' Set the timezone to UTC for simplicity.
{{CodeSelect|code=
sudo cp /usr/share/zoneinfo/Etc/UTC /etc/localtime
}}
'''2.''' Confirm the correct time in UTC.
Navigate to [https://www.timeanddate.com/worldclock/timezone/utc timeanddate.com: UTC] or similar web resources to confirm the UTC time.
'''3.''' Fix the clock.
In the example below, change the date and time accordingly.
{{CodeSelect|code=
sudo date -s "12 SEPT 2021 01:15:25"
}}
'''4.''' Confirm the clock is now correct.
{{CodeSelect|code=
date
}}
}}
== KeePassXC Browser Extension ==
{{Community_Support|scope=chapter}}
It is possible to install the official KeePassXC browser plug-in for FireFox/Tor Browser. If utilized, this allows KeePassXC to store passwords and auto-type them into various websites and applications. This configuration is unrecommended because any software vulnerabilities might unintentionally expose sensitive passwords.
{{Box|text=
'''1.''' Install the KeePassXC browser add-on.
Navigate to [https://addons.mozilla.org/en-US/firefox/addon/keepassxc-browser/ KeePassXC-Browser] and install the add-on.
'''2.''' ''Optional:'' Install a more recent version of keepassxc.
See: [https://backports.debian.org/Instructions/ Debian Backports: Instructions].
'''3.''' Create the following symlink to have a functional proxy.
{{CodeSelect|code=
cd ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/.mozilla
}}
{{CodeSelect|code=
ln -s /home/user/.mozilla/native-messaging-hosts native-messaging-hosts
}}
'''4.''' Create the .mozilla folder if it does not exist.
For further troubleshooting, refer to [https://github.com/keepassxreboot/keepassxc-browser/wiki/Troubleshooting-guide keepassxc-browser: Troubleshooting guide].
}}
= Libsecret Integration =
libsecret is a GNU/Linux library used to access the GNOME or KDE keyring,
including passwords, SSH keys, GPG certificates and more. Given that
KeePassXC stores similar data (passwords), libsecret integration offers benefits, and keepassxc can handle secrets from various Linux applications such as gajim, and even MSEdge!
= Footnotes =
{{reflist|close=1}}
[[Category:Documentation]]
{{Footer}}