I choose keepassXC stored locally
this post was submitted on 28 Sep 2023
73 points (98.7% liked)
Selfhosted
40246 readers
1066 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 1 year ago
MODERATORS
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| DNS | Domain Name Service/System |
| Git | Popular version control system, primarily for code |
| IP | Internet Protocol |
| NAS | Network-Attached Storage |
| SSH | Secure Shell for remote terminal access |
| VPN | Virtual Private Network |
| VPS | Virtual Private Server (opposed to shared hosting) |
7 acronyms in this thread; the most compressed thread commented on today has 4 acronyms.
[Thread #173 for this sub, first seen 28th Sep 2023, 18:45] [FAQ] [Full list] [Contact] [Source code]
I've been using option 1 for many many years. It lets me keep control of the encryption, and it's accessible just about anywhere.
Option 1, with manual copying to mobile. I tried syncthing in the past but had problems with corrupted files
Why not Keepass on a webdav server? Both Keepass on the computer and Keepass2Android can open the file directly. If you save it on one it will merge the changes in any other copies you have open.
I do 3 and have encrypted backups to Dropbox so I can easy restore/spin up a cloud server if I need to
Yep but use Microsoft.
Been using option 3 but with Bitwarden for almost 5 years at this point. First started out on a VM in a cloud provider. Now it's in a VM on unraid behind a local HAProxy or Cloudflare tunnel for remote access.
Bitwardens full docker stack provides great daily backups which I've had to restore on occasion or go back to one from months ago to dig out a password for my wife.
Been testing and hoping to move to the unified-container from them soon, assuming I can replicate encrypted backups like their solution.
I switched to proton pass after using bitwarden for a couple years
Option 1, except for the cloud bit. My KeePass file is stored in a restricted shared folder on my home file server, and auto-syncs to my phone on the rare occasion I update it from my desktop.
I like LessPass, essentially you choose one password and then it generates secure passwords for each website, since it uses a predefined generation algorithm it's completely offline and doesn't need syncing it's very secure. However it has the inconvenience of needing to remember the way you spelled the website, but if you stick to something like all lowercase it's fine.
Having gone through all of these options I have thoughts.
Option 1 sounds awesome but will almost always leave you in a situation where you can’t get your logins when you need them in an emergency. You’re always depending on a chain of things. Depending on your situation it may not be a big deal. But this option sucks, imho.
Option 3 sounds amazing because it gives you the control of option 1 with the ease of option 2. But… unless you’re the kind of person that enjoys hosting their own email server you really don’t want this option. Fun in theory but not so much when you realize you now have a 3rd job.
So that leaves option 2. It’s great but you’re depending on someone else. This is the option that most people should choose too, imo. However it lacks some of control and trust that option 1 and 3 have.
Sooooo, that leaves us with option 4, the onion option. Breaking up your data into layers and using different tools for them.
So first and foremost I want my password storage to always be available. For me that means Bitwarden, (though I’m evaluating protonpass currently.) this is the outer layer. Things that can and should be stored here are stored here. I use it to manage web logins and 2FA tokens for those sites. I also use it for storing autofill data eg credit cards. I don’t use it to hold things like my gpg keys.
Next layer is pass. This layer is mostly things that I need to have logins or other information on headless/remote servers. Think self hosted lab services like a mariadb/postgres or backups. This is easily kept in sync with git. This is the layer where I’ll store things like gpg keys and other VERY sensitive data that I need to sync around.
For other things on this layer I use ansible vault. This is mostly used for anything where I need automation and/or I don’t want too or can’t easily use my yubikey for gpg. This is kept in sync with git as well.
Lastly the inner layer I use AGE or PGP. This is for anything else I can’t use the above for. So my Bitwarden export/backups are in this level too. I also use this layer for things that I need to use to bootstrap a system. Think sensitive dotfiles. This can be kept in sync with git as well.
Git is the best sync solution imo because you can store it anywhere and use anything to sync that repo. Just throw that raw repo on Dropbox, use ssh with it on a vps, rsync it, etc. you’ll always have it somewhere and on something.
My work flow goes like this Bitwarden -> Apple/Google/Firefox -> Pass -> Ansible -> AGE/PGP
This allows for syncing things as needed and how needed. It also gives you the option of having an encrypted text file if/when everything fails.
Agree 100%. I self-host a lot of services but access to my passwords needs at least 3-nines uptime and the cost of providing that via Azure/AWS isn't really worth it to me.
That said, I trust Bitwarden way more than I ever trusted Lastpass and I still use option 1 for highly sensitive accounts along with redundant Yubikeys (FIDO2, PIV, and GPG in that order) for anything that supports it.
load more comments
(3 replies)
I like Enpass. $25 lifetime sub via Stack social. Does the trick. If they ever pull the rug out on lifetime folks, I would go to Bitwarden.
I ended up scoring a free lifetime membership years ago, but is their stuff open source? I never fully trusted it, so I didn't end up using it for anything
It's not open source, so that's an easy deal breaker for some. Considering the vaults are encrypted and Enpass itself stores nothing on their servers, I've been okay with it. The vaults just exist on my phone and wherever I've chosen to back it up (OneDrive, GDrive, Nextcloud, NAS, etc).
Enpass uses the open source library sqlcipher (which is an sqlite fork with encryption). So while Enpass as a whole is not fully open source, you can still exfiltrate your passwords with open source tools, should they ever vanish or radically change their business model. You can then use for example enpass-cli.
That gives me enough confidence to trust in Enpass, since they can't easily hold my data hostage.
I did option 1 for a number of years but now I'm doing option 3 off a proxmox container and some cloud scripted backup. So far so good.
We just started doing option 3 at work and just keep it behind the firewall. It is going well so far.
I'm currently using KeePassXC. The setup that I created below gives me 3-backups of my passwords, but it's a bit to manage.
Computer
On my computer, I have my keepassxc database and key file stored in a veracrypt container. Next to my computer, I have a piece of paper that has the password for my keepassxc database and the password for my veracrypt container.
computer -> veracrypt container -> keepassxc database AND keepassxc key file
paper -> keepassxc database pw AND veracrypt pw
KeePassXC Export File (text file that contains all of my login information)
I store this file inside of a veracrypt container, on my USB LUKS. Next to my USB LUKS, I have a piece of paper that has the associated veracrypt password.
usb luks -> veracrypt container -> keepassxc export file
paper -> veracrypt pw
Cloud
I store my database in cloud service a.
I store my key file in a veracrypt container, in cloud service b.
On a piece of paper, I have the login information to both of these cloud accounts and the password for the veracrypt container.
Apple keychain. Supposedly secure, extremely convenient, may be in the Cloud but not centralized - can’t lose everyone’s credentials at once.
The plug-in for Windows works pretty well too, although I wonder if that puts my confidential data at more risk
For highest security don't store in cloud or multiple places. Memorize them or keep a separate device that has no intermet access and keep them on that device encrypted/locked
load more comments
(4 replies)
Option 2, because once you start thinking about the ways your stuff could be stolen ("threat modelling") you'll see that realistically it's the easiest option.
I'd never store my passwords in the cloud.
I keep my passwords in Google. Unencrypted of course