KeePassXC database replication with Syncthing and KeeShare


KeePassXC supports KeeShare databases, which work like a changelog file: every change you make to your database is logged there and can be merged by a KeePassXC instance running on another computer. You only need to keep this one file in sync between computers.

Currently the main limitation is that KeeShare doesn’t understand group structures (KeePassXC folders). To work around this we will share only a special “Syncthing” group between machines: every time you want to send an entry to another machine you clone it into the “Syncthing” group, then organize it manually on the other machine.

Syncthing is peer-to-peer file synchronization software with end-to-end encryption. It’s great!

Don’t worry if you got a bit lost, it will all make sense.

The entire process takes 3 steps (plus one optional step):

  1. Configure Syncthing to share a folder between computers;
  2. (Optional) create a new KeePassXC database;
  3. Create a KeeShare file for the KeePassXC database;
  4. Copy the database file to all computers and keep the KeeShare file in sync.

1. Configure Syncthing to share a folder between computers

Syncthing is probably available from your distro’s repositories, but there are also several download options. Whichever you choose, there will most likely be a daemon so that it is always running. Install it on every machine involved.

Once running, it serves a web interface on either localhost:8080 or localhost:8384. The default shared folder is ~/Sync; everything you copy into this folder is replicated to every machine sharing it. Now we need to do two things:

  1. Connect both devices;
  2. Configure versioning (important because, in the case of a race condition, Syncthing doesn’t know how to handle merge conflicts in KeeShare databases).

To connect two devices you need to exchange their IDs (a public-key fingerprint that serves as the device’s address in a DHT):

Copy machine A’s ID

Top right corner.

Add machine A’s ID to machine B

Enable versioning on both machines

2. Create a KeeShare file for the KeePassXC database

Configure KeePassXC to allow KeeShare imports and/or exports

Create the KeeShare file for the Syncthing group

Password for the KeeShare file

This password should be as strong as your database password: anyone who cracks the KeeShare file will see every entry you’ve been sending around. Since the password is stored inside the database, it travels with the database file when we copy it in step 3, so feel free to generate a long, random password that you never need to remember.

~/Sync is Syncthing’s default shared folder; example_db_changelog.kdbx is the KeeShare file we need to keep in sync.

3. Copy the database file to all computers

You can copy the database however you want (a pen drive, scp, or even Syncthing), but this is a one-time copy. Do not leave the database file in Syncthing’s shared folder! You don’t need to keep it in sync with Syncthing; that’s what the KeeShare file is for.

Note that when we copy the database to another machine, it will still expect to find the KeeShare file at ~/Sync/example_db_changelog.kdbx, so make sure it is there or change the path in the settings.
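One way to verify the layout this step and step 1 rely on, as an added example that is not part of the original post and not KeePassXC’s or Syncthing’s own code: a small POSIX shell function that confirms the KeeShare file is in the Syncthing folder, that no other .kdbx file (i.e. the main database) has been left there, that Syncthing’s .stfolder marker is present, and that the folder is not readable by other local users. The folder path and KeeShare filename are the ones used in this post; the .stfolder marker is Syncthing’s documented folder marker. The sample directory in the usage guard is whatever you pass on the command line.

```shell
#!/bin/sh
# Hygiene check for the Syncthing folder that carries the KeeShare file.
# Added example, not part of the original post. Assumes the layout the post
# describes: one KeeShare changelog (.kdbx) in ~/Sync, the main database kept
# elsewhere, and Syncthing's ".stfolder" marker in every shared folder.

# check_sync_folder DIR KEESHARE_NAME
# Prints each finding and returns 0 only when everything looks right.
check_sync_folder() {
    dir=${1%/}          # strip a trailing slash so paths print cleanly
    keeshare=$2
    status=0

    # The KeeShare changelog must be present, or the other machines have
    # nothing to merge.
    if [ ! -f "$dir/$keeshare" ]; then
        echo "MISSING: $dir/$keeshare (KeeShare file not in sync folder)"
        status=1
    fi

    # Any other .kdbx here is almost certainly the main database, which must
    # never live in the shared folder.
    for f in "$dir"/*.kdbx; do
        [ -e "$f" ] || continue          # glob matched nothing
        if [ "$(basename "$f")" != "$keeshare" ]; then
            echo "DANGER: unexpected database in sync folder: $f"
            status=1
        fi
    done

    # Syncthing marks every shared folder with a .stfolder entry; without it
    # the directory is not actually being synchronised.
    if [ ! -e "$dir/.stfolder" ]; then
        echo "WARN: $dir has no .stfolder marker; is it shared in Syncthing?"
        status=1
    fi

    # The folder should not be accessible to other local users.
    # GNU stat first, BSD/macOS stat as fallback; empty string if neither works.
    perms=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir" 2>/dev/null || echo "")
    case "$perms" in
        *[1-7]) echo "WARN: $dir is accessible to other users (mode $perms)"; status=1 ;;
    esac

    return "$status"
}

# Usage: sh check_sync.sh ~/Sync example_db_changelog.kdbx
if [ "$#" -ge 2 ]; then
    check_sync_folder "$1" "$2"
fi
```

Run it on each machine after the one-time copy; a non-zero exit means the shared folder contains something it shouldn’t, or lacks something it needs.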

Conclusion

Now, every time you add an entry to the Syncthing group, it is logged in ~/Sync/example_db_changelog.kdbx and propagated to the other computers. You then need to organize the new entries manually on each of them.