Scenario
The number of accounts and passwords that I use seems to be growing each year and has reached a point where I need to rely upon a password manager. This article describes how I implemented a KeePass password management solution that could be used from multiple computers.
Requirements and constraints
- Implement a password management solution that can be used from multiple computers (and perhaps mobile devices).
- The solution should not be cloud based. Call me paranoid, but a cloud-based password management service sounds like too attractive a target for attackers. There are documented examples (e.g. LastPass) of such services being successfully attacked.
- The solution should not be a subscription-based commercial solution. Recently I have lost some time because I decided to change an anti-malware solution that contained a free password wallet. From a security perspective, I also liked the idea of an open-source solution.
Solution
I decided to use the KeePass password manager. KeePass is a free, open-source, lightweight and easy-to-use password manager. KeePass can be downloaded from the following site:
KeePass stores everything in a single password database file. To allow access to that file from multiple computers, it needed to be stored in a central location such as a cloud-based storage provider (e.g. Google Drive). I believed that the risk of this setup being targeted by attackers is lower than that of a password management cloud service holding password information for many people. The solution also follows a defence-in-depth strategy: the cloud storage account provides one layer of security, and the password database, which is protected by its own master key, provides another.
In-built functionality within KeePass supports various forms of database synchronisation, but synchronisation with a cloud-based storage provider (such as Google Drive) requires a plugin. After evaluating a couple of solutions, I decided to utilise the KeeAnywhere plugin. The KeeAnywhere plugin can be downloaded from the following site:
KeeAnywhere plugin download site
The solution components that I used when writing this article were as follows:
- KeePass 2.34
- KeeAnywhere 1.3.0
Implementation overview
High level steps to implement the solution were as follows:
Step 1: Download and install KeePass and the KeeAnywhere plugin.
Step 2: Create a local KeePass password database then copy it to Google Drive using a web browser.
Note: Step 2 only needs to be performed once, on the first computer on which you install KeePass.
Step 3: Enter Google account credentials and authorise the KeeAnywhere plugin to access Google Drive.
Step 4: Open the database from Google Drive.
Step 5: Repeat steps 1, 3 and 4 to install and configure KeePass on all remaining computers.
Implementation Details
Step 1: Download and install KeePass and the KeeAnywhere plugin.
a. Download the KeePass installer (KeePass-2.34-Setup.exe) from the KeePass download site
b. Download the KeeAnywhere plugin (KeeAnywhere-1.3.0.plgx) from the KeeAnywhere plugin download site
c. Install KeePass using default options for everything. In a UAC environment you may be prompted for administrator credentials.
d. Copy the KeeAnywhere plugin file (KeeAnywhere-1.3.0.plgx) to the Plugins folder that is located in the KeePass installation folder (C:\Program Files (x86)\KeePass Password Safe 2\Plugins)
Step 2: Create a local password database then copy it to Google Drive using a web browser.
Note: Step 2 only needs to be performed once, on the first computer on which you install KeePass.
a. Run KeePass then select File -> New…
b. Enter the name of your new password database (e.g. PasswordDatabase.kdbx) and click on Save
c. Create a composite master key to protect your password database. In my case, I chose a complex master password.
d. (optional) Change any of the database settings. For example, enter a database description.
e. Save the database
f. Close KeePass, then copy the password database to a folder on your Google Drive using a web browser. In my case, I placed the database in a folder titled KeePass.
g. Delete the local password database file as it is no longer needed.
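Step 2c is where the security of the whole arrangement is decided: the file that ends up on Google Drive is protected only by the composite master key and by the key-transformation rounds KeePass applies to it before the database is decrypted. The following Go program is an added example, not code from the article or from the KeePass project, and it follows my understanding of the KDBX 3.1 key derivation that KeePass 2.x uses with AES-KDF (hash each key source, hash the concatenation, encrypt the result with AES-256-ECB under a transform seed for N rounds, hash again, then hash with the master seed). The function names, the seeds and the round counts are all constructed for the example, and key files are simplified to "hash the raw bytes".

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"fmt"
	"time"
)

// CompositeKey builds the KDBX 3.1 composite key: every key source (password,
// optional key file) is hashed on its own, the hashes are concatenated in a
// fixed order, and the concatenation is hashed again. Simplification for this
// example: a key file's raw bytes are hashed, whereas KeePass also accepts
// 32-byte and XML key files whose key material is used without hashing.
func CompositeKey(password string, keyFileData []byte) [32]byte {
	pw := sha256.Sum256([]byte(password))
	parts := append([]byte{}, pw[:]...)
	if keyFileData != nil {
		kf := sha256.Sum256(keyFileData)
		parts = append(parts, kf[:]...)
	}
	return sha256.Sum256(parts)
}

// TransformKey is the AES-KDF step of KDBX 3.1 databases: both 16-byte halves
// of the composite key are encrypted in place with AES-256-ECB under the
// database's transform seed, `rounds` times, and the result is hashed.
// The rounds are what make each password guess expensive for anyone who
// obtains the .kdbx file from the cloud storage account.
func TransformKey(composite, transformSeed [32]byte, rounds uint64) ([32]byte, error) {
	block, err := aes.NewCipher(transformSeed[:])
	if err != nil {
		return [32]byte{}, err
	}
	buf := composite // arrays are copied, so the caller's key is untouched
	for i := uint64(0); i < rounds; i++ {
		block.Encrypt(buf[:16], buf[:16])
		block.Encrypt(buf[16:], buf[16:])
	}
	return sha256.Sum256(buf[:]), nil
}

// MasterKey mixes the per-database master seed (stored in the file header)
// with the transformed key to obtain the key that decrypts the payload.
func MasterKey(masterSeed, transformed [32]byte) [32]byte {
	return sha256.Sum256(append(masterSeed[:], transformed[:]...))
}

// DeriveKey runs the whole pipeline for one password guess.
func DeriveKey(password string, keyFileData []byte, transformSeed, masterSeed [32]byte, rounds uint64) ([32]byte, error) {
	transformed, err := TransformKey(CompositeKey(password, keyFileData), transformSeed, rounds)
	if err != nil {
		return [32]byte{}, err
	}
	return MasterKey(masterSeed, transformed), nil
}

// CostPerGuess times one derivation. This is the per-guess cost an attacker
// pays against a copy of the database, so raising the round count in
// File -> Database Settings raises it for them exactly as much as for you.
func CostPerGuess(rounds uint64) time.Duration {
	var seed, ms [32]byte // zero seeds are fine for a timing probe
	start := time.Now()
	_, _ = DeriveKey("timing-probe", nil, seed, ms, rounds)
	return time.Since(start)
}

func main() {
	// Constructed seeds; a real database stores random ones in its header.
	var transformSeed, masterSeed [32]byte
	for i := range transformSeed {
		transformSeed[i] = byte(i)
		masterSeed[i] = byte(255 - i)
	}
	key, err := DeriveKey("example master password", nil, transformSeed, masterSeed, 60000)
	if err != nil {
		panic(err)
	}
	fmt.Printf("master key: %x\n", key)
	for _, r := range []uint64{60000, 6000000} {
		fmt.Printf("%d rounds: %v per guess\n", r, CostPerGuess(r))
	}
}
```

The two timings printed by main show the trade-off behind the "complex master password" choice: the round count only multiplies the cost of each guess, so a short or guessable password is still recovered quickly from a leaked .kdbx, while a long password combined with a high round count (or a key file that never touches the cloud account) pushes the cost out of reach.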
Step 3: Enter Google account credentials and authorise the KeeAnywhere plugin to access Google Drive.
a. Run KeePass then select Tools -> KeeAnywhere Settings… -> Add… -> Google Drive
b. Enter the credentials to access your Google Drive
c. Authorise KeeAnywhere to view and manage files in your Google Drive
Step 4: Open the database from Google Drive.
a. Run KeePass then select File -> Open -> Open from Cloud Drive…
b. Select your password database
Step 5: Repeat steps 1, 3 and 4 to install and configure KeePass on all remaining computers.
On each remaining computer, follow steps 1, 3 and 4. Step 2 is not repeated because the password database already exists on Google Drive.
Final Thoughts
After following the above steps, you will end up with a distributed multi-master password management solution. This means that you can make changes from any computer and they will be synced to the remaining computers. I do, however, suggest that you keep only one KeePass application open at a time. This will ensure that you don't overwrite password database changes made from one computer with changes made on a different computer.
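To make the "keep only one KeePass open" advice concrete, the following Go program is an added example (not code from the article or from KeePass) that models the race with two computers editing the same shared database at once. It contrasts a plain save, where the last computer to write replaces the whole file, with a per-entry merge of the kind KeePass's built-in File -> Synchronize performs (matched by entry UUID, newest modification time wins). The merge here is an assumed simplification: it ignores entry history, groups and deletions, which KeePass tracks separately, and all entries and timestamps are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Entry is a cut-down model of a KeePass entry: a stable UUID, the secret,
// and the per-entry last-modification time KeePass stores in the database.
type Entry struct {
	UUID     string
	Title    string
	Password string
	Modified time.Time
}

// Database maps entry UUID to entry. A real .kdbx also has groups, history
// and a list of deleted objects; those are left out of this model.
type Database map[string]Entry

func clone(db Database) Database {
	out := make(Database, len(db))
	for id, e := range db {
		out[id] = e
	}
	return out
}

// Overwrite models a plain save: the computer that saves last replaces the
// shared file with its own copy, whatever the other computer changed.
func Overwrite(shared, local Database) Database {
	return clone(local)
}

// Synchronize models a per-entry merge in the spirit of File -> Synchronize:
// entries are matched by UUID, the newer modification time wins, and entries
// present on only one side are kept. (Assumed simplification; KeePass also
// merges history and honours deletions, which this model does not.)
func Synchronize(shared, local Database) Database {
	out := clone(shared)
	for id, e := range local {
		cur, exists := out[id]
		if !exists || e.Modified.After(cur.Modified) {
			out[id] = e
		}
	}
	return out
}

// LostEdits lists the UUIDs whose entry in got is missing or older than in want.
func LostEdits(got, want Database) []string {
	var lost []string
	for id, w := range want {
		g, ok := got[id]
		if !ok || g.Modified.Before(w.Modified) {
			lost = append(lost, id)
		}
	}
	sort.Strings(lost)
	return lost
}

// Scenario plays out the race the text warns about: two computers open the
// same shared database, each edits different entries, and both save. It
// returns the shared file after plain overwrites, after per-entry
// synchronisation, and the state in which no edit is lost.
func Scenario() (afterOverwrite, afterSync, want Database) {
	t0 := time.Date(2016, 9, 1, 9, 0, 0, 0, time.UTC) // constructed timestamps
	shared := Database{
		"gh":   {UUID: "gh", Title: "github", Password: "gh-old", Modified: t0},
		"bank": {UUID: "bank", Title: "bank", Password: "bank-old", Modified: t0},
	}
	// Computer 1 rotates the github password.
	pc1 := clone(shared)
	pc1["gh"] = Entry{UUID: "gh", Title: "github", Password: "gh-new", Modified: t0.Add(1 * time.Hour)}
	// Computer 2, opened at the same time, rotates the bank password and adds an entry.
	pc2 := clone(shared)
	pc2["bank"] = Entry{UUID: "bank", Title: "bank", Password: "bank-new", Modified: t0.Add(2 * time.Hour)}
	pc2["mail"] = Entry{UUID: "mail", Title: "mail", Password: "mail-new", Modified: t0.Add(2 * time.Hour)}

	// Computer 1 saves first, computer 2 saves second.
	afterOverwrite = Overwrite(Overwrite(shared, pc1), pc2)
	afterSync = Synchronize(Synchronize(shared, pc1), pc2)

	want = Database{"gh": pc1["gh"], "bank": pc2["bank"], "mail": pc2["mail"]}
	return afterOverwrite, afterSync, want
}

func main() {
	over, sync, want := Scenario()
	fmt.Println("edits lost with plain overwrite:", LostEdits(over, want))
	fmt.Println("edits lost with synchronize:    ", LostEdits(sync, want))
}
```

With plain overwrites the github rotation made on computer 1 silently disappears, which is exactly the outcome the one-instance-at-a-time rule prevents; with a per-entry merge all three edits survive, so if you do find two copies have diverged, merging them through KeePass's synchronisation rather than saving one over the other is the recovery path.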
So far I’ve been using this solution for a few days and it seems to be working quite well for me. The only additional feature I want so far is some type of offline access. This should be easy to implement by configuring a database backup solution on the computers that need offline access. I recommend that you don’t make changes to this offline file (that is, wait until you can access the online password database before making changes).
Very good tool. It improves the security of our passwords.