Set up a KeePass password management solution for multiple computers

Scenario

The number of accounts and passwords that I use seems to be growing each year and has reached a point where I need to rely upon a password manager. This article describes how I implemented a KeePass password management solution that could be used from multiple computers.

Requirements and constraints

  • Implement a password management solution that can be used from multiple computers (and perhaps mobile devices).
  • The solution should not be cloud based. Call me paranoid but a cloud-based password management service just sounds like something that is too attractive for hackers. There are documented examples (e.g. LastPass) where these services have been successfully attacked.
  • The solution should not be a subscription-based commercial solution. Recently I have lost some time because I decided to change an anti-malware solution that contained a free password wallet. From a security perspective, I also liked the idea of an open-source solution.

Solution

I decided to use the KeePass password manager. KeePass is a free, open-source, lightweight and easy-to-use password manager. KeePass can be downloaded from the following site:

KeePass download site

KeePass utilises a password database. To allow access to the password database from multiple computers, the database needed to be stored in a central location such as a cloud-based storage provider (e.g. Google Drive). I believed that the risk of this solution being targeted by attackers is less than a password management cloud service holding password information for many people. The solution also complies with a defense-in-depth security strategy; cloud-based storage provides one layer of security and the password database also has its own layer of security.

In-built functionality within KeePass supports various forms of database synchronisation, but synchronisation with a cloud-based storage provider (such as Google Drive) requires a plugin. After evaluating a couple of solutions, I decided to utilise the KeeAnywhere plugin. The KeeAnywhere plugin can be downloaded from the following site:

KeeAnywhere plugin download site

The solution components that I used when writing this article were as follows:

  • KeePass 2.34
  • KeeAnywhere 1.3.0

Implementation overview

High level steps to implement the solution were as follows:

Step 1: Download and install KeePass and the KeeAnywhere plugin.

Step 2: Create a local KeePass password database then copy it to Google Drive using a web browser.

Note: Step 2 only needs to be performed once on the first computer on which you install KeePass.

Step 3: Enter Google account credentials and authorise the KeeAnywhere plugin to access Google Drive.

Step 4: Open the database from Google Drive.

Step 5: Repeat steps 1, 3 and 4 to install and configure KeePass on all remaining computers.

Implementation Details

Step 1: Download and install KeePass and the KeeAnywhere plugin.

a. Download the KeePass installer (KeePass-2.34-Setup.exe) from KeePass download site

b. Download the KeeAnywhere plugin (KeeAnywhere-1.3.0.plgx) from KeeAnywhere plugin download site

c. Install KeePass using default options for everything. In a UAC environment you may be prompted for administrator credentials.

d. Copy the KeeAnywhere plugin file (KeeAnywhere-1.3.0.plgx) to the Plugins folder that is located in the KeePass installation folder (C:\Program Files (x86)\KeePass Password Safe 2\Plugins)
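A KeePass plugin runs inside the same process that holds the opened password database, so it is worth checking both Step 1 downloads before installing them. The PowerShell below is an added example, not part of the original article or of either project; the Downloads location and the two SHA-256 strings are assumptions (placeholders to replace with values obtained from each publisher for these exact versions).

```powershell
# Added example: verify the Step 1 downloads before installing them.
# ASSUMPTIONS: both files sit in the current user's Downloads folder, and the
# two SHA-256 strings are placeholders to replace with the publishers' values.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
$pluginDir = 'C:\Program Files (x86)\KeePass Password Safe 2\Plugins'
$expected = @{
    'KeePass-2.34-Setup.exe' = '<PUBLISHED-SHA256-OF-KEEPASS-2.34-SETUP>'
    'KeeAnywhere-1.3.0.plgx' = '<PUBLISHED-SHA256-OF-KEEANYWHERE-1.3.0>'
}

function Test-DownloadHash {
    param([string]$Path, [string]$ExpectedSha256)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "Missing file: $Path"; return $false
    }
    # Refuse to pass while a placeholder (or a truncated hash) is configured.
    if ($ExpectedSha256 -notmatch '^[0-9a-fA-F]{64}$') {
        Write-Warning "No valid expected SHA-256 set for $Path"; return $false
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {   # string -ne is case-insensitive
        Write-Warning "Hash mismatch for ${Path}: got $actual"; return $false
    }
    Write-Host "OK  $Path"
    return $true
}

$allOk = $true
foreach ($name in $expected.Keys) {
    $file = Join-Path $downloads $name
    if (-not (Test-DownloadHash -Path $file -ExpectedSha256 $expected[$name])) {
        $allOk = $false
    }
}

# Informational: show the installer's signature status and signer, if any.
$setup = Join-Path $downloads 'KeePass-2.34-Setup.exe'
if (Test-Path -LiteralPath $setup -PathType Leaf) {
    $sig = Get-AuthenticodeSignature -FilePath $setup
    Write-Host "Authenticode: $($sig.Status) $($sig.SignerCertificate.Subject)"
}

if (-not $allOk) { Write-Error 'Verification failed; do not install these files.'; return }
if (Test-Path -LiteralPath $pluginDir -PathType Container) {
    # Step 1d: writing under Program Files needs an elevated PowerShell session.
    Copy-Item -LiteralPath (Join-Path $downloads 'KeeAnywhere-1.3.0.plgx') -Destination $pluginDir
} else {
    Write-Host 'Hashes match. Install KeePass (Step 1c), then re-run to copy the plugin.'
}
```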

Step 2: Create a local password database then copy it to Google Drive using a web browser.

Note: Step 2 only needs to be performed once on the first computer on which you install KeePass.

a. Run KeePass then select File –> New…

b. Enter the name of your new password database (e.g. PasswordDatabase.kdbx) and click on Save

c. Create a composite master key to protect your password database. In my case, I chose a complex master password.

d. (optional) Change any of the database settings. For example, enter a database description.

e. Save the database

f. Close KeePass, then copy the password database to a folder on your Google Drive using a web browser. In my case, I placed the database in a folder titled KeePass.

g. Delete the local password database file as it is no longer needed.

Step 3: Enter Google account credentials and authorise the KeeAnywhere plugin to access Google Drive.

a. Run KeePass then select Tools –> KeeAnywhere Settings… –> Add… –> Google Drive

b. Enter the credentials to access your Google Drive

c. Authorise KeeAnywhere to view and manage files in your Google Drive

[Screenshot: authorising KeeAnywhere for Google Drive]

Step 4: Open the database from Google Drive.

a. Run KeePass then select File –> Open –> Open from Cloud Drive…

b. Select your password database

[Screenshot: opening the password database from Google Drive]

Step 5: Repeat steps 1, 3 and 4 to install and configure KeePass on all remaining computers.

To install and configure KeePass on remaining computers just follow steps 1, 3 and 4.

Final Thoughts

After following the above steps, you will end up with a distributed multi-master password management solution. This means that you can make changes from any computer and they will be synched to remaining computers. I do however suggest that you try to keep only one KeePass application open at a time. This will ensure that you don’t overwrite password database changes made from one computer with changes made on a different computer.

So far I’ve been using this solution for a few days and it seems to be working quite well for me. The only additional feature I want so far is some type of offline access. This should be easy to implement by configuring a database backup solution on the computers that need offline access. I recommend that you don’t make changes to this offline file (that is, wait until you can access the online password database before making changes).

 

1 Comment

  1. Marcin

    Very good tool. It improves the security of our passwords.
