Productivity Sauce
KeePass is one of the best password managers out there, but let's face it: the KeePass 2.x application written in Mono installs a huge number of dependencies and it looks anything but sleek on the Linux desktop. Enter KeeWeb, a lightweight desktop and web app that can handle .kdbx databases and features a polished user-friendly interface.
KeeWeb is a free, open-source, cross-platform password manager with a desktop app for Windows, macOS, and Linux as well as a web app that works in all browsers. It's a simple tool that users can customize: choose a theme, color-code items to sort them into colored tabs, add tags to organize items, or create shortcuts. In this guide, we are going to look at the installation of the KeeWeb password manager on Linux Mint 20. If you prefer to use KeeWeb online, simply use the URL. You should see a page where you can simply add the records you need.
To run KeeWeb on a Linux desktop, grab the latest version of the app from the project's Releases page, unpack the downloaded archive, and run the KeeWeb executable binary. Then open the local .kdbx database, or link KeeWeb to Dropbox to work with databases stored on Dropbox. Instead of running KeeWeb locally, you can deploy it as a web app. To do this, clone the project's GitHub repository to the document root of your server and switch to the gh-pages branch:
KeeWeb puts all essential tools and features at your fingertips. You can open an existing .kdbx database or create a new one from scratch. The app conveniently remembers the recently used databases, so you don't need to select them manually. It's possible to organize entries into groups as well as specify tags, colors, expiration, and custom fields for each entry. KeeWeb also supports keyboard shortcuts, and there are a handful of settings you can adjust to your liking. In short, if the official KeePass application is not your cup of tea, KeeWeb offers a lightweight and sleek alternative.
Host Your Own Multi-User Password Manager with KeeWeb and WebDAV
Published on Jan 24, 2019
For years I used KeePass to manage my ever-growing number of passwords. It works brilliantly, especially for a single user. Just stick the database on Dropbox, Google Drive, or use Syncthing, and voila, you can access your password database everywhere. Toss in something like Keepass2Android, and you have mobile access as well, all for free.
This setup worked fine for years. Indeed, I recommend it to anyone in a single-user situation. But what about a scenario wherein two (or more) people want to access/change the database simultaneously? If you're just using something like Dropbox to sync the database, then you will likely end up with file conflicts and lost data. Unacceptable.
Sure, there are solutions like LastPass, but I have an inherent mistrust of a closed-source, cloud-based password manager. Bitwarden is better since it's open source (and you can host the stack yourself), but since I'm already familiar with KeePass, I'm not ready to give up on that ecosystem yet.
KeePass Multi-User
I want a setup where both my wife and I can access our shared KeePass database simultaneously on multiple computers, plus on a couple of Android phones, with bonus points for having a self-hosted, password-protected web interface in case we have neither our own computers nor our phones with us. Basically, can we spin our own version of LastPass / Bitwarden, but using KeePass-related tools?
Yes, we can. The simplest way is to store the KeePass database on a networked computer (such as an sFTP server). Using the Open URL feature in KeePass -- or by mounting the network folder using sshfs (in Linux) -- numerous people can access/modify the database at any given time. There are plugins (such as SftpSync) for KeePass v2 that can help with this. The only problems here are:
- You have to run KeePass v2, which is fine on Windows, but less-elegant on Linux and macOS due to the dependency on mono. KeePassXC doesn't have plugins (yet?), so the syncing options are trickier.
- There's no web interface available. Boo!
WebDAV to the Rescue
Now here's a fine thing. We can fix those two sFTP-related problems by using WebDAV, so let's get going! I'm using Apache on CentOS for my web server, so if you want to use nginx, lighttpd, or whatever, you'll need to make adjustments accordingly.
You will first need to set up a new VirtualHost as well as HTTPS. Doing so is beyond the scope of this article, but you can start by searching for apache virtualhost setup, and then look up Let's Encrypt and certbot for free TLS certificates.
Once that's ready, it's time to set up HTTP authentication, since we don't want just anyone accessing our password database, do we? I'm storing my info in a file called .htpasswd, which is pretty common.
# htpasswd -c /etc/httpd/.htpasswd user-name
# chown root:apache /etc/httpd/.htpasswd
# chmod 640 /etc/httpd/.htpasswd
You'll want to change user-name in the above example to whatever username you want. And yes, it will prompt you to set whatever password you want, so try to remember it, eh?
Now you can add something like the following to your VirtualHosts file, so that whoever wants to access the site must first pass authentication. I'm calling mine KeeWeb below since that's what I plan to host in the root directory.
AuthType 'Basic'
AuthName 'KeeWeb'
AuthBasicProvider file
AuthUserFile '/etc/httpd/.htpasswd'
Require valid-user
Get WebDAV running
There are plenty of guides on the interwebs on how to configure WebDAV. I'm using CentOS 7, which automatically loads the appropriate modules if you install Apache. On CentOS, you can check to see if the dav_fs module is loaded by running the following:
You should see something like the following:
dav_fs_module (shared)
dav_lock_module (shared)
If you are using a Debian-based distro and need to load the required modules, you can run the following:
Now that the Apache modules are loaded, let's make a folder that we want to access via WebDAV. Inside the publicly accessible directory for your site, let's make a folder called webdav and set the appropriate permissions.
# mkdir webdav
# chown apache:apache webdav/
# chmod 700 webdav/
Now let's add the following to our VirtualHosts file to enable WebDAV access:
DAV On
AuthType 'Basic'
AuthName 'webdav'
To add a lock to your accessed resources, you can also add the following to your VirtualHosts file, right above the line:
Done! You can test your WebDAV setup in a number of ways. If you're on macOS, press Command+K and enter https://example.com/webdav as the server. If you're on Linux, try entering webdavs://example.com/webdav into Dolphin, Nautilus, or whatever file manager you have. Try uploading your KeePass database to the WebDAV folder. Make sure you can both upload and delete files from that space. If you want to try using KeePass v2, you can go to Open URL and specify https://example.com/webdav/your-keepass-db.kdbx as the file, and you should have full read/write access.
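An added example (not from the original article): a small Python check that reads Apache <Directory> blocks and lists WebDAV-enabled directories that end up without a login requirement, following Apache 2.4's default rule that a section's own Require lines replace those of its parent. The sample config and its paths are constructed placeholders; <Location> blocks, .htaccess files and <RequireAll>-style containers are not handled.

```python
import re

# Constructed sample (not from the article); all paths are placeholders.
SAMPLE_CONF = """
<Directory "/srv/site">
    AuthType Basic
    AuthUserFile "/etc/httpd/.htpasswd"
    Require valid-user
</Directory>
<Directory "/srv/site/webdav">
    DAV On
</Directory>
<Directory "/srv/site/share">
    DAV On
    Require all granted
</Directory>
<Directory "/srv/other">
    DAV On
</Directory>
"""

SECTION = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)

def parse_dirs(conf):
    """Map each <Directory> path to its lowercased, non-comment directive lines."""
    dirs = {}
    for path, body in SECTION.findall(conf):
        lines = [l.strip().lower() for l in body.splitlines()]
        dirs[path.rstrip("/")] = [l for l in lines if l and not l.startswith("#")]
    return dirs

def effective_require(path, dirs):
    """Require lines of the nearest section (self or parent) that sets any."""
    enclosing = [p for p in dirs if path == p or path.startswith(p + "/")]
    for p in sorted(enclosing, key=len, reverse=True):
        req = [l for l in dirs[p] if re.match(r"require\s", l)]
        if req:
            return req
    return []

def open_dav_dirs(conf):
    """DAV-enabled directories whose effective Require does not demand a login."""
    dirs = parse_dirs(conf)
    needs_login = re.compile(r"require\s+(valid-user|user|group)\b")
    return sorted(p for p, lines in dirs.items()
                  if any(re.fullmatch(r"dav\s+on", l) for l in lines)
                  and not any(needs_login.match(l) for l in effective_require(p, dirs)))

if __name__ == "__main__":
    print(open_dav_dirs(SAMPLE_CONF))
```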
The Kee to the Web
All this is well and good, but we still don't have our web interface (in case we don't have access to either our personal computer or a smartphone). That's easy to fix. KeeWeb to the rescue!
KeeWeb provides a web interface to our personal KeePass database. The official app is located at app.keeweb.info, but we can host it ourselves, so let's do it! I suggest installing it in a folder called keeweb on your domain. Double-check the link on this page (the download is currently called gh-pages.zip), in case it changes. Here we go:
# unzip gh-pages.zip
# mv keeweb-gh-pages keeweb
You can now visit your KeeWeb installation at https://example.com/keeweb/. However, its functionality is currently no different from app.keeweb.info. We want it to automatically find/load our database inside the WebDAV folder, so let's do that! KeeWeb supports loading its configuration settings from a JSON file, so we can call it config.json (or whatever you want). Make a config.json file in your site's root directory (outside the keeweb folder). Inside that file, add the following, at a minimum:
{
  "settings": {},
  "files": [{
    "storage": "webdav",
    "name": "Database Name",
    "path": "/webdav/your-keepass-db.kdbx"
  }]
}
There are plenty of configuration settings available (see the KeeWeb wiki), so here's an example of my config.json file with some added settings:
{
  "settings": {
    "theme": "wh",
    "autoSave": true,
    "idleMinutes": 60,
    "fontSize": 1
  },
  "files": [{
    "storage": "webdav",
    "name": "Database Name",
    "path": "/webdav/your-keepass-db.kdbx"
  }]
}
KeeWeb will now find the configuration file if you load the full URL (e.g. https://example.com/keeweb/?config=/config.json), but that's way too much to type on a regular basis. Instead, let's set a redirect, either in your VirtualHosts file or in a file called .htaccess in your web root.
Restart Apache:
Now you can browse to your site's root. Once you pass the HTTP authentication, you should see KeeWeb's interface, ready to manage the passwords in your specified database.
Let's Get to Syncing
Full sync ahead! On a personal computer, you can mount your WebDAV folder and load your database into KeePass (or KeePassXC, for that matter).
You can also load your database on an Android phone using Keepass2Android (use the WebDAV option, obviously). I don't have any iOS devices, so I can't offer much help here. It looks like KyPass 4 supports WebDAV. MiniKeePass is popular, but I don't know about WebDAV support.
And there we have it: our own personal LastPass running all open-source software, on our own server, and with no subscription fees. You (and other trusted users) can open (and edit!) the password database in multiple locations, simultaneously. You can use software like KeePassXC, mobile devices, and there's even a web interface available when you need it.
And what about security? Isn't this WebDAV setup less secure than just keeping the database in Dropbox? Well, probably. A nefarious character would have to first break through your HTTP authentication (you used a strong password, didn't you?) -- OR find a vulnerability in Apache. THEN that shady character would still have to break through the encryption on your KeePass database (you used a really strong password here, didn't you? And maybe a key file?).
Point is, you're still pretty darn secure. Add in the fact that whatever URL you chose for your WebDAV access is not likely to become much of a target for people attempting to break in (especially compared to LastPass!), and I wouldn't lose any sleep over it. You should also keep regular backups of your database, especially for offline usage.
Have fun!