For years I used KeePass to manage my ever-growing number of passwords. It works brilliantly, especially for a single user. Just stick the database on Dropbox, Google Drive, or use Syncthing, and voila, you can access your password database everywhere. Toss in something like Keepass2Android, and you have mobile access as well, all for free.
This setup worked fine for years. Indeed, I recommend it to anyone in a single-user situation. But what about a scenario wherein two (or more) people want to access/change the database simultaneously? If you're just using something like Dropbox to sync the database, then you will likely end up with file conflicts and lost data. Unacceptable.
Sure, there are solutions like LastPass, but I have an inherent mistrust of a closed-source, cloud-based password manager. Bitwarden is better since it's open source (and you can host the stack yourself), but since I'm already familiar with KeePass, I'm not ready to give up on that ecosystem yet.
KeePass Multi-User
I want a setup where both my wife and I can access our shared KeePass database simultaneously on multiple computers, plus on a couple of Android phones, with bonus points for having a self-hosted, password-protected web interface in case we have neither our own computers nor our phones with us. Basically, can we spin our own version of LastPass / Bitwarden, but using KeePass-related tools?
Yes, we can. The simplest way is to store the KeePass database on a networked computer (such as an sFTP server). Using the Open URL feature in KeePass -- or by mounting the network folder using sshfs (in Linux) -- numerous people can access/modify the database at any given time. There are plugins (such as SftpSync) for KeePass v2 that can help with this. The only problems here are:
- You have to run KeePass v2, which is fine on Windows, but less-elegant on Linux and macOS due to the dependency on mono. KeePassXC doesn't have plugins (yet?), so the syncing options are trickier.
- There's no web interface available. Boo!
WebDAV to the Rescue
Now here's a fine thing. We can fix those two sFTP-related problems by using WebDAV, so let's get going! I'm using Apache on CentOS for my web server, so if you want to use nginx, lighttpd, or whatever, you'll need to make adjustments accordingly.
You will first need to set up a new VirtualHost as well as HTTPS. Doing so is beyond the scope of this article, but you can start by searching for apache virtualhost setup, and then look up Let's Encrypt and certbot for free TLS certificates.
Once that's ready, it's time to set up HTTP authentication, since we don't want just anyone accessing our password database, do we? I'm storing my info in a file called .htpasswd, which is pretty common.
# chown root:apache /etc/httpd/.htpasswd
# chmod 640 /etc/httpd/.htpasswd
You'll want to change user-name in the above example to whatever username you want. And yes, it will prompt you to set whatever password you want, so try to remember it, eh?
Now you can add something like the following to your VirtualHosts file, so that whoever wants to access the site must first pass authentication. I'm calling mine KeeWeb below since that's what I plan to host in the root directory.
AuthType "Basic"
AuthName "KeeWeb"
AuthBasicProvider file
AuthUserFile "/etc/httpd/.htpasswd"
Require valid-user
</Location>
Get WebDAV running
There are plenty of guides on the interwebs on how to configure WebDAV. I'm using CentOS 7, which automatically loads the appropriate modules if you install Apache. On CentOS, you can check to see if the dav_fs module is loaded by running the following:
You should see something like the following:
dav_fs_module (shared)
dav_lock_module (shared)
If you are using a Debian-based distro and need to load the required modules, you can run the following:
# a2enmod dav_fs
Now that the Apache modules are loaded, let's make a folder that we want to access via WebDAV. Inside the publicly accessible directory for your site, let's make a folder called webdav and set the appropriate permissions.
# chown apache:apache webdav/
# chmod 700 webdav/
Now let's add the following to our VirtualHosts file to enable WebDAV access:
DAV On
AuthType "Basic"
AuthName "webdav"
</Location>
To add a lock to your accessed resources, you can also add the following to your VirtualHosts file, right above the <VirtualHost *:443> line:
Done! You can test your WebDAV setup in a number of ways. If you're on macOS, press Command+K and enter https://example.com/webav as the server. If you're on Linux, try entering webdavs://example.com/webdav into Dolphin, Nautilus, or whatever file manager you have. Try uploading your KeePass database to the WebDAV folder. Make sure you can both upload and delete files from that space. If you want to try using KeePass v2, you can go to Open URL and specify https://example.com/webdav/your-keepass-db.kdbx as the file, and you should have full read/write access.
The Kee to the Web
All this is well and good, but we still don't have our web interface (in case we don't have access to either our personal computer or a smartphone). That's easy to fix. KeeWeb to the rescue!
KeeWeb provides a web interface to our personal KeePass database. The official app is located at app.keeweb.info, but we can host it ourselves, so let's do it! I suggest installing it in a folder called keeweb on your domain. Double-check the link on this page (the download is currently called gh-pages.zip), in case it changes. Here we go:
# unzip gh-pages.zip
# mv keeweb-gh-pages keeweb
You can now visit your KeeWeb installation at https://example.com/keeweb/. However, its functionality is currently no different from app.keeweb.info. We want it to automatically find/load our database inside the WebDAV folder, so let's do that! KeeWeb supports loading its configuration settings from a JSON file, so we can call it config.json (or whatever you want). Make a config.json file in your site's root directory (outside the keeweb folder). Inside that file, add the following, at a minimum:
"settings": {},
"files": [{
"storage": "webdav",
"name": "Database Name",
"path": "/webdav/your-keepass-db.kdbx"
}]
}
There are plenty of configuration settings available (see the KeeWeb wiki), so here's an example of my config.json file with some added settings:
"settings": {
"theme": "wh",
"autoSave": true,
"IdleMinutes": 60,
"fontSize': 1
},
"files": [{
"storage": "webdav",
"name": "Database Name",
"path": "/webdav/your-keepass-db.kdbx"
}]
}
KeeWeb will now find the configuration file if you load the full URL (e.g. https://example.com/keeweb/?config=/config.json), but that's way too much to type on a regular basis. Instead, let's set a redirect, either in your VirtualHosts file or in a file called .htaccess in your web root.
Restart Apache:
Now you can browse to your site's root. Once you pass the HTTP authentication, you should see KeeWeb's interface, ready to manage the passwords in your specified database.
Let's Get to Syncing
Full sync ahead! On a personal computer, you can mount your WebDAV folder and load your database into KeePass (or KeePassXC, for that matter).
You can also load your database on an Android phone using Keepass2Android (use the WebDAV option, obviously). I don't have any iOS devices, so I can't offer much help here. It looks like KyPass 4 supports WebDAV. MiniKeePass is popular, but I don't know about WebDAV support.
And there we have it: our own personal LastPass running all open-source software, on our own server, and with no subscription fees. You (and other trusted users) can open (and edit!) the password database in multiple locations, simultaneously. You can use software like KeePassXC, mobile devices, and there's even a web interface available when you need it.
And what about security? Isn't this WebDAV setup less secure than just keeping the database in Dropbox? Well, probably. A nefarious character would have to first break through your HTTP authentication (you used a strong password, didn't you?) -- OR find a vulnerability in Apache. THEN that shady character would still have to break through the encryption on your KeePass database (you used a really strong password here, didn't you? And maybe a key file?).
Point is, you're still pretty darn secure. Add in the fact that whatever URL you chose for your WebDAV access is not likely to become much of a target for people attempting to break in (especially compared to LastPass!), and I wouldn't lose any sleep over it. You should also keep regular backups of your database, especially for offline usage.
Have fun!