My Keepass2 setup with Android, Firefox and sync


A couple of weeks ago I read another article about a major security breach of a big online service and finally decided that I need a special password for every service I’m using. Up until then, I always used about 6 passwords for online stuff. More important sites got one of the better passwords, irrelevant sites one of the poor ones, but a lot of sites shared passwords. Since I try to use only three user names (private, gaming and work) if they are available, it wouldn’t have been too hard to try my password they stole from service X on service Y with not a bad chance of success.

It’s not my first try to use a central application for my passwords, but all failed because of trust or usability. I want to be able to use this on all my computers, on my mobile and on the go, so I needed a synced solution. There are a few around, but I don’t trust this kind of data hosted on a server thats not mine. So this is the first solution that was comfortable to use and secure for my needs. All the tools here are open source, which doesn’t makes them secure, but we can hope there are people checking them out. 🙂

I’ll show mostly my setup, all the tools described here are heavily customizable, so check all the options after the initial setup to adapt them exactly to your needs. But this will hopefully get you started.


First we need to install KeePass2. There are versions for the major operating systems on their website, I tried Linux (used the packages shipped with Ubuntu) and Windows.

Create a new database
Create a new database

Now that we installed KeePass, we’ll first need to create a new database. After selecting where to save it, we’ll have to put in a master password. Obviously, this should be one of the better kind. I didn’t check out the possibilities of a key file or testing the existence of a USB drive, since it would be a problem for portability of the solution.

(src xkcd, CC BY-NC 2.5)
(src xkcd, CC BY-NC 2.5)

After putting in the password, it was asking for a few settings. Since I was fine with the standards, the KeePass file was created with a few sample entries. We can delete the samples and save it now.

Create a new password, e.g. 32 characters long.
Create a new password, e.g. 32 characters long.

To try it out, we could generate a new password (Tools -> Generate Password). I prefer to use A{32} as a pattern, which creates 32 lower and upper case letters and numbers. (I guess that is security wise dumb to tell, so I might change it in the future. ;)) It’ll create a blank entry in the database with a random password. If you edit it, you can add at a user name, but also URL (later useful for Firefox integration), custom notes, an icon and a lot of other fields.

Update: I changed that to use special characters as well.

If we want to login now, we can select the entry and press Ctrl-C to copy the password into the clipboard for a few seconds. If you want to copy the user name, use Ctrl-B and Ctrl-U will open the saved URL for you.

KeeFox: Firefox Integration

To make this far more comfortable to use, we should integrate this into our browser. Since I use Firefox at the moment, I used KeeFox for that, but there are supposed to be plugins for other browsers as well. KeeFox can fill out your forms automatically and save new passwords directly into KeePass, just like the internal Firefox password manager did. Running Windows, this is a breeze. Install KeeFox from Mozillas Addon Page, restart Firefox and follow the instructions. It’ll copy the KeeFox plugin into your KeePass directory. After restarting KeePass and maybe Firefox as well, you’ll get a connection window asking you to for a code and another one showing it to you. (Just to make sure that nothing connects without your consent.)

Linux users have a slightly harder time. On Ubuntu, you’ll need to install mono-complete for KeeFox to work, other distributions will have similar meta packages for a complete mono installation. (If anybody knows exactly the packets necessary, I would appreciate a comment, all the howtos simply install mono-complete.) The installation is covered in pictures very well on, so I will not write it down here again. 🙂

KeeFox asks if I want to save the password in my KeePass database
KeeFox asks if I want to save the password in my KeePass database

Now that we should be connected, we could try out logging in somewhere and saving the password. I’ll login to my blog backend and on the top of the screen KeeFox asks me if I want to save the password.

Editing an entry created from KeeFox
Editing an entry created from KeeFox

If we save, the entry appears in KeePass with the favicon of the page (my blog doesn’t have one) and title, user name, password and URL already filled. Sometimes it makes sense to change the URL or title, but mostly you are good to go and don’t need to edit anything. If you log out and open the login dialog again, the fields will be filled out and you only need to click the login button.

Sync with OwnCloud/Nextcloud

After the first two parts, we should have a comfortable setup for one computer. But most of us have more than one computer and want to use passwords all across them. Since I already use ownCloud (or rather now Nextcloud), I wanted to save the password database there. The server is administrated by myself, so I’m pretty sure that only I can access the data there. (Barring big security holes in PHP, bash, SSL, …) If you want to install it as well, you can follow the official documentation, but keep in mind that you’ll have to take care of security of the installation as well. In case you want to do this with Dropbox, you’ll have to trust them enough (whyever) and it should work just the same, I guess.

Password database in ownCloud
Password database in ownCloud

If you copy the password file anywhere in your local ownCloud (client) directory, the client will automatically sync it to the server. Now open the database file again from the ownCloud directory, every change you’ll make will be synced again. But since my password database is only about 50kb (I’m still migrating sites to the new password whenever I log in and have a minute), it’s no problem with nearly all internet connections.

When you now setup KeePass and KeeFox on a second computer (with ownCloud installed of course), you can open the database file from the local ownCloud directory and always get a current version of the database. I set up KeePass so that it closes the database after certain time of inactivity, so I never expect two KeePass instances adding new entries at the same time. But if you work with two computers side by side, make sure to save the database after adding a new entry and reopening it on the second computer before making any changes.

Update: I switched to nextcloud, but that doesn’t change the process here at all. But I discovered there is an app for nextcloud to open your Keepass database in the browser, Keeweb for nextcloud. Download the latest release and install it like any other nextcloud app. Then you can access your passwords easier, even when you aren’t at your own computer. Obviously you should only do that on trustworthy computers.

Keepass2Android: Android App

Now we should have a Firefox integrated password save, that is synced between our computers. Today smartphones are also used to connect to lots of services, each needing its own password. I for example need my Amazon password from time to time, to buy something while sitting in public transport. Instead of typing it in with people looking over my shoulder, I copy and paste it out of my password database now.

To do so, we can use Keepass2Android. Since the Android ownCloud client didn’t work well for me for keeping files local and updated, we connect directly via WebDAV to our ownCloud installation. Choose to open a password database:

Open a database on Keepass2Android
Open a database on Keepass2Android

There are a lot of services to connect to, but to connect to the ownCloud instance, we should use HTTPS and add the following (adapted) URL:

Login with optional quick unlock feature
Login with optional quick unlock feature

Put in username and password of your ownCloud installation, and then the password for your database and you should be good to go. You can activate quick unlock, which doesn’t lock the database completely, but you only need to input the last three characters of the password to access it until you close the database manually. (At latest at a reboot.) If you don’t mind the reduced security, its a nifty feature.

The KeePass groups in the Android app
The KeePass groups in the Android app

After login you’ll get a list of all your passwords and groups. If we choose the amazon password entry, Keepass2Android will show two new entries in Androids notification area (next to the one that is already there because the database is open):

The username and password can be put into the clipboard from the notification screen
The username and password can be put into the clipboard from the notification screen

Those entries enable you to switch to your browser, pull down notifications, copy the password (or username) directly from the notification area and paste them in the website. There is a risk according to Keepass2Android that other apps might copy data from your clipboard, so the alternative is to use a special Keepass2Android keyboard instead the copy and paste solution. Whatever you decide.

Update: I switched to the integrated keyboard Keepass2Android provides. Whenever I open an entry, a dialog pops up that lets me switch the keyboard to a special keyboard that lets me access username and password with one button each. After closing the database, the keyboard switches back to my default one.


I hope that we have a comfortable synced password solution now, that we can access from our Android mobile as well. My last fear now was, what happens if the database gets deleted or corrupted in some way? In theory there is an ownCloud feature to keep old versions of a file around. But I don’t trust that. I want to have a backup with more than one version simply in my computers (or home servers) filesystem.

If you use windows (or don’t want to use self written scripts on Linux), I recently stumbled over Duplicati, an open source GUI backup tool, that also supports WebDAV. I’m sure it wouldn’t be hard to setup a backup job to save a copy of the password file from the ownCloud (WebDAV) server.

But I didn’t try it yet and I prefer this simple solution I can easily completely understand. I created a very short script using cadaver (a command line WebDAV client.) Create a directory, e.g. ~/.pwdatabase where you want the file saved and adapt the following script to your needs, I called it ~/bin/


cd ~/.pwdatabase-backup
rm pw.kdbx
echo "get pw.kdbx" | cadaver
mv pw.kdbx pw.kdbx-`date +%Y-%m-%d_%H%M%S`

After that we still need to save our ownCloud access data in a file ~/.netrc: (If you are more paranoid than I am, create a dedicated user just for the backup task.)

login foo
password bar

Make sure to make the script executable and the .netrc as well as the backup directory only accessible by you:

lenfers@waxford:~$ chmod +x ~/bin/
lenfers@waxford:~$ chmod 600 ~/.netrc
lenfers@waxford:~$ chmod 700 ~/.pwdatabase-backup/

Last but not least, add a cronjob to run this script. This will run now every hour at the 42nd minute. Run ‚crontab -e‘ and put the following line in the editor that opens now:

42 * * * * /home/lenfers/bin/

You’ll now get files in your backup directory named like pw.kdbx-2014-10-12_193002 every hour. If you want the script to run at different intervals, check out a cron howto.

Conclusion, Security opinion and Todo

We should have installed and used the following software by now:

You should now have the possibility to create a password per webpage and sync it between different computers and mobile phones. If you haven’t done so, I would recommend to change a few passwords from sites that are important to you into long automatically generated ones. The password file should be in a lot of places, just in case it gets corrupted (which didn’t happen to me, I’m just cautious.)

I’m by far no security expert, but I want to provide you with my view on how secure this setup is. It shouldn’t be good enough for missile launch codes (but might be) or if you are in a position where you might be targeted directly (instead if being one among many victims of a site hack.) If someone were to breaks into your cloud account, they would only need to break your KeePass password offline and got access to all your accounts! Since I don’t expect to be targeted directly (shouldn’t have said that, should I? :-)) this will immensely increase security for me, because the damage resulting from big hacks on websites won’t affect me anymore outside of the hacked site. Also brute force attacks on my online accounts should be far harder now. Last but now least, I use two factor authentication as much as possible.

Update: Keeweb added in the cloud section. In the future I want to look into integrating a web interface into ownCloud (maybe based on WebKeePass?) so I could access my passwords easier from a friends computer without having to copy them manually from my mobiles screen, but I’m not sure when I’ll find time for that. If anybody has a working solution or good hints on how to do that easily, I would appreciate a pointer.

I hope this helped you to switch from a small array of simple to medium passwords to a system of one secure password per site. Any feedback is appreciated!

What do you think of this post?
  • Awesome (29)
  • Interesting (28)
  • Useful (26)
  • Sucks (9)
  • Boring (7)