What's the usage flow? Is there a browser extension that allows you to interact with it without opening the KeePass program?
Maintenance you described is easy, but what about the actual usage and sharing passwords?
I don't share my passwords database. Right now my wife and I do have a very limited number of shared accounts but I set up the same system for her and we simply duplicate the few shared logins we have in our two databases. This could be an issue if we need to share more.
Creating new accounts is easy. Both my Windows and iOS KeePass clients open the file directly from cloud storage. They can save changes and reload the database on startup. Once in a while I've had conflicting writes, but it's rare, and I stopped getting them when I got better about saving and closing after changes.
Usage flow on PC (I'm sure I could install a browser extension, but haven't bothered yet):
1. Oh, I need a password. Windows+S, type keepass, open KeePass, type master password.
2. Ctrl+E, look for the website I'm on
3. Ctrl+B copy username, paste
4. Ctrl+C copy password, paste
Usage flow on iOS:
1. Oh, I need a password. iOS magically knows, gives me options of iCloud Keychain or the KeePass client. Select the KeePass client
2. Sometimes it's not smart enough to detect which password entry to use. In this case, type in the website/app name and select it
3. Usually it's smart enough to fill out the username & password fields automatically
This has worked great for us for a number of years.
Storing new accounts syncs just like everything else.
> Is there a browser extension that allows you to interact with it without opening the KeePass program?
I sure hope not.
On the other hand, docker containers on a RPi Zero? What a sad state of affairs we have in 2022.
Sincere question - AFAIK, Raspberry Pi OS is a Linux distribution like any other, with dependency/distribution issues like any other. Why would using Docker on it be a sad state of affairs, in contrast to using it on any other distribution?
I am not a fan of this kind of redundancy and opaqueness.
One thing I would add: a self-signed certificate is not adequate for password transmission. In some ways, it's even worse than transmitting over clear-text http because it provides an illusion of security.
Any actor on your network can man-in-the-middle, provide their own certificate, and you'd be none the wiser.
I'd suggest provisioning a LetsEncrypt leaf certificate on a node that can respond to HTTP-01 or DNS-01 challenges (don't open your home network on :80 and :443 - use a VM in the cloud to respond to challenges), then transfer the certificate to the Raspberry Pi. https://letsencrypt.org/docs/challenge-types/
The hassle of forwarding the ports for their verification and having to do it so regularly (every 3 months) is a real pita.
I used to just pay for yearly certs for this reason, but prices have gone up, so now I'm back to using self-signed. I'd love to set up my own PKI, but the toolchain is so complex, and many OSes like Android allow apps to opt out of user-added root certificates, which makes it very hard to deal with.
You never need to expose a webserver to the public internet to use letsencrypt to get a valid SSL certificate, even if the IP is in a private RFC range (192.168.x.x, 10.x.x.x, etc.).
Every single webapp I run internally has a two line automated Caddy/letsencrypt auto configuration, that just works.
To suggest it is way too difficult suggests you haven't tried recently, or are only familiar with the very old http-based DNS authentication challenges. You have not needed to use http-based challenges with letsencrypt for a long time, although they are still supported.
> https://caddyserver.com/docs/automatic-https
> https://caddy.community/t/how-to-use-dns-provider-modules-in...
No port forwarding required, ever.
This feature also exists in plain ole letsencrypt, via their "dns-01" challenge support:
https://letsencrypt.org/docs/challenge-types/#dns-01-challen...
The list of DNS providers who support this is massive now too:
https://community.letsencrypt.org/t/dns-providers-who-easily...
It is now so absurdly easy to do that all my personal projects just have valid SSL by default now, even on my internal LAN. All letsencrypt needs is proof of domain ownership; thanks to DNS TXT records, no one needs to host a website or port forward to accomplish that.
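The two comments above (the self-signed-versus-Let's-Encrypt exchange, and the claim that a DNS TXT record is all the proof of ownership the CA needs) describe what the DNS-01 challenge does; this added example walks through it in code. It is not code from the thread, from Caddy, or from any ACME client: it implements the TXT-value computation that RFC 8555 section 8.4 specifies (key authorization = token || "." || RFC 7638 thumbprint of the account key, then base64url(SHA-256(...)) in a record at `_acme-challenge.<domain>`) and simulates the CA's check against an in-memory zone. The account key, token and zone contents are constructed for the demonstration; only the hashing and encoding are the real protocol.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME (RFC 8555) and JWK (RFC 7638) use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account's public key: SHA-256 over the canonical
    JSON (required members only, sorted lexicographically, no whitespace)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value the CA expects in the TXT record (RFC 8555 section 8.4):
    base64url(SHA-256(token || '.' || JWK_Thumbprint(account key)))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_record_name(domain: str) -> str:
    """The CA queries _acme-challenge.<domain>; for a wildcard the leading '*.' is dropped."""
    if domain.startswith("*."):
        domain = domain[2:]
    return "_acme-challenge." + domain.rstrip(".") + "."


def provision_record(zone: dict, domain: str, token: str, account_jwk: dict) -> dict:
    """What the client (certbot, Caddy's DNS module, ...) does through the DNS provider's API:
    publish the TXT record. Nothing in this step listens on port 80 or 443."""
    name = challenge_record_name(domain)
    zone.setdefault(name, []).append(dns01_txt_value(token, account_jwk))
    return zone


def ca_validates(domain: str, token: str, account_jwk: dict, zone: dict) -> bool:
    """What the CA's validator does: look up the TXT records for the challenge name and accept
    if any of them equals the expected value. `zone` stands in for a real DNS lookup, so the
    host's A record (here it would be an RFC 1918 address) plays no part in the check."""
    expected = dns01_txt_value(token, account_jwk)
    return any(record == expected for record in zone.get(challenge_record_name(domain), []))


# Constructed sample data: not a real ACME account key and not a token issued by any CA.
ACCOUNT_JWK = {"kty": "RSA", "n": "bm90LWEtcmVhbC1tb2R1bHVz", "e": "AQAB"}
TOKEN = "constructed-token-xK9vQ2mLp8Rt4Nw7Zc3Fy6Hb"


def demo() -> dict:
    domain = "pi.home.example.com"   # internal-only name; it never has to serve a web page to the CA
    zone = {}                        # stand-in for the authoritative zone at the DNS provider
    before = ca_validates(domain, TOKEN, ACCOUNT_JWK, zone)
    provision_record(zone, domain, TOKEN, ACCOUNT_JWK)
    after = ca_validates(domain, TOKEN, ACCOUNT_JWK, zone)
    # A stale or foreign token does not validate against the record just published.
    stale = ca_validates(domain, "some-other-token", ACCOUNT_JWK, zone)
    return {"before": before, "after": after, "stale_token": stale, "zone": zone}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the thread makes falls out of `ca_validates`: the only thing the CA fetches is a TXT record from the domain's authoritative nameservers, so the Raspberry Pi can sit on 192.168.x.x behind a closed firewall and still end up with a publicly trusted certificate. The record value is bound to both the CA-issued token and the account key, which is why a record left over from an earlier issuance cannot be replayed by someone who does not hold that account key.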
One downside is the PoE hats are massive
https://pine64.com/product/rock64-4gb-single-board-computer/
Tailscale and wireguard are available for all major devices, including mobile. So, if you do this, your password manager can live anywhere and doesn’t need to be exposed to the main internet at all. You don’t even need SSH/network access to the remote machine, just HTTPS over Wireguard (and local or console access). Everything else can be locked down tight.
I think I'll stick with running my own wireguard thanks.
My solution for the past 14 years has been a simple GPG-encrypted org-mode (text) file. I can get to a password multiple ways from any device. The main way I check one is to open the file in Emacs, which prompts for the master password via pinentry. You could also use a keyfile. Usually I just ssh in and connect to a tmux session with emacs -nw already running, but I can also decrypt and grep it from the CLI, or clone the private repo it's on to do the same locally. I only do anything involving PII or money in a dedicated PureOS VM, though, so I generally don't jump through any hoops and it's relatively transparent.
If you want to keep your data secure by keeping it on you, just use a notebook. Cheaper than this and works without a power cord.
This is a bit of attack surface that all hosted cloud solutions share, and it is one that it has never been easier to eliminate.
I am sympathetic to (and capable of) self-hosting, but if my instance and my passwords are compromised, the fallout could be catastrophic for me. Am I better off in the long term by just using the Bitwarden server and assuming that they have better security than I do, even though they are the even juicier target?
In theory.
It would just be a heck of a lot easier to just use KeePass and save the database on an SD card.
What are the advantages of this setup over carrying a pendrive with an encrypted KeePassXC vault on it?
Building a portable terminal that can emulate a keyboard with a reasonable screen for ease of use seems like a fairly reasonable solution.
> Authorizer is a Password Manager for Android. It emulates an HID keyboard over USB and enters your credentials on your target device. Additionally it supports OTP
It just seems like a HUGE hassle and risk of data loss compared to the classic KeePassXC + Syncthing burrito.