Posted on March 11, 2016

Securely Synchronizing Keepass Databases

It’s ironic that if you search the web for synchronizing KeePass databases, “just use Dropbox” still comes up as one of the main suggestions. While the KeePass database file is protected against brute-force attacks, if an attacker has access to the database file, the only thing that is guaranteed is that the attacker’s job will be very difficult.

As the KeePass website puts it,

(…) nothing prevents an attacker to just try all possible keys and look if the database decrypts. But what we can do (and KeePass does) is to make it harder (…)

So, more than making it harder, I would like to make it close to impossible.

I would like to have a solution which would allow me to back up and (eventually) synchronize any files between computers, such that the files are encrypted before being transmitted to some cloud provider.

There are several ways to accomplish this (Spideroak, Arq, TeamDrive, Tarsnap, Seafile and even just a combination of gpg, tar, gzip and the AWS CLI), but in the end it’s a tradeoff: some are not open source, some are too complex or too expensive, and some are not available for Linux.

In the end, the solution I found most satisfying was Tarsnap.

Parts of it are open source, Colin is well known and respected in the community and publishes a lot on security, encryption and privacy, and the interface is super simple (a CLI akin to tar). There are still a few things I’m not satisfied with, but I can’t do better than this unless I implement something myself.

So, how do you synchronize your KeePass database between multiple computers? You just have to use the same key file across all the computers and the same backup name:

  1. Register, download the code, compile it, generate a key and a cache directory, as per the instructions;
  2. Copy that key to all the computers where you want to have your KeePass file;
  3. Update your .tarsnaprc file on all the computers to use the key you copied;
  4. Now change the KeePass file, save it, and make a backup;
  5. Go to your other computer and, before restoring, run tarsnap --fsck.

That’s it.

Remember to always name your backup the same way, and make sure you run tarsnap --fsck before you restore or back up; that should be it.
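The steps above as a small POSIX sh wrapper, added here as an example; it is not code from this post or from Tarsnap, and the script name, the database path, the archive name and the environment variables are assumptions. It runs tarsnap --fsck before every backup or restore as the post requires, and adds two checks worth having when one key is copied to several machines: the key file must not be readable by other local users, and a restore keeps the current local database aside instead of overwriting it.

```shell
#!/bin/sh
# kdbx-sync.sh: hypothetical wrapper for the post's Tarsnap workflow.
# Assumes ~/.tarsnaprc already points at the key copied to every machine.
set -eu

DB="${KDBX_DB:-$HOME/Passwords.kdbx}"        # local database path (assumed)
ARCHIVE="${KDBX_ARCHIVE:-keepass}"            # fixed archive name shared by all machines
KEYFILE="${TARSNAP_KEYFILE:-$HOME/tarsnap.key}"  # the key copied in step 2 (assumed path)

# The key decrypts every archive, so it must be private to this user.
check_key_perms() {
    [ -f "$KEYFILE" ] || { echo "missing key: $KEYFILE" >&2; return 1; }
    mode=$(stat -c '%a' "$KEYFILE" 2>/dev/null || stat -f '%Lp' "$KEYFILE")
    case "$mode" in
        400|600) return 0 ;;
        *) echo "key $KEYFILE has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# Another machine may have added or deleted archives since this one last ran;
# --fsck rebuilds the local cache so that -c, -d and -x see the current state.
resync_cache() { tarsnap --fsck; }

archive_exists() { tarsnap --list-archives | grep -qx -- "$ARCHIVE"; }

# Tarsnap refuses to create an archive whose name already exists, so the
# previous copy is deleted and a fresh one is written under the same name.
backup() {
    check_key_perms
    resync_cache
    if archive_exists; then tarsnap -d -f "$ARCHIVE"; fi
    tarsnap -c -f "$ARCHIVE" -C "$(dirname "$DB")" "$(basename "$DB")"
}

# Restore never overwrites blindly: the local file is kept aside so that
# edits made here but not yet backed up are not lost.
restore() {
    check_key_perms
    resync_cache
    if [ -f "$DB" ]; then cp -p "$DB" "$DB.local-$(date +%Y%m%d%H%M%S)"; fi
    tarsnap -x -f "$ARCHIVE" -C "$(dirname "$DB")"
}

case "${1:-}" in
    backup)  backup ;;
    restore) restore ;;
    *)       echo "usage: $0 backup|restore" >&2 ;;
esac
```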