I mostly agree! However, I plan on posting an article on HN soon discussing some of the issues with the .kdbx file format that KeePass and derivatives use within the next couple of days. KeePass has such great potential, but falls short compared to some of its (local) competitors.
It's not centralized, of course; you still have to download the entire database, and then potentially upload the entire database again for any changes; but it doesn't have these vulnerabilities.
Haha this was a powermove. It is genuinely great that since it’s just a file you can host it anywhere you want. S3, WebDAV, your own site. I personally use copyparty and WireGuard for my kdbx file. I find it better than syncthing because there’s an obvious master copy (edited in place), and there’s no good way to keep syncthing running all the time on iOS, which can lead to sync conflicts.
The database is encrypted, so theoretically it doesn't matter if other people have it, but what a chad. I suppose these are not your real passwords, or are low-value ones, because there could be zero-days we don't know about.
I recently orchestrated this, although in my case I've chosen to use 1password's cloud based store as my primary secret store, so I'm accepting some exposure right off the bat that you might not be comfortable with.
Basically, I have a borg backup job which runs every day, in a 3-2-1 replication strategy with the backups being sent both to a locally encrypted NAS (backups themselves have an additional layer of encryption via borg) as well as off-site with BorgBase. Those backups scoop up an export of 1password that I have a reminder to kick off manually about once a month via this script: https://github.com/eblume/blumeops/blob/main/mise-tasks/op-b...
The password that decrypts the key (along with the password that decrypts the backup) is stored on a piece of paper in a fireproof safe in my house. I've got a reminder to practice the entire DR process every six months, although I've only done it once so far as this is all pretty new.
I sync the database to my phone, and a couple of other devices too with syncthing. I need it on my phone anyway to log into accounts while I'm out and about.
Well, the same issue exists for your BitWarden recovery keys or 2fa method. You need to have proper and redundant off site backups for anything valuable.
One of the things the article touches on is encouraging these vendors to migrate their customers to more secure/modern security standards. How is this handled with KeePass with it being, by its very nature, decoupled?
Not the parent, but a heavy user of Keepass. When you unlock your database, you can re-key it with several options for encryption algorithm, key derivation, and the transform rounds. I also have it set up with my Yubikeys as a kinda-sorta two factor for an added layer of security.
To keep the encryption modern regular updates are made to the program, and any migration would happen when re-encrypting the database. Checking my earliest entry, I've used it for 15 years without a hiccup.
wps|8 days ago
delichon|8 days ago
arunc|8 days ago
LoganDark|8 days ago
It's not centralized, of course; you still have to download the entire database, and then potentially upload the entire database again for any changes; but it doesn't have these vulnerabilities.
wps|8 days ago
ASalazarMX|6 days ago
And I was queasy of hosting mine on Dropbox.
spacebuffer|8 days ago
eblume|8 days ago
I've documented the recovery process here: https://docs.eblu.me/how-to/operations/restore-1password-bac...
Basically, I have a borg backup job which runs every day, in a 3-2-1 replication strategy with the backups being sent both to a locally encrypted NAS (backups themselves have an additional layer of encryption via borg) as well as off-site with BorgBase. Those backups scoop up an export of 1password that I have a reminder to kick off manually about once a month via this script: https://github.com/eblume/blumeops/blob/main/mise-tasks/op-b...
The password that decrypts the key (along with the password that decrypts the backup) is stored on a piece of paper in a fireproof safe in my house. I've got a reminder to practice the entire DR process every six months, although I've only done it once so far as this is all pretty new.
It was fun to build!
JamesLeonis|8 days ago
judofyr|8 days ago
wps|8 days ago
unknown|8 days ago
[deleted]
Telaneo|8 days ago
Someone1234|8 days ago
JamesLeonis|8 days ago
To keep the encryption modern regular updates are made to the program, and any migration would happen when re-encrypting the database. Checking my earliest entry, I've used it for 15 years without a hiccup.