1. Information

  • Keeping the .keyx files separate from the .kdbx files minimizes accidental deletion.
    It also makes selecting the right .kdbx file easier when there are multiple KeePass databases.

  • Storing the files on the P:, T: or U: drive ensures everything is backed up.

  • Only the IT Department needs additional backups, to avoid being locked out.

    • When the file server is down, IT staff cannot access the password manager and therefore cannot reach the credentials needed to restore it.

  • Frequently used passwords should be given a name that identifies what they are used for.

  • Make sure these passwords are stored in a .kdbx database.

    Password Name                   Password Database
    -------------------------       -----------------
    <Company> Admin
    <Company> Level 1
    <Company> Root
    <Company> <User>
    <Company> SSH Private Key       <Company>.kdbx

1.1. Departmental Password Manager

  • The T:\<Department>\KeePass folder contains one or more .kdbx database files.

  • The T:\<Department>\KeePass\KeyFile folder contains one or more .keyx key files.

  • All department staff have read-only permissions to the T:\<Department>\KeePass folder.

  • One or more department staff have modify permissions to the T:\<Department>\KeePass folder.

  • The department staff can choose the name for the .kdbx database file.

  • However, both the .kdbx and .keyx files should have the same base name.

1.2. Personal Password Manager

  • The U:\<User> folder contains the <User>.kdbx database file and an optional <User>.keyx key file.

  • The user can use a key file, a password, or both to unlock the password database file.

2. Linux

2.1. Installation

  • Enter the following commands at a Command Line.

    sudo apt-get install keepassxc keepassxc-cli

2.2. Configuration

2.3. SSH Agent

2.4. Usage - CLI

  • Enter the following commands at a Command Line.

    DBFILE="/media/Teams/IT/KeePass/SMRU.kdbx"
    KEYFILE="/media/Teams/IT/KeePass/SMRU.keyx"
    TITLE="Mimecast - Douwe"
    keepassxc-cli show --all --key-file "${KEYFILE}" --no-password --show-protected "${DBFILE}" "${TITLE}"
    Title: Mimecast - Douwe
    UserName: douwe@shoklo-unit.com
    Password: ****************
    URL: https://login-uk.mimecast.com/u/login
    Notes: Mimecast ID:02-0092-00409
    
    Uuid: {2f01b15c-6c9d-1e49-8416-ef1f31f15112}
    Tags:
    TimeOtp-Secret-Base32: **************************
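When keepassxc-cli is scripted, its `show` output has to be parsed: one `Field: value` line per attribute, except that Notes may span several lines (blank ones included) up to the Uuid line, and protected fields are printed as asterisks unless `--show-protected` is given. The parser below is an added example, not part of this document or of KeePassXC; the sample output is constructed to match the format above and contains no real credentials.

```python
"""Parse the output of `keepassxc-cli show --all` into a dictionary."""
import re

# Constructed sample in the `keepassxc-cli show --all` format shown above
# (placeholder values, not real credentials).
SAMPLE_OUTPUT = """\
Title: VPN - Example
UserName: alice@example.com
Password: ****************
URL: https://vpn.example.com/login
Notes: Ticket: IT-1234
Second line of notes

Uuid: {00000000-0000-0000-0000-000000000000}
Tags:
TimeOtp-Secret-Base32: **************************
"""

# "Field: value"; the value is optional (e.g. an empty "Tags:" line).
FIELD_RE = re.compile(r"^([A-Za-z0-9_-]+):(?: (.*))?$")


def parse_show_output(text):
    """Return {field: value}. Lines after "Notes:" belong to the notes until
    the "Uuid:" line, so multi-line and blank note lines are preserved."""
    entry = {}
    current = None
    for line in text.splitlines():
        if current == "Notes" and not line.startswith("Uuid:"):
            entry["Notes"] += "\n" + line
            continue
        m = FIELD_RE.match(line)
        if m is None:
            raise ValueError("unexpected line: %r" % line)
        current = m.group(1)
        entry[current] = m.group(2) or ""
    entry["Notes"] = entry.get("Notes", "").rstrip("\n")
    return entry


def is_masked(value):
    """True when keepassxc-cli hid a protected field (all asterisks), i.e.
    the command was run without --show-protected."""
    return bool(value) and set(value) == {"*"}


def masked_fields(entry):
    """Names of the fields that were printed masked, sorted."""
    return sorted(k for k, v in entry.items() if is_masked(v))


if __name__ == "__main__":
    e = parse_show_output(SAMPLE_OUTPUT)
    print("masked fields:", masked_fields(e))
```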

3. Windows

3.1. Installation

  • Run the KeePassXC-2.7.12-Win64.msi file with administrative privileges.

  • Click Next.

  • Check I accept the terms in the License Agreement.

  • Click Next.

  • Check Create a shortcut on the desktop.

  • Uncheck Autostart KeePassXC on login.

  • Check Add KeePassXC to the PATH environment variable.

    C:\Program Files\KeePassXC
    
    ■ Create a shortcut on the desktop
    □ Autostart KeePassXC on login
    ■ Add KeePassXC to the PATH environment variable

  • Click Next.

  • Click Install.

  • Uncheck Launch KeePassXC.

  • Click Finish.

3.2. SSH Agent

  • Enable and start the OpenSSH Authentication Agent (ssh-agent) service.

  • Enter the following commands at a PowerShell Command Prompt with administrative privileges.

    Get-Service -Name ssh-agent | Set-Service -StartupType Automatic
    Start-Service -Name ssh-agent

4. Customization

  • Start KeePassXC.

  • Select Tools > Settings.

  • Select the Security page.

  • Set Clear clipboard after to 30 seconds.

  • Uncheck Lock databases after inactivity of.

    Timeouts                                Default         Custom
    ------------------------------------    -------         ------
    ■ Clear clipboard after                 10 sec          15 sec
    □ Lock databases after inactivity of    900 sec         900 sec
    □ Clear search query after              5 min           5 min

  • Uncheck Lock databases when session is locked or lid is closed.

  • Click OK.

  • Close KeePassXC.

4.1. Browser Integration

  • Start KeePassXC.

  • Select Tools > Settings.

  • Select the Browser Integration page.

  • Select the General tab.

  • Check Enable browser integration.

  • Check Chrome, Vivaldi, and Brave.

  • Check Chromium.

  • Check Firefox and Tor Browser.

  • Check Edge.

  • Check Request to unlock the database if it is locked.

  • Check Match URL scheme (e.g., https://example.com).

  • Uncheck Return only best-matching credentials.

  • Uncheck Allow returning expired credentials.

  • Check Search in all opened databases for matching credentials.

  • Select the Advanced tab.

  • Click OK.

  • Close KeePassXC.

Install the KeePassXC-Browser extension in the browser.

4.1.1. Google Chrome

  • Start Google Chrome.

  • Select Three-dots menu > Settings.

  • Select Extensions.

  • Select Chrome Web Store.

  • Type KeePassXC in the search bar and press Enter.

  • Select KeePassXC-Browser.

  • Click Add to Chrome.

  • Click Add extension.

  • Select KeePassXC-Browser | Details.

  • Select Extension options.

  • Select the CONNECTED DATABASES page.

  • For each .kdbx database:

    • Open KeePassXC and select a .kdbx database and make sure it is unlocked.

    • Go back to the browser and click Connect.

    • Type Chrome-<Database>.

    • Click Save and allow access.

  • Close Google Chrome.

4.1.2. Microsoft Edge

  • Start Microsoft Edge.

  • Select Three-dots menu > Settings.

  • Select Extensions.

  • Click Get extensions for Microsoft Edge.

  • Type KeePassXC in the search bar and press Enter.

  • Select KeePassXC-Browser.

  • Click Get.

  • Click Add extension.

  • Select KeePassXC-Browser | Details.

  • Select Extension options.

  • Select the CONNECTED DATABASES page.

  • For each .kdbx database:

    • Open KeePassXC and select a .kdbx database and make sure it is unlocked.

    • Go back to the browser and click Connect.

    • Type Edge-<Database>.

    • Click Save and allow access.

  • Close Microsoft Edge.

4.1.3. Mozilla Firefox

  • Start Mozilla Firefox.

  • Select Hamburger menu > Settings.

  • Select Extensions & Themes.

  • Type KeePassXC in the search bar and press Enter.

  • Select KeePassXC-Browser.

  • Click Add to Firefox.

  • Uncheck Allow extension to run in private windows.

  • Click Add.

  • Check Pin extension to toolbar.

  • Click OK.

  • Select KeePassXC-Browser | Three-dots menu > Manage.

  • Select Run in Private Windows | Allow, otherwise the Options menu item is not available.

  • Select KeePassXC-Browser | Three-dots menu > Options.

  • Select the CONNECTED DATABASES page.

  • For each .kdbx database:

    • Open KeePassXC and select a .kdbx database and make sure it is unlocked.

    • Go back to the browser and click Connect.

    • Type Firefox-<Database>.

    • Click Save and allow access.

  • Close Mozilla Firefox.

Is this really needed?

  • Enable Automatically fill in relevant credential entries.

  • Enable Automatically fill in single TOTP entries.

  • Firefox: Use Alt+Shift+O to paste the TOTP code.

4.2. Create Database File

  • Start KeePassXC.

  • Select Database > New Database.

  • Type <Database>.kdbx in the Database Name field.

  • Click Continue.

  • Click Continue.

  • Type the master password in the Enter password field.

  • Type the master password in the Confirm password field.

  • Click Done.

  • Select the T:\<Department>\KeePass folder.

  • Type <Database>.kdbx in the File name field.

  • Click Save.

  • Close KeePassXC.

4.3. Create Key File

  • Start KeePassXC.

  • Click Open Database.

  • Select a <Database>.kdbx file and click Open.

  • Type the master password and click Unlock.

  • Select Database > Database Settings.

  • Select the Security page.

  • Select the Database Credentials tab.

  • Click Remove Password.

  • Click Add additional protection.

  • Click Add Key File.

  • Click Generate.

  • Select the T:\<Department>\KeePass folder.

  • Type <Database>.keyx in the File name field.

  • Click Save.

  • Click OK.

  • Click Continue without password.

  • Close KeePassXC.

4.4. SSH Keys

Make sure the OpenSSH Client is installed.
Enable the SSH Agent integration plugin.

  • Start KeePassXC.

  • Select Tools > Settings.

  • Select the SSH Agent page.

  • Check Enable SSH Agent integration.

  • Choose Use OpenSSH.

  • Click OK.

  • Close KeePassXC.

4.4.1. Linux

Todo

4.4.2. Windows

  • See tools/ssh.adoc.

    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\rdp]
    "URL Protocol"="URL:RDP Protocol"
    
    [HKEY_CLASSES_ROOT\rdp\shell]
    
    [HKEY_CLASSES_ROOT\rdp\shell\open]
    
    [HKEY_CLASSES_ROOT\rdp\shell\open\command]
    @="cmd.exe /v:on /c set params=%1 && set params=!params:rdp://=! && start \"\" \"C:\\Windows\\System32\\mstsc.exe\" /v:!params:/=!"

    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\ssh]
    "URL Protocol"="URL:SSH Protocol"
    
    [HKEY_CLASSES_ROOT\ssh\shell]
    
    [HKEY_CLASSES_ROOT\ssh\shell\open]
    
    [HKEY_CLASSES_ROOT\ssh\shell\open\command]
    @="wt.exe ssh.exe %1"

5. Usage

5.1. SSH Keys

Create a company-wide or a personal SSH key pair.

  • Generate a private/public SSH key pair and store the keys in the Password Manager.

    # Linux: Generate and save keys in the "/tmp" folder.
    ssh-keygen -C info@<domain>   -f /tmp/id_ed25519 -t ed25519
    ssh-keygen -C <name>@<domain> -f /tmp/id_ed25519 -t ed25519

    # Windows: Generate and save keys in the "C:\Users\<User>\AppData\Local\Temp" folder.
    ssh-keygen.exe -C info@<domain>   -f %TEMP%\id_ed25519 -t ed25519
    ssh-keygen.exe -C <name>@<domain> -f %TEMP%\id_ed25519 -t ed25519

  • Paste the <Company> SSH Private Key passphrase and press Enter.

  • Type the <Company> SSH Private Key passphrase and press Enter.

Add the SSH key pair.

  • Start KeePassXC.

  • Click Open Database.

  • Select a <Database>.kdbx file and click Open.

  • Right click the <Company> SSH Private Key password entry and select Edit Entry.

  • Select the Entry page.

  • The username will be used as a key name in the agent (ssh-add -l).

  • The password will be used to unlock the key if it’s password protected.

  • Select the Advanced page.

  • Click Add file > Load from Disk in the Attachments panel.

  • Select the private key and click Open.

  • Click Add file > Load from Disk in the Attachments panel.

  • Select the public key and click Open.

  • Select the Auto-Type page.

  • Uncheck Enable Auto-Type for this entry.

  • Select the SSH Agent page.

  • Check Add key to agent when database is opened/unlocked.

  • Check Remove key from agent when database is closed/locked.

  • Uncheck Require user confirmation when this key is used.

  • Uncheck Remove key from agent after 600 seconds.

  • Choose Attachment and select the id_ed25519 private key stored in the Attachments.

  • Select the Browser Integration page.

  • Check Hide this entry from the browser extension.

  • Uncheck Skip Auto-Submit for this entry.

  • Uncheck Use this entry only with HTTP Basic Auth.

  • Uncheck Do not use this entry with HTTP Basic Auth.

  • Click OK.

  • Close KeePassXC.

  • Remove the SSH keys from the file system.

    # Linux.
    rm -f /tmp/id_ed25519*
    
    # Windows.
    del C:\Users\<User>\AppData\Local\Temp\id_ed25519*

  • Enter the following commands at a Command Prompt.

    where ssh-add           # C:\Windows\System32\OpenSSH\ssh-add.exe
    ssh-add.exe -l          # Error connecting to agent: No such file or directory
    ssh-add.exe -l          # The agent has no identities.
    ssh-add.exe -l          # 256 SHA256:eKrlNhMeMHd9XRYylZL/Op04ZeBvJETFDbOZqtT1gaU info@grendelgames.com (ED25519)
    ssh-add.exe -l          # 256 SHA256:+YfvDcXErjmuRPmPfRQhN7+zRIFHkcvP4MtojNmegks smru@HOMENB-FRL01 (ED25519)
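The `ssh-add -l` lines above show the agent's fingerprint of each loaded key; to confirm that the key KeePassXC pushed into the agent is the one whose id_ed25519.pub is stored in the Attachments, compute the fingerprint of that public key (SHA-256 over the decoded key blob, base64 without padding, as OpenSSH does) and look for it in the agent listing. This is an added example, not code from this document or from KeePassXC; the public key and the agent output are constructed for the test and are not real keys.

```python
"""Check that `ssh-add -l` lists the public key stored in KeePassXC."""
import base64
import hashlib
import re


def fingerprint(pubkey_line):
    """OpenSSH SHA256 fingerprint of an authorized_keys/.pub line."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_type(pubkey_line):
    """Key type embedded in the blob (first length-prefixed string)."""
    blob = base64.b64decode(pubkey_line.split()[1])
    n = int.from_bytes(blob[:4], "big")
    return blob[4:4 + n].decode()


# "<bits> SHA256:<fingerprint> <comment> (<TYPE>)", as printed by ssh-add -l
AGENT_RE = re.compile(r"^(\d+) (SHA256:\S+) (.*) \((\S+)\)$")


def parse_agent_list(text):
    """Parse `ssh-add -l` output into (bits, fingerprint, comment, type).
    Messages such as "The agent has no identities." yield no entries."""
    keys = []
    for line in text.splitlines():
        m = AGENT_RE.match(line)
        if m:
            keys.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return keys


def agent_has_key(agent_output, pubkey_line):
    """True when the agent lists the fingerprint of the given public key."""
    wanted = fingerprint(pubkey_line)
    return any(fp == wanted for _, fp, _, _ in parse_agent_list(agent_output))


def make_pubkey_line(key_bytes, comment):
    """Build an ssh-ed25519 .pub line from 32 raw bytes. Used only to
    construct the sample below; real keys come from ssh-keygen."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + key_bytes
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


# Constructed sample: a fake key and an agent listing that contains it plus
# an unrelated fingerprint (43 'A's is a placeholder, not a real key).
SAMPLE_PUBKEY = make_pubkey_line(bytes(range(32)), "info@example.com")
AGENT_LIST = ("256 %s info@example.com (ED25519)\n256 SHA256:%s other (ED25519)\n"
              % (fingerprint(SAMPLE_PUBKEY), "A" * 43))
```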

Add the public SSH key to the authorized_keys file on the server.

  • Start KeePassXC.

  • Click Open Database.

  • Select a <Database>.kdbx file and click Open.

  • Right click the <Company> SSH Private Key password entry and select Edit Entry.

  • Select the Advanced page.

  • Select the id_ed25519.pub public key.

  • Click Edit.

  • Copy the contents of the public key.

  • Click Cancel.

  • Click Cancel.

  • Close KeePassXC.

  • Log on with SSH to the remote server using password authentication.

  • Linux: Paste the contents of the public key in the /home/<user>/.ssh/authorized_keys file.

  • Windows: Paste the contents of the public key in the C:\Users\<User>\.ssh\authorized_keys file.

    • For members of the local Administrators group, Windows OpenSSH Server reads C:\ProgramData\ssh\administrators_authorized_keys instead by default.

  • Restart the OpenSSH Server.

    • Linux: sudo systemctl restart ssh

    • Windows Command Prompt: net.exe stop sshd && net.exe start sshd

    • Windows PowerShell: Restart-Service -Name sshd

5.2. SSH

  • Note: Add the

  • For SSH entries you can add ssh://<user>@<host> and

5.3. TOTP

  • Start KeePassXC.

  • Click Open Database.

  • Select a <Database>.kdbx file and click Open.

  • Right click a password entry and select TOTP > Set up TOTP.

  • Paste the 2FA/MFA secret in the Secret Key: field.

  • Click OK.

  • Close KeePassXC.

6. Other