4

I am using KeePassXC on my laptop, mobile and on my desktop. While I like that I have to re-enter the master password on my laptop, or validate with my fingerprint on mobile, I find it super annoying that I have to re-enter the master password on my desktop every day.

Is there a way to start KeePassXC with a bash script on boot and enter the password automatically?

I found a similar question for KeePassX here, but it's from 2014 and I don't understand the answer.

Adam
  • This would be a tremendous security risk if this was possible for most. I personally don't think it's a good idea and off-topic really for Ubuntu. – EODCraft Staff Feb 13 '20 at 07:10
  • @EODCraftStaff I agree with everything you said except the offtopicness – why wouldn’t using this software on Ubuntu be on-topic? – dessert Feb 13 '20 at 07:11
  • You're wanting a feature for KeePass to be enabled by Ubuntu... Why don't you contact KeePass? – EODCraft Staff Feb 13 '20 at 07:12
  • @EODCraftStaff I was hoping there is a general way in Ubuntu to start a program through bash script. I am not asking to build this as a feature into KeePass. However, I may have found the solution here: https://gist.github.com/dAnjou/b99f55de34b90246f381e71e3c8f9262. I just need to figure out how Keyring works. – Adam Feb 13 '20 at 07:20
  • Looks like a good approach you found there. Please write out as an answer for the benefit of future users if you get it working. You should rather start Keepassx from a launcher in your autostart folder, or manually form a launcher that unlocks it automatically. For sure, that is still less secure than entering the password each time, but it is the freedom of the well informed user to make the balance between security and convenience. – vanadium Feb 13 '20 at 09:12
  • @vanadium the source that I found is using the GNOME keyring, so I would need to unlock this which then automatically unlocks Keepassx. But this just moves the problem to GNOME keyring. Maybe it's just the best if I use the Firefox Password Manager for everything I need to access daily and everything else is Keepassx with master password. – Adam Feb 13 '20 at 16:27
  • The solution still is in the link you mentioned. If you do not want a password at all on your PC, then you still can feed the password directly. – vanadium Feb 14 '20 at 08:04

2 Answers

7

You can give a password to KeePassXC through standard input on the command line with the option --pw-stdin. Thus, in a most simple way, you can automatically open a KeePassXC database with a command like:

echo <yourpassword> | keepassxc --pw-stdin <path-to-your-database>.kdbx

This compromises security quite seriously compared to entering the password on opening directly, because your password is stored unencrypted in a file on your system.

A more secure option is to use another password vault, such as Gnome Keyring (Source). Your password is stored in an unreadable form, and one needs to be logged in as your user to be able to open KeePassXC or read the password.

You will need to install libsecret-tools for this to work.

First you need to store the KeePassXC password in the Gnome keyring. You can do this with the "Passwords and Keys" tool or with the command:

secret-tool store --label="KeePass <database_name>" keepass <database_name>

Next to a label, you are providing an attribute (here we choose "keepass") and a value (you can use the name of your database (<database_name>) or another string that should not contain spaces).

After login, you can then launch and unlock KeePassXC with the command

secret-tool lookup keepass <database_name> | keepassxc --pw-stdin <path-to-your-database>.kdbx

This option remains significantly less secure than supplying the password yourself while using KeePassXC, but the well-informed user should have the freedom to make the balance between security and convenience.

vanadium
  • I'm having the same issue as a user who answer-commented. The command works in that it starts KeePassXC and unlocks it, but a prompt to enter the password appears in the terminal window and I never get the cursor back. I tried adding a & to the command, and I could then press Enter to get the cursor back, but is there a cleaner way? – Organic Marble Mar 14 '21 at 14:12
  • @OrganicMarble That sounds as if you use autologin. To avoid any password prompt from Gnome keyring, you may need to set the password of the login keyring to nothing. But then you are probably better off with the `echo` approach. Then, only your KeePassX password is exposed (to someone able to snoop into your files) – vanadium Mar 14 '21 at 16:07
  • Thanks for your reply! I don't use autologin, and the prompt is from keepassxc specifically. Not from the keyring. It all works except the script hangs here wanting an entry. – Organic Marble Mar 14 '21 at 17:21
  • The prompt is `Database password:` – Organic Marble Mar 14 '21 at 17:38
  • Not sure what goes wrong. I use this approach now myself without issues. Could be a wrong reference to the password in secret-tool or a syntax error: without the pipe, keepassxc indeed would expect the password from the keyboard in the terminal. – vanadium Mar 14 '21 at 17:41
  • Thanks again for the reply. The database successfully unlocks, it's confusing. I am not smart on bash scripting; I'll continue to look into it. – Organic Marble Mar 14 '21 at 17:43
  • Facing the same issue as @OrganicMarble but I do have autologin. – Adam Jul 02 '22 at 20:32
  • @Adam if I set the script as an autostart (runs when I log in) it works without issue. It's only when I start the script manually that I get the prompt. In other words, the solution given in this answer works great for me in that it unlocks keepassxc at login without any interaction from me. (I use the second method, that starts with `secret-tool`.) – Organic Marble Jul 02 '22 at 20:42
  • @Adam This is normal behavior. The command starts KeepassXC, so the terminal is locked as long as KeepassXC is not closed, unless you would add `&` to start it in the background. You could also hit Ctrl+Z to suspend KeepassXC, which will release the prompt. The command `bg` then will resume KeepassXC in the background. – vanadium Jul 03 '22 at 08:48
0

Two years old I know.

Heed the security implications. If you simply prefer to have locally stored passwords and have no other persons accessing the computer, then this should be just fine. Otherwise, you may prefer to look into getting a Yubikey.

I have no experience of them, though I have looked into them and they are used for authentication, which is what you want to do. KeePassXC supports the use of a Yubikey.

With that said, I have a solution to the issue in the comments about the terminal hanging. The following is a little bash script.

Crack open your terminal.

touch KeePassLogin && chmod +x KeePassLogin && nano KeePassLogin

Enter the following code:

#!/bin/bash

secret-tool lookup keepass Passwords | keepassxc --pw-stdin ~/Secured/Passwords.kdbx & sleep 3 ; echo ''

The echo functions as the enter key would. If you are not familiar with nano, ctrl + x and then enter will save the file after you have made the changes.

Added a delay because it appears that the password prompt doesn't always appear in time for the echo. You can try a smaller sleep time if three seconds is too long for you.

Once you are back at the terminal prompt:

./KeePassLogin

You could now add a new startup application with "/path/to/KeePassLogin" as the command.

Update: I got to thinking about this, the security implications mainly, and with Yubikey coming to mind I chose to implement a little "security minded" addition.

I moved the KeePassXC database onto a USB drive and implemented this.

#!/bin/bash

# File: KeepassLogin check if specific security key is mounted.

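# Poll until a mount point containing "securityKey" shows up.
while [ -z "$mnt" ]; do
    mnt=$(lsblk --output MOUNTPOINT | grep securityKey)
    if [[ $mnt != "" ]]; then
        # Quote the path so it is passed to keepassxc as a single argument.
        secret-tool lookup keepass Passwords | keepassxc --pw-stdin "$mnt/KeePassXC.kdbx" > /dev/null 2>&1 &
        sleep 2
        echo "" > /dev/null 2>&1
    fi
    sleep 5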

done
exit

Add a startup application to run the file (browse to the file in the startup application GUI).

So, briefly, what this does: at login, KeepassLogin is set running. It will run every 5 seconds; you can adjust this as you see fit, maybe 60 seconds suits you. The loop runs until it finds the USB device (the lsblk line). I named it securityKey to make it easy to identify; change that to the label of your USB stick.

I have also sent the outputs to /dev/null, so if you do run the script manually, say from a keyboard shortcut, then you don't get the unnecessary output in the terminal.

So while it's not really a security feature, it's more secure than a database stored on the computer. You could have the database on your person and plug it in as and when needed.

So, it's not a Yubikey, but the idea is in a similar fashion.
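
Added example, not part of either answer above: a launcher for the `secret-tool` approach that refuses to start if the database file is accessible to other users or the keyring entry is missing, and backgrounds KeePassXC with its output discarded so the terminal is released. The function names and the `SECRET_TOOL`/`KEEPASSXC` override variables are assumptions made for illustration; `stat -c` assumes GNU coreutils, as on Ubuntu.

```shell
#!/bin/bash
# Added example; function names and the two override variables are hypothetical.
SECRET_TOOL=${SECRET_TOOL:-secret-tool}
KEEPASSXC=${KEEPASSXC:-keepassxc}

# Succeeds only if the database is a regular file owned by the current user
# with no group/other permission bits set (e.g. mode 600).
db_is_private() {
    [ -f "$1" ] && [ -O "$1" ] || return 1
    case "$(stat -c '%a' "$1")" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Look up the master password in the keyring and pipe it to KeePassXC.
# $1 = value stored under the "keepass" attribute, $2 = path to the .kdbx file
unlock_db() {
    db_is_private "$2" || {
        echo "refusing: $2 is missing or accessible to other users" >&2
        return 2
    }
    pw=$("$SECRET_TOOL" lookup keepass "$1") || pw=
    if [ -z "$pw" ]; then
        echo "no keyring entry for keepass=$1 (or keyring locked)" >&2
        return 3
    fi
    # printf is a shell builtin, so the password is never placed in the
    # argument list of an external process. Output is discarded and the
    # pipeline is backgrounded so the calling terminal gets its prompt back.
    printf '%s\n' "$pw" | "$KEEPASSXC" --pw-stdin "$2" >/dev/null 2>&1 &
    unset pw
}

# Stand-alone use: ./KeePassLogin <keyring-value> <path-to-database>
if [ "$#" -eq 2 ]; then
    unlock_db "$1" "$2"
fi
```

The distinct return codes (2 for a file problem, 3 for a keyring problem) make it easy to tell from a startup-application log why an unlock did not happen.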