In the last article we discussed password management tools that use server-side technology. Those tools are interesting and well suited to cloud installations. In this article, we discuss KeePassXC, a simple, cross-platform, open source application that uses a local file as its database.

The chief advantage of this password management software is its simplicity. No server-side technical expertise is required, making it available to any type of user.

Introducing KeePassXC

KeePassXC is an open source, cross-platform password manager. It started as a fork of KeePassX, which is a good product but not very actively developed. It stores secrets in a database encrypted with AES using a 256-bit key, which makes it reasonably safe to keep the database in cloud storage like pCloud or Dropbox.

In addition to passwords, KeePassXC allows you to store all kinds of information and attachments in the encrypted wallet. It also has a valid password generator that helps users manage their credentials properly.

Installation

This program is available in both the standard Fedora repository and the Flathub repository. Unfortunately, the version running in a sandbox cannot use browser integration, so I recommend installing the program via DNF:

sudo dnf install keepassxc

Create your wallet

To create a new database, there are two important steps:

  • Select the encryption settings: the default settings are quite secure. Increasing the number of transform rounds also increases the decryption time.
  • Choose the master key and extra protection: the master key must be easy to remember (if you lose it, your wallet will be lost!) and strong enough; a passphrase of at least four random words might be a good choice. As additional protection, you can select a key file (remember: you must always have it or you won’t be able to open the wallet) and/or a YubiKey hardware key.

The database file is saved to the file system. If you want to share it with other computers or devices, you can save it on a USB drive or in cloud storage like pCloud or Dropbox. Of course, if you choose cloud storage, it is recommended to use a particularly strong master password, preferably with extra protection.
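The two choices above interact, and the following Python example shows how (it is added here and is not part of the original article or of KeePassXC): it times a key derivation at several round counts and converts the result into the average offline search time for a four- or five-word passphrase. It assumes a 7776-word Diceware-style list and uses PBKDF2-HMAC-SHA256 as a stand-in for KeePassXC's own key derivation; the short word list and all function names are constructed for the demo.

```python
import hashlib
import math
import secrets
import time

# Constructed 16-word list for the demo only; a real Diceware-style list
# has 7776 words (assumption used for the entropy figures below).
DEMO_WORDS = ("anchor birch copper dune ember fjord garnet harbor "
              "ivory juniper kestrel lantern meadow nickel orchid pebble").split()
DICEWARE_SIZE = 7776

def passphrase(n_words=4, words=DEMO_WORDS):
    """Draw words with the OS CSPRNG (secrets), never the random module."""
    return " ".join(secrets.choice(words) for _ in range(n_words))

def entropy_bits(n_words, list_size=DICEWARE_SIZE):
    """Bits of entropy when each word is chosen uniformly and independently."""
    return n_words * math.log2(list_size)

def derive_key(master, salt, rounds):
    """Stand-in KDF (PBKDF2-HMAC-SHA256), not KeePassXC's actual KDF."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, rounds)

def seconds_per_guess(rounds, samples=3):
    """Measure one derivation: the cost of every unlock and every guess."""
    salt = secrets.token_bytes(16)
    start = time.perf_counter()
    for _ in range(samples):
        derive_key("guess", salt, rounds)
    return (time.perf_counter() - start) / samples

def years_to_search(n_words, per_guess_s, list_size=DICEWARE_SIZE):
    """Average offline search time on one core: half the passphrase space."""
    return (list_size ** n_words / 2) * per_guess_s / (365.25 * 24 * 3600)

if __name__ == "__main__":
    print("sample passphrase:", passphrase())
    print(f"4 words = {entropy_bits(4):.1f} bits, 5 words = {entropy_bits(5):.1f} bits")
    for rounds in (10_000, 100_000, 1_000_000):
        cost = seconds_per_guess(rounds)
        print(f"{rounds:>9} rounds: {cost * 1000:8.1f} ms per unlock | "
              f"4 words ~{years_to_search(4, cost):.2e} core-years | "
              f"5 words ~{years_to_search(5, cost):.2e} core-years")
```

Ten times the rounds costs you roughly ten times the unlock delay but adds only about 3.3 bits of work for an attacker, while one extra word adds about 12.9 bits.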

Create your first entry

Once the database is created, you can start creating the first entry. For a web login, enter a user name, password, and URL in the Entries tab. You can specify an expiration date for your credentials based on your personal policy. Another nice feature is downloading the favicon of the site and using it as the icon of the entry by pressing the button on the right.

KeePassXC also provides a nice password/passphrase generator: you can choose the length and complexity, and check the resistance to brute-force attacks.

Browser integration

KeePassXC has an extension for all major browsers. This extension allows you to fill in login information for all entries that have a URL specified.

You must enable browser integration in KeePassXC (Tools menu -> Settings) and specify the browser you want to use.

After installing the extension, you must establish a connection to the database. To do this, press the extension button, then the Connect button. If the database is open and unlocked, the extension will create an association key and save it in the database. This key is unique to the browser, so I recommend naming it appropriately.

When you open the login page specified in the URL field and the database is unlocked, the extension will offer you all the credentials associated with that page.

This way, you can get Internet credentials through KeePassXC without having to save them in the browser.

SSH Agent Integration

Another interesting feature of KeePassXC is its integration with SSH. If you use an SSH agent, KeePassXC can interact with it and add the SSH keys you have uploaded to your entries.

First, in the general settings (Tools menu -> Settings), you must enable the SSH agent and restart the program.

At this point, you need to upload your SSH key pair to the entry as an attachment. Then on the SSH Agent tab, select the private key from the attachment drop-down list. The public key is filled in automatically. Don’t forget to select the two check boxes above to add the key to the agent when the database is opened/unlocked and to remove it when the database is closed/locked.

Now open and unlock the database, and you can log in to SSH using the key saved in your wallet.

The only limitation is the maximum number of keys that can be added to the agent: the SSH server does not accept more than five login attempts by default, and every key the agent offers counts as one attempt. It is recommended not to increase this value for security reasons.


Via: fedoramagazine.org/managing-cr…

By Marco Sarti (Lujun9972

This article is originally compiled by LCTT and released in Linux China