Apr 10, 2012

After using KeePass Password Safe on my computers combined with KeePassDroid app on my Android phone for over a year, I recently looked into alternative password management solutions again, only to confirm this is still my favorite combination due to its security, flexibility, and price ($0), especially after I started using Dropbox for synchronization of password files across our family devices and computers.

KeePassDroid Limitations

Although I always recommend KeePassDroid to disciplined users, it used to lack convenient synchronization because it required mostly manual updates (copying the password file) between multiple computers and phones. Most users did it via the USB cable, and some used a “semi-cloud” synchronization by emailing the database to themselves as an attachment, both for easy access from their other computer/phone and as a backup copy, but that was still awkward. To make things worse, after the KeePass desktop application was upgraded to version 2.x, KeePassDroid wasn’t doing it justice: it remained fully compatible only with the older .kdb file format (version 1.x) and gained only read-only support for .kdbx files (version 2.x), meaning that if you ever changed a password from your phone or tablet, you had to go to a PC to update the password database and copy the newer one back to the device.

Workarounds

After (still) waiting too long for KeePassDroid’s read-write compatibility with KeePass 2.x files, most Android users are losing patience and abandoning KeePass. I wanted to move away from it as well, but the reasoning below made me stay. To eliminate the last piece of the puzzle preventing me from going wholeheartedly back to KeePassDroid, I checked what I’d be losing if we switched back to the older KeePass version 1.x for full compatibility with the outdated KeePassDroid. Although v2.x has more features, it turned out I wasn’t using any of them.

The older version has no built-in synchronization for online files, but (so far) I find Dropbox sync so simple and easy that I won’t miss that feature. If KeePassDroid finally gets improved, or if there’s a new compatible Android app based on KeePass (hear me, developers), then I’ll upgrade back to KeePass 2.x, but until then I’m perfectly OK with the older version. Moreover, it seems that both versions of KeePass are still being worked on, the last release of 1.x having come out in October 2011, well after I started using version 2.x.

After exporting my KeePass v2.x database (.kdbx extension) back to the 1.x format (.kdb extension) on my PC and double-checking that I wasn’t missing anything, I installed the older KeePass on our computers (actually you just copy the program folder) and added KeePassDroid to my wife’s phone. Proceeding toward my ultimate synchronization goal, I configured Dropbox synchronization between her phone and PC and added a folder for the KeePass password file. I did the same with my database file on my computers and Android gadgets. Now we can both read and write to our password databases from our phones.

KeePass Database File in Dropbox Android App

Since I’d read about some synchronization problems with earlier versions of the Dropbox app, I played it safe and copied the password store file from the Dropbox app to local storage each time before and after use (if updated), but that was too cumbersome.

Then I learned a very important trick: to keep the password file synchronized and accessible on your phone even for offline use, you need to make it a favorite (long-press the file and select “Favorite”) in the Dropbox Android app.

Once added to favorites, the synchronized password database file can also be found on the SD card in the folder Android/data/com.dropbox.android/files/scratch/FOLDERNAME (replace FOLDERNAME with the name of your folder), but I keep that information only for when I need to access and copy the file from outside the Dropbox app. So far, Dropbox and opening the file from it have been working flawlessly.

Installation and Configuration

Armed with this knowledge, I configured my wife’s password store and synchronization as follows:

1. Install Dropbox and KeePass on the PC
2. Place the (new or existing) password file in a folder within the synchronized Dropbox folder on the computer.
3. Install KeePassDroid on the Android gadget (phone and/or tablet)
4. Install and configure the Dropbox app on the Android gadget
5. Sync the Dropbox folder with online folders and mark the KeePass password file “favorite” for better synchronization and offline use.

Each time you need to use KeePass, open the Dropbox app, refresh (optional) and browse to the KeePass password file. When you press it, it should open in KeePassDroid and ask you for the password. Once done, save changes if any and close KeePassDroid, then (optional) refresh Dropbox once more to make sure it synchronized to the cloud, and that’s it. If you skip the optional steps the file should still synchronize to the cloud, but I don’t know how soon or how often.

That was sweet, but there’s more. I then configured our two Dropbox accounts for sharing of another KeePass database of our joint accounts, so both my wife and I can use and update it on all our gadgets and computers (excluding simultaneous edits).

Rock-Solid Security

Even if my Dropbox account is compromised, the attacker can’t do much with fully encrypted KeePass files (using the same AES encryption standard chosen by the US government). Moreover, I configured it for additional protection by requiring both a password and a key file for authentication, which was very simple to do. At first I mistakenly assumed that a key file had to be an encryption certificate, but no, ANY file can be selected as the key file – a text, audio, image, PDF, movie, zip, you name it; just make sure it never changes. When opening a KeePass database configured this way, the key file just has to be on the same computer or gadget (apparently even if it is on a removable drive such as a CD, USB thumb drive, SD or microSD card). You put the same key file on all your computers and phones with KeePass or KeePassDroid, but you don’t put it with the database on Dropbox, so even if the attacker somehow figures out the password, the database still can’t be accessed without the key file.
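To illustrate why the key file acts as a second factor (and why the file must never change), here is a small Python model of the composite-key construction KeePass documents: the password and the key file each contribute a 32-byte value, and the two are hashed together. This is example code written for this post, not KeePass’s own source; it stops at the composite key (KeePass then runs it through further key-transformation rounds before AES) and does not model the XML key files KeePass can generate itself.

```python
import binascii
import hashlib
from typing import Optional


def key_file_key(data: bytes) -> bytes:
    """Contribution of a key file, following the rules KeePass documents:
    a 32-byte file is used raw, a 64-character hex file is decoded, and any
    other file (text, image, zip, ...) contributes the SHA-256 of its bytes."""
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return binascii.unhexlify(data)
        except binascii.Error:
            pass  # not a hex key file: treat it as an arbitrary file
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """32-byte composite key: each present source is reduced to 32 bytes,
    the pieces are concatenated, and the result is hashed once more."""
    if password is None and key_file is None:
        raise ValueError("at least one of password or key file is required")
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        parts += key_file_key(key_file)
    return hashlib.sha256(parts).digest()


def key_file_fingerprint(data: bytes) -> str:
    """Hex SHA-256 of the key file; compare it across devices before relying
    on a copy, since a single changed byte yields a different composite key."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Constructed sample: a few bytes standing in for a holiday photo.
    photo = b"\x89PNG\r\n\x1a\n" + b"holiday-2011" * 8
    password = "correct horse battery staple"
    print("password only  :", composite_key(password, None).hex())
    print("with key file  :", composite_key(password, photo).hex())
    print("key file edited:", composite_key(password, photo[:-1] + b"?").hex())
    print("fingerprint    :", key_file_fingerprint(photo))
```

Running it shows that the same password yields three unrelated keys depending on whether the key file is absent, intact, or altered by one byte, which is why a correct password alone does not open the Dropbox copy.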

Quick Comparison of KeePass Software

Here is a quick comparison of the KeePass v1.x and v2.x Windows versions. I stuck to the basics, but if you want more details use the link below.

KeePass 1.x

- Can attach one file to each entry
- Locks the password file while editing (it can’t get corrupted even if the computer crashes in the middle)
- Doesn’t require .NET on the Windows PC (and is very fast)
- Has no synchronization features, no history
- Allows no entries in the root of the database (must be in a sub-container)

KeePass 2.x

- Was rewritten using .NET
- Has remote synchronization features
- Allows entries in the root of the database tree
- Keeps entries history
- Has full Unicode support
- Allows authentication/access via the Windows user account
- Enables custom string fields to be added to entries; for example, you could add a reminder field (take a helmet) to the entry holding the pod bay door HAL override password.
- Allows import of external icons
- Can attach multiple files to each entry
- Has a multi-user option (for shared file editing)

You can see a full in-depth comparison between KeePass v1.x and v2.x at their web site.

Both Versions

- Extremely secure, particularly with password and key file combined
- Easy to configure the basics
- Total portability without any installation or registry/ini file edits – the single exe file works when you click on it after unzipping it and pointing it to the database (passwords) file.

Both versions are free, open-source software under the General Public License. This has huge advantages in the security world because anybody can obtain and review the source code to make sure there are no back doors, unwanted recipients, or weak spots and risks for your confidential data. When used in combination with KeePassDroid on my Android phone and tablet, KeePass gives me peace of mind and confidence that my passwords can be kept secure and different for every account I have. I still hope to see a more up-to-date Android app with full compatibility with version 2.x.

EDIT June 21, 2012: I recently tested password synchronization between KeePass and KeePassDroid via Google Drive, but unfortunately that doesn’t work either.

- – - – - – - -

If you find this page helpful you can tip me with a dollar or a few using the “Tip Me” link on top.

If you are using KeePass consider donating at http://keepass.info/donate.html

If you are using KeePassDroid you can donate at http://keepassdroid.com

  • Optinicolas

    Great review and walk-through and I heartily agree with your reasoning.
    But… now of course we all want it to work with Google Drive. My attempts have been fruitless: KeePassDroid either misses write access to the .kdb on the phone, or the .kdb keeps getting overwritten from the cloud.
    Have you already tried syncing with Google Drive instead of Dropbox?

    • http://deputycio.com/ Zarko

      Yes, I wanted to try KeePassDroid and KeePass with my Google Drive as well, but haven’t done it yet. I’ll post my results here or create another post if I succeed. Thanks!

      • Marco

        @DeputyCIO:disqus Any progress on the Google Drive + KeePass experiment? I’d love to use that combination and finally abandon Dropbox :)

        • http://deputycio.com/ Zarko

          I just started testing it, moved the kdb file into the Google Drive folder on the PC, then synchronized and marked the KeePass file for offline use on the phone and I’ll let you know the results.

        • http://deputycio.com/ Zarko

          No success, unfortunately. Perhaps things will get better with time or when there’s an Android app that supports both Google Drive and KeePass. Read more in my new post: http://deputycio.com/7793/google-drive-and-keepassdroid-dont-mix-well.

  • http://www.facebook.com/profile.php?id=2524958 Sam Dey

    I used Google Drive to sync my KeePass database with the KeePass iPhone app. It required a workaround. When I switched to Android, I tried the workaround again, with no success.
    I also tried using save for offline with Google Drive for Android to save the database. I could open the database, but not edit it. The folder Google Drive saves it in doesn’t have write permissions.

    • http://deputycio.com/ Zarko

      Thanks, and that’s why I’m still on Dropbox, where the updated file is saved locally and synchronized once connected to the internet. This is crucial at sites with horrible phone reception and/or no WiFi/Ethernet.