Read the update at the bottom.



Problem

I’ve arrived at the point that I’m fed up with the f* passwords. I can’t memorize them all so I usually write them in an exercise book that I keep at home. But what if I need something from it at my workplace? On the other hand, this booklet is already full (with other pieces of info too), so when I need a password from it, I need to search it for minutes… Damn. It would be so nice if I had all this information in a file on my machine but in a secure way.

Solution

The ideal solution is a password manager. But which one to choose? There are a lot. Since I also use Windows from time to time, I needed a cross-platform solution. First I thought of using a command line manager but finally I decided to use a graphical one; after all it looks nicer and easier to use (and I didn’t want to learn new command line options that I forget if I don’t use it for a few weeks…). This is how I got to KeePassX, which perfectly fulfills my needs. It’s also in the Ubuntu repos.

As I use several machines, the password database should be available everywhere. So let’s store it on Dropbox. But how safe is it? Well, it’s rather safe; your KeePassX database has a master password, which uses an AES-256 encryption but still… the devil never sleeps. Could we add an extra layer of security?

Yes, we could. With TrueCrypt you can create an encrypted file that can be mounted as a new volume (as if you had attached a USB stick for instance). I put the KeePassX database on this volume. Thus, in order to use the database, first I must mount the container file as a TrueCrypt volume, and then I can open the database file, but it also asks for the master password. Now I dare put the TrueCrypt container file on Dropbox :)

So, here is my setup (summary):

Create a KeePassX database and provide a master password. You can change this password later under the File menu. It uses AES-256 encryption.

Create a container file with TrueCrypt. The KeePassX database is very small so I set the container’s size to 1 MB. Encryption algorithm: AES-Twofish-Serpent cascading encryption with the XTS method. Hash algorithm: Whirlpool (tip from here). Of course, use a different password for this container file than for the KeePassX database. The TrueCrypt password should be long (20 to 30+ characters).

Mount the container file and move the KeePassX database on the mounted volume.

OK. So far so good. But how to use the database painlessly? I made a simple script that mounts the container file and then opens the database. Just customize the constants in the header part. Launch it and simply type in the passwords. Instead of one password (for the database), you will have to provide two extra ones (for the TrueCrypt volume and your root password for being able to mount a new volume). I think this sacrifice is worth considering the additional security you gain. It may be a bit paranoid but on the Internet be paranoid. You know: Trust is a weakness :)

#!/usr/bin/env python """ Start KeePassX. Mount the truecrypt container if necessary. by Jabba Laci 2013 (jabba.laci@gmail.com) https://ubuntuincident.wordpress.com/2013/04/14/keepassx-truecrypt-dropbox/ """ import os TRUECRYPT = '/usr/bin/truecrypt' KEEPASSX = '/usr/bin/keepassx' # CONTAINER_FILE = "{home}/Dropbox/keepassx/container.dat".format( home=os.path.expanduser('~') ) MOUNT_POINT = '/media/truecrypt9' KDB = '/media/truecrypt9/JabbaDB.kdb' def mount_truecrypt_file(): """ Open the truecrypt container file that includes the keepassx database. """ if not os.path.isfile(KDB): cmd = 'sudo {tc} {container} {mount}'.format( tc=TRUECRYPT, container=CONTAINER_FILE, mount=MOUNT_POINT ) print '#', cmd os.system(cmd) else: print '# container already mounted to', MOUNT_POINT def open_kdb(): """ Open the keepassx database file on the previously mounted volume. """ if not os.path.isfile(KDB): print "Error: the container file was not mounted." else: cmd = "{kpx} {f} &".format(kpx=KEEPASSX, f=KDB) print '#', cmd os.system(cmd) def main(): mount_truecrypt_file() open_kdb() ################################################################### if __name__ == "__main__": main()

[ comments @reddit ]

Update (20130501)

After two weeks of usage, I think adding truecrypt is an overkill. The problem is the following: I want to use this keepassx database on several machines, that’s why I put it on dropbox. That’s fine. But each time I need to mount the truecrypt volume that I often forget to dismount. At my workplace my machine is always on, so sometimes (often) I leave the volume mounted when I go home. If I want to add a new password to the database at home, dropbox creates a conflicted copy of the truecrypt file when I save the keepassx database. So I end up with two different databases that I will have to merge manually. It’s already happened to me 2 or 3 times…

So I removed truecrypt from the chain. Now I have a keepassx database (with a long password) stored on dropbox. I only have to pay attention to close keepassx when I leave my workplace but it’s feasible: when I copy a password from it, I close it immediately.