Feature #15297
Replace KeePassX with KeePassXC
100%
Description
KeePassXC is an fork of KeePassX packaged for Debian GNU/Linux
It more actively maintained than KeePassX and could be a sane replacement.
What do you think ?
Files
Subtasks
Related issues
Has duplicate Tails - |
Duplicate | 2018-03-22 | |
Blocks Tails - |
Resolved | 2019-01-05 | |
Blocks Tails - |
Resolved | 2019-01-05 |
History
#1 Updated by intrigeri 2018-02-10 06:24:06
- Subject changed from replace KeePassX with KeePassXC to Replace KeePassX with KeePassXC
- Status changed from New to Confirmed
- Target version set to Tails_4.0
- Parent task set to
Feature #15182 - Type of work changed from Debian to Research
We’ll probably have to do that in Tails 4.0 in order to drop Qt4 (Feature #15182).
#2 Updated by intrigeri 2018-02-10 06:31:52
KeePassX 2.1 will support Qt5 but that’s been in upstream Git for 2.5 years and not released yet. So:
- if KeePassX 2.1 is in Buster: we’ll need to decide purely based on other factors, e.g. UX and cost/benefit of the migration (doc update, possibly migrating data & persistence config, changing users’ habits), integration with the rest of the system and so on
- if KeePassX in Buster does not support Qt5: we’ll need to decide based on the aforementioned factors + the benefits of dropping Qt4 from the ISO + the advantages of shipping a Qt5 password manager (e.g. better accessibility IIRC but I didn’t try recently)
#3 Updated by intrigeri 2018-02-10 06:32:06
- Subject changed from Replace KeePassX with KeePassXC to Consider replacing KeePassX with KeePassXC
- Affected tool set to Password Manager
#4 Updated by jvoisin 2018-02-27 21:35:36
We might want to wait a bit for its codebase to stabilize a bit before considering a move, to avoid issues like bringing down the WiFi or corrupting password databases .
#5 Updated by intrigeri 2018-02-28 08:47:50
FTR this one is caused by a Qt bug and only affects OS X. But regardless, we’ll want to disable favicon fetching if we switch to KeePassXC. And even disallow network access to KeePassXC once AppArmor supports this in Linux mainline.
> or corrupting password databases .
That one is caused by a bug in a beta version of Qt so IMO it is no indication of KeePassXC’s codebase maturity.
#6 Updated by sajolida 2018-03-14 15:36:50
I talked to several people at IFF who were really enthusiastic about KeePassXC as a new active replacement of KeePassX. Two cool features were mentioned to me: diceware passphrase (original code by @micahflee) and two-factor authentication seeding.
#7 Updated by intrigeri 2018-03-22 12:18:28
- has duplicate
Feature #15439: KeePassXC password manager added
#8 Updated by micahflee 2018-07-27 10:12:07
I would love for Tails to switch from KeePassX to KeePassXC. The main reason is KeePassX is a completely abandoned project now, and KeePassXC includes all the same features as well as several new genuinely useful features.
One of these is a Diceware passphrase generator instead of just a random character password generator. (I actually developed the Diceware generator for KeePassX and made a pull request, but because KeePassX is a dead project it got ignored. The KeePassXC project ultimately merged my feature into their project and have since improved the usability.) Another awesome feature is supporting requiring a Yubikey for challenge/response to unlock your passwords.
Also, both of the cited KeePassXC issues above are now closed, btw.
#9 Updated by intrigeri 2018-07-28 03:32:49
Any suggestion wrt. how to handle a pre-existing persistent KeePassX database? More specifically:
- does KeePassXC use the same directory to store its data?
- does KeePassXC automatically import (and if needed, convert) data from KeePassX? if not, is there a way for users to do this manually via a GUI?
#10 Updated by micahflee 2018-07-28 08:17:05
KeePassX and KeePassXC both have (I believe) config files in separate folders. But they deal with the .kdbx password databases in the same way, and they use the exact same format. So it should be simple, you can just load your old KeePassX database in KeePassXC and it will “just work”.
#11 Updated by intrigeri 2018-07-28 09:34:10
> KeePassX and KeePassXC both have (I believe) config files in separate folders. But they deal with the .kdbx password databases in the same way, and they use the exact same format. So it should be simple, you can just load your old KeePassX database in KeePassXC and it will “just work”.
OK. It would be sweet if someone particularly interested in this proposal figured out a nice way to handle this automatically on upgrades. Starting points:
- The Git history of
config/chroot_local-includes/usr/local/sbin/live-persist
has examples of how to migrate persistence settings (to deal with the new directory name). config/chroot_local-includes/usr/local/bin/keepassx
is a wrapper that handled KeePassX 1.x → 2.x migration.- We need a KeePassXC config file that achieves the same as
config/chroot_local-includes/etc/skel/.config/keepassx/keepassx2.ini
wrt. making data loss hard and initial config easy, i.e. when saving the DB for the first time, a standard filename in the standard persistent directory is pre-selected.
#12 Updated by intrigeri 2018-09-12 06:59:22
- Parent task deleted (
)Feature #15182
#13 Updated by intrigeri 2018-09-12 06:59:32
- blocks
Feature #15182: Drop Qt4 on Buster added
#14 Updated by hefee 2019-01-04 09:50:59
- Assignee set to hefee
#15 Updated by hefee 2019-01-04 11:01:50
A good starting point:
https://tails.boum.org/doc/encryption_and_privacy/manage_passwords/index.en.html
and this would be needs to updated if switching to KeePassXC.
#16 Updated by hefee 2019-01-04 11:08:37
intrigeri wrote:
> * The Git history of config/chroot_local-includes/usr/local/sbin/live-persist
has examples of how to migrate persistence settings (to deal with the new directory name).
> * config/chroot_local-includes/usr/local/bin/keepassx
is a wrapper that handled KeePassX 1.x → 2.x migration.
so far the fileformat hasn’t changed so we don’t have to update the files itself. I see no need to rename the file to keepassxc.kdbx. Maybe do a backup before starting keepassxc the first time, just in case?
> * We need a KeePassXC config file that achieves the same as config/chroot_local-includes/etc/skel/.config/keepassx/keepassx2.ini
wrt. making data loss hard and initial config easy, i.e. when saving the DB for the first time, a standard filename in the standard persistent directory is pre-selected.
the config file is now keepassxc and we can archive the same:
q
config/chroot_local-includes/etc/skel/.config/keepassxc/keepassxc.ini
#17 Updated by hefee 2019-01-04 11:33:01
There is a new kdbx 4:
https://keepass.info/help/kb/kdbx_4.html
KeePassX and KeePAssXC supports both kdbx 3.1
You need to update to this format by hand by switching Encryption Algorithm to “ChaCha20”, and the Key Derivation Function to “Argon2”:
https://keepassxc.org/docs/#faq-security-kdbx4
https://theorangeone.net/posts/keepassxc-2.3-migration/#kdbx4
#18 Updated by intrigeri 2019-01-04 13:50:36
> so far the fileformat hasn’t changed so we don’t have to update the files itself.
Great!
> I see no need to rename the file to keepassxc.kdbx. Maybe do a backup before starting keepassxc the first time, just in case?
Good idea. And drop the migration code we had for Tails 2.x → 3.x.
>> * We need a KeePassXC config file that achieves the same as config/chroot_local-includes/etc/skel/.config/keepassx/keepassx2.ini
wrt. making data loss hard and initial config easy, i.e. when saving the DB for the first time, a standard filename in the standard persistent directory is pre-selected.
> the config file is now keepassxc and we can archive the same:
> config/chroot_local-includes/etc/skel/.config/keepassxc/keepassxc.ini
Looks like we don’t suggest making that file persistent so perhaps there’s nothing more to do :)
#19 Updated by intrigeri 2019-01-05 10:48:50
- blocks
Feature #16284: Update doc for KeePassXC added
#20 Updated by Anonymous 2019-01-05 20:23:47
- Status changed from Confirmed to In Progress
Applied in changeset commit:tails|3fc38399c0fc5013cec19b09f7b8556197c55b62.
#21 Updated by hefee 2019-01-05 20:28:51
- Assignee deleted (
hefee) - % Done changed from 0 to 70
- QA Check set to Ready for QA
- Feature Branch set to hefee/feature/15297-keepassxc
I made a manual test to upgrade from a Tails 3.11 with KeePassX (at Persistent/keepassx.kdbx) to a Tails 3.11 with KeePassXC and a feature/buster build with KeePassXC. And everytime I could directly start and use KeePassXC. So ready for QA.
#22 Updated by hefee 2019-01-05 20:30:00
- Subject changed from Consider replacing KeePassX with KeePassXC to Replacing KeePassX with KeePassXC
#23 Updated by hefee 2019-01-05 20:30:25
- Type of work changed from Research to Code
#25 Updated by lamby 2019-01-06 08:53:17
- File tails-amd64-hefee_feature_15297-keepassxc-3.12-20190105T2138Z-3fc38399c0.buildlog added
- File 2019-01-06_09-50.png added
- File 2019-01-06_09-50_1.png added
- File 2019-01-06_09-52.png added
- Assignee changed from lamby to hefee
- QA Check changed from Ready for QA to Pass
Testing this branch (attaching .buildlog
)…
Great stuff. Appears to all work as expexted, although it does allow /terrible/ master passwords (eg. “q
”)
(See attached screenshots)
#26 Updated by hefee 2019-01-06 10:28:40
- Assignee changed from hefee to intrigeri
@intrigeri: please merge & commit, as I have no commit access.
#27 Updated by intrigeri 2019-01-06 12:06:08
- Status changed from In Progress to Fix committed
- % Done changed from 70 to 100
Applied in changeset commit:tails|92b4ef1c14185aadb11c1ba9740169ea979736fc.
#29 Updated by Anonymous 2019-01-07 16:40:25
- Status changed from Fix committed to In Progress
Applied in changeset commit:tails|6c249eaa0ff5575a59d852bc84c737265d98be10.
#30 Updated by intrigeri 2019-01-07 19:34:06
- Subject changed from Replacing KeePassX with KeePassXC to Replace KeePassX with KeePassXC
- Status changed from In Progress to Resolved