Linux geekiness taken professionally

Secrets management with KeePassX

2013-12-01 by Karol Szafrański, tagged as gpg, linux, personalsec

That some form of password management is unavoidable these days is nothing new; dozens of articles have been written on it. But for the needs of a personal security policy I'll try to put a reasonable summary here, based on my experience.


KeePassX is my secrets manager of choice (and it is much more than a password manager). Why secrets? I'll discuss that in a moment. And why KeePassX? First of all, it is open source, free software. It can never be repeated enough: you cannot seriously talk about security in anything that is not open source [1]. It is also proven and cross-platform. Although the newer KeePass 2, which is slightly more versatile, can be run on GNU/Linux with Mono, it has display issues related to font width in password input boxes, which is rather confusing. Also, the Linux version cannot export data to the KDB v1 format. That's why I stick to KeePassX.

As for online services like LastPass, I definitely would not trust such solutions, especially in the post-Snowden, post-Lavabit-shutdown era [2]. I also experienced a sad case with a Polish free email provider around ten years ago: my whole account disappeared without a trace, evaporating two years of my communication. The login name became free; I even set up another account under the same name. I did not violate the TOS, but since I was not a paying customer, their support generally ignored the issue, responding "sorry, it will happen sometimes, we do not back up mailboxes". I'm not going to risk that with all my online access data.

It only begins with passwords

Why did I mention a secrets manager at the beginning of this post? Because there is much more than just passwords that can, and definitely should, be stored in the secure manner KeePassX provides. What else to put in, as text notes and file attachments?

Yes, it is a lot of data. It's worth compressing the attachments and using separate database files for different kinds of data. At this point let me remind you of some classics on password strength and reuse.

Mom, please put this on the shelf and undust once a week

The worst thing you can do is keep the only copy of your backup decryption keys inside the encrypted backup itself. Also, a KeePassX bug or a power outage may trash your KDB file. Before that happens, make a few external copies. Put one of them on a CD or flash drive and keep it in a bank vault, in your office or at a relative's or friend's house: offline and offsite.
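As an added example (not code from the original post, and nothing KeePassX ships), here is a small POSIX shell helper for the routine just described: it makes a dated, compressed copy of a KDB file to an external location such as a mounted flash drive, records a SHA-256 hash and verifies the copy reads back with it, so a trashed copy is noticed before you actually need it, and keeps only the last few copies. The function names, the paths and the use of gzip and sha256sum are my assumptions for a GNU/Linux box; the database itself stays encrypted exactly as KeePassX wrote it, and the master password is never touched.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU coreutils (sha256sum)
# and gzip, and a KDB file written by KeePassX (already encrypted on disk).

# kdb_backup <source.kdb> <backup_dir> [keep_count]
# Writes <backup_dir>/<name>.<UTC timestamp>.gz plus a .sha256 file, verifies
# the copy decompresses to the same bytes as the source, prunes older copies
# so only keep_count (default 5) remain, and prints the new copy's path.
# Returns 0 on success, 1 on any failure (a failed copy is removed again).
kdb_backup() {
    src="$1"; dest="$2"; keep="${3:-5}"
    [ -f "$src" ] || { echo "no such database: $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    base=$(basename "$src")
    out="$dest/${base}.${stamp}.gz"

    # Hash the original first, then confirm the stored copy yields the same hash.
    orig_sum=$(sha256sum "$src" | cut -d' ' -f1)
    gzip -c "$src" > "$out" || return 1
    copy_sum=$(gzip -dc "$out" | sha256sum | cut -d' ' -f1)
    if [ "$orig_sum" != "$copy_sum" ]; then
        echo "verification failed for $out" >&2
        rm -f "$out"
        return 1
    fi
    # Record the hash next to the copy so it can be re-checked later.
    echo "$orig_sum  $base" > "$out.sha256"

    # Prune: the timestamp sorts lexically, so the oldest copies come first.
    n=$(ls -1 "$dest"/"$base".*.gz 2>/dev/null | wc -l)
    excess=$((n - keep))
    if [ "$excess" -gt 0 ]; then
        ls -1 "$dest"/"$base".*.gz | sort | head -n "$excess" | while read -r old; do
            rm -f "$old" "$old.sha256"
        done
    fi
    echo "$out"
}

# kdb_verify <copy.gz>
# The periodic "undust" check: re-hash a stored copy and compare it with the
# hash recorded at backup time. Returns 0 if it matches, 1 otherwise.
kdb_verify() {
    copy="$1"
    [ -f "$copy" ] && [ -f "$copy.sha256" ] || return 1
    want=$(cut -d' ' -f1 "$copy.sha256")
    have=$(gzip -dc "$copy" 2>/dev/null | sha256sum | cut -d' ' -f1)
    [ "$want" = "$have" ]
}

# Typical use (paths are assumptions): back up to a mounted drive, keep 5 copies,
# and verify every copy on that drive once a week.
#   kdb_backup "$HOME/secrets.kdb" /media/usb/kdb-backup 5
#   for f in /media/usb/kdb-backup/*.gz; do kdb_verify "$f" || echo "BAD: $f"; done
```

The hash file is deliberately stored beside the copy rather than inside it: the point is to detect a bit-rotted or half-written file, not to authenticate it, and the confidentiality of the contents still rests entirely on the KDB encryption and a master password that lives nowhere on that drive.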

[1] In this case it is a direct quote from Emil Ivov of the Jitsi project, taken from a session at FOSDEM 2013 - see the video here.
[2] Lavabit was a privacy-oriented email service used by Edward Snowden. Its founder decided to close the business rather than jeopardize the privacy of his 350k customers by following a secret court order and giving up the SSL encryption keys to the authorities, who wanted to access Snowden's correspondence. His case has become one more proof that governments will breach privacy on a mass scale unscrupulously, even when targeting an individual.