What do you use for syncing your password manager between your Android phone and your PC? Apparently Nextcloud doesn’t support two-way syncing on Android for some reason, and Syncthing-Fork is still untrustworthy since the disastrous handover. The AI-generated profile picture of researchxxl doesn’t exactly inspire confidence either, and neither does his GitHub bio:

Hi! My name is Jonas and I like to use my coding skills from games and modding to continue work on the Syncthing for Android wrapper.

Everything about this person screams vibe coder.

Bitwarden is an alternative, but I don’t like how non-standard it is. It’s cumbersome to manage and back up, meanwhile the KeePass format is just a file that I can back up wherever and however I want and there are many frontends to choose from.

Have you solved this?

  • Scott 🇨🇦🏴‍☠️@sh.itjust.works
    1 month ago

    On Android I use KeePassDx and Syncthing-Fork. The handover was rough but the maintainer of the Play version joined researchxxl’s team. Many on the Syncthing forum seem to have accepted research which is good enough for me. Also, KeePass’s database is encrypted so no danger there.

    • GlenRambo@jlai.lu
      1 month ago

      Do you store TOTP in a separate KeePass?

      For me swapping between two Keepass DBs is annoying. I can’t find anything that will sync my 2FAs.

  • Hemingways_Shotgun@lemmy.ca
    1 month ago

    Bitwarden.

    Paid. Not because I need the added paid features, but because I value it and want to show my appreciation for the developers.

  • Hanrahan@slrpnk.net
    1 month ago

    bitwarden

    Seems odd you say how cumbersome it is to manage and back up (not an issue I’ve faced though) and yet you are using some cumbersome alternative?

  • teawrecks@sopuli.xyz
    1 month ago

    I use Nextcloud + KeepassDX on android and KeepassXC on PC. Have never had an issue. Changes on desktop/phone are propagated virtually immediately across devices.

  • themachine@lemmy.world
    1 month ago

    I use keepass2android and “sync” via its native WebDAV support with my nextcloud instance as the source. Been working great forever.

  • Creat@discuss.tchncs.de
    1 month ago

    If you’re using a keepass database, Keepass2Android can natively sync with many cloud options including self hosted and generic ones, even without specific “companion” apps. That’s what I use. In my case, it’s backed by my NextCloud, but it used to be Google drive before.

    Just also sync the file on your PC, merging changes from different clients is part of the keepass database format and “just works”.

    Also VaultWarden works great if you can self-host it, but I prefer keepass for a variety of features and integrations.

  • ilmagico@lemmy.world
    1 month ago

    I use KeepassDX syncing via Nextcloud, works flawlessly. I also used to use Keepass2Android, also works very well.

    Can you elaborate on the “nextcloud doesn’t support 2-way syncing on android” statement? I can sync my Keepass database back and forth without issues.

    • digger@lemmy.ca
      1 month ago

      I am also using KeepassDX and Nextcloud. I’ve had this setup for years and never had an issue with syncing.

      • ilmagico@lemmy.world
        1 month ago

        I see where you’re coming from. I also really wanted that in my early days of android and nextcloud. Turns out, nowadays you don’t really need that for most use cases, and definitely not for KeePass syncing. Nextcloud app for android exposes all the files via content framework and KeePassDX can sync two ways via that. Other apps like Keepass2Android even have direct nextcloud support via WebDAV, though these days I prefer KeePassDX a little bit more for unrelated reasons.

        I recommend you try either KeePassDX or Keepass2Android and see for yourself.

        Also, most file managers support CF and will show you your nextcloud files as if they were real files on the device, even without “real” two way sync, and most other apps will be able to save & open files directly from nextcloud.

  • bitwolf@sh.itjust.works
    1 month ago

    Vaultwarden handles the syncing for me.

    However I do export backups on both my phone and laptop just in case.

  • BozeKnoflook@lemmy.world
    1 month ago

    I use passwordstore.org which is basically a bash script that wraps GPG; but there is an Android client as well.

    Everything is stored in encrypted files tracked by git. Files are synchronized by git/SSH to a server I run.

    • versionc@lemmy.worldOP
      1 month ago

      I actually used pass many years ago and I quite enjoyed it, except for the fact that the entry names are presented in clear text. You’d also have to manage your GPG secret which I’m not a fan of (in fact, my password manager is how I usually manage GPG and SSH keys in the first place). On the other hand, I guess you should keep a key file on each device on top of a passphrase even if you use a KeePass database, so I guess that point is moot. There is also no good way to include attachments. At that point Vaultwarden feels more convenient, but the more I’m thinking about it, the more I’m warming up to the idea. We’ll see, maybe I’ll give it a shot again.

      Thanks for sharing your thoughts!

      Edit: I did some quick research and I found this video:

      https://www.youtube.com/watch?v=j-qBChKG15Y

      It brings up some pretty important security concerns that still seem to be relevant.

      • BozeKnoflook@lemmy.world
        1 month ago

        That entry names are stored in plain text doesn’t bother me; if somebody has broken into my system so well that they’ve copied my password store then the last of my concerns will be if they can easily find out if I have a password stored for example.org or example.net. At that point it doesn’t matter if they can tell that I have a Jellyfin password stored, because that service is running on my server with clients installed on my phone & tablet.

        And I handle key storage with a pair of Yubikeys which hold a copy of my private key. It can’t be extracted (only overwritten). There is a physical copy kept on offline, disconnected storage, which could be an attack vector – but if we’re at the point of somebody breaking into my house to target my password management then all bets are off: you don’t need to break my kneecaps with a hammer for me to tell you everything, I prefer to keep my knees undamaged.

        For attachments I just add another entry; /services/example.org-otherThing - there’s nothing stopping you from encrypting binary data like an image.

        And when it comes to convenience: I have a set of bash scripts that use Wofi to pop up a list of options and automatically fill in data. Open example.org, click the login field, hit meta-l, type example.org, hit enter and wait a moment: it’ll copy and paste the username, hit tab for me, then copy/paste the password, then copy a bunch of random data into the clipboard buffer like 10 times before copying an empty string another hundred times to flush said buffer. meta-f for username only, meta-g for password only; it’s honestly way more convenient for me than the 1Password setup I use at work.

        I understand the point the video is making, but I think it’s irrelevant if you keep the private key on something like a Yubikey.
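
Added example, not part of any comment in this thread: the exchange above turns on pass keeping entry names as plain file names, so this script reports what a copy of a store shows to someone who does not hold the GPG key. The sample store is constructed (placeholder bytes, a made-up key ID) and the function names are hypothetical; the `.gpg-id` recipient file is standard pass behaviour.

```shell
#!/bin/sh
# Added example: what a copy of a pass store reveals without the GPG private key.

# Build a constructed sample store; the .gpg files hold placeholder bytes, not real ciphertext.
make_sample_store() {
    store=$(mktemp -d) || return 1
    mkdir -p "$store/services"
    printf 'CONSTRUCTED-KEY-ID\n' > "$store/.gpg-id"
    for entry in example.org example.net example.org-otherThing; do
        printf 'placeholder' > "$store/services/$entry.gpg"
    done
    printf '%s\n' "$store"
}

# Entry names are just relative paths with the .gpg suffix removed; nothing is decrypted.
list_entry_names() {
    ( cd "$1" && find . -type f -name '*.gpg' \
        | sed -e 's|^\./||' -e 's|\.gpg$||' | LC_ALL=C sort )
}

# pass records the key IDs it encrypts to in .gpg-id files, also in clear text.
list_recipients() {
    find "$1" -type f -name '.gpg-id' -exec cat {} + | LC_ALL=C sort -u
}

# The question raised in the thread: can a reader tell whether a site has an entry?
has_entry_for() {
    list_entry_names "$1" | grep -q -F -- "$2"
}

exposure_report() {
    echo "entries visible without key: $(list_entry_names "$1" | wc -l | tr -d ' ')"
    list_entry_names "$1" | sed 's/^/  /'
    echo "recipient key IDs:"
    list_recipients "$1" | sed 's/^/  /'
}

store=$(make_sample_store)
exposure_report "$store"
rm -rf "$store"
```

Pointing `exposure_report` at a real store directory shows the metadata that travels with every git remote or synced copy of it.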

    • Denys Nykula@piefed.social
      1 month ago

      Are there mechanisms for fully automatic synchronization on every file change and every initialization in the Android and console apps for password-store out of the box these days? Using Syncthing with password-store at the moment to get a user experience as close to that as possible. Had to switch from the Android app to Termux and the CLI because the app no longer supports usage with Syncthing.

      • BozeKnoflook@lemmy.world
        1 month ago

        There has to be, the PasswordStore app for Android can keep the GPG files in a storage location where other apps can read & write them. All you need is something to handle the synchronization.

        I’m a control freak and prefer to do things like that manually, so I just use the built-in git & SSH based method it provides.