Objective: Secure & private password management, prevent anyone from stealing your passwords.
Option 1: Store Keepass PW file in personal cloud service like OneDrive/GoogleDrive/etc , download file, use KeepassXC to Open
Option 2: Use ProtonPass or similar solution like Bitwarden
Option 3: Host a solution like Vaultwarden
Which would do you choose? Are there more options ? Assume strong masterpassword and strong technical skills
Keepass on phone, desktop and tablet. Sync serverless via Syncthing.
- completely private
- always available when needed
- no dependency on services which may go away
- all open source software
- maximum security
Yup. Same system here. I really like it.
Same here. Home server to which desktop and phone connect with OpenVPN.
Check out tailscale (or headscale)
It lets you connect those devices without necessarily sending all data through your home network when you are remote. (Though that is an option along with many other great features like ssh authentication)
It also uses WireGuard for the backend which is more secure and efficient than openvpn.
Thx! Will check out.
Keepass + syncthing.
Don’t let your vault go unencrypted through the cloud.
Your vault is always encrypted very securly except when in RAM. There is no security concern with uploading it directly to the cloud.
It’s encrypted at rest with a passphrase. Syncthing encrypts it at transit with a random key.
There is a huge difference on the security of those.
Keepass allows you to use a passphrase in combination with a randomly generated keyfile. You only need to copy the keyfiles to your devices once (not via cloud services, obviously). Your actual database can then be synchronized via any cloud provider of your choice (hell, you could even upload it publicly for everyone to see) and it would still be secure.
I use option 1 with Syncthing for a distributed cloud solution
Same, works like a charm!
Ditto, but with Resilio Sync.
I’m very happy with self-hosted Vaultwarden.
Keepass fIle in my own nextcloud instances, synced to my phone so I can also use keepass2android. This way if something happens I at least have another copy of it, beyond my backup system.
that’s actually exactly how I have my setup. I just use syncthing to keep everything dynamically backed up as I add passwords. my main login password is memorized and not written down anywhere so I think I’m good
I do the same, but synced to Dropbox from computers and phone.
I have the Proton password manager as well but not sure yet if I’ll do a full swap over.
Vaultwarden behind mutual tls and reverse proxy and https://github.com/oguzhane/bitwarden-mobile until https://github.com/bitwarden/mobile/pull/2629 is merged
But honestly all services you mentioned are worthy.
Anything that fits your needs imao
That PR might be a while…
https://github.com/bitwarden/mobile/pull/2629#issuecomment-1731457466Considering that android is going to prevent users from importing a CA
Edit:
Wait, I think I have my wires crossed.
I think android is removing the ability for apps to install certs.
The user has to manually install a cert, and then select it in the appEdit again:
Yeh, this is what I was thinking of:
https://httptoolkit.com/blog/android-14-breaks-system-certificate-installation/But, thinking about it now, I doubt it will actually affect the feature
“But, thinking about it now, I doubt it will actually affect the feature”
It will not
We don’t need to import a custom CA authority here just to insatll a client cert
Using let’s encrypt is a lot easier to deal with on the client side than modifying CAs, although the initial set up of the server can be a pain in the ass if you’re new to it.
I’ve used Option 1 with my Nextcloud and it works perfectly. Other options seem more apropriate when you need scale, many user each with their own vault.
Stupid me, didnt even remember using nextcloud instead of commercial clouds. I like it
Option 1, KeePassXC plus SyncThing, done. Works amazing on all my devices.
I’ve never heard of Syncthing, I use Keepass on Windows and my Android, syncing to Dropbox. If I change to Syncthing is it an easy swap, anything I should watch out for?
I used to self host Bitwarden, but didn’t want the hassle of securing it and updating it properly and consistently. So I just pay $10 for bitwarden premium and I get to support the company.
Option 2. It’s the most robust. You’ll never lose it (provided you have the redundancy), you can use it offline, you can transfer it using a USB pen, it’s available in all platforms, including web. I’ve been using this for 8+ years, on my phone, desktop, laptop, company computer, etc. I store it on a personal cloud (and on each machine, of course, by syncing).
I use and prefer option one, but take it a step further in that I host my own cloud service. I used to use Dropbox for years, but we got divorced.
Host your own bitwarden
Option 2: 1Password
I do keypassXC and Syncthing. It’s cross platform with only a couple bucks needed for lifetime access to all all necessary features depending on platform. Besides I use Syncthing for a bunch of other stuff as well, so it fits right into my flow. I’m considering moving to a command line tool simply called Pass, and still syncing with Syncthing, but I’ve yet to pull the trigger on that switch yet.
I also do keepassxc, dx on Android, and syncthing to keep them updated. What is it you paid for?
Bitwarden+vaultwarden, harden the chosen VPS, set SSH to use keys only, then setup fail2ban for webserver and ssh Also consider putting ffsync on it as well for extra browser benefits.
Remember to back that up, and test the back at intervals to make sure they work
Not watertight ofcourse but I love that the bitwarden clients keep a local copy so if the server ever goes down youve still got access just no sync.
goes without saying.
I like this one as well, technically more challenging though