How safe is my kdbx file on the cloud?

Hey everyone! After I switched to a password manager, I decided to back up my kdbx database on both a thumb drive and the cloud*. Is my database safe on the cloud?

The password that I use on my database is a custom diceware password of 19 characters. In theory, that password can’t be cracked anytime soon. The database is also the only thing that uses that password.

Is my database vulnerable in some fashion?

*I am not proud to admit I still use Google Drive


Like a lot of things, it’ll depend on your threat model.

If your threat is just keeping your passwords reasonably secure from a majority of issues, what you’re doing is great. Google has top-notch security to keep your database file safe, and even if they didn’t - all you uploaded was an encrypted database. Even from a privacy POV it’s hard to poke many holes in the approach and give you any legitimate shortcoming of going with Google, since this file alone gives them little to no information. (My only concern would be the account itself and any privacy implications of having the account in the first place.)

If you wanted to take this a step up, I recommend using your KeePass database with a keyfile that’s strictly kept offline. The keyfile is just a file that’s required alongside your master password to enter the database. With the keyfile, an adversary will now need to:

  • Break into your Google account or get a copy of your database locally
  • Break into the database itself, which given your password information is no easy feat
  • AND they need to have that keyfile

I will manually (offline) transfer my keyfiles to each of my devices so I also have a verification method to enter my database that’s always kept offline. For me, it’s the closest thing to 2FA for KeePass :slight_smile: The especially cool thing is once you point your KeePass client to the keyfile, it’s no less convenient to use than before you used keyfiles.

Just to summarize:

  • What you’re doing is great
  • If Google is an issue and you’re looking to move away from them in general, you can likely accomplish the same sync via any other platform (Dropbox, MEGA, Nextcloud, etc.) - the provider doesn’t matter much here in the scheme of things as long as they have a history of solid security.
  • I recommend using a Keyfile no matter what you choose to do. (Offline!)
  • If your threat model is on the more extreme end, obviously the best thing to do is to keep it totally offline and merge/sync manually, or use something like Syncthing for a pseudo-cloud sync that’s done locally.
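To make the keyfile point above concrete, here is an added example (not from the thread or from the KeePass project) of how KDBX combines the master password and a keyfile into one composite key: each component is reduced to 32 bytes and the concatenation is hashed again, so the database cannot be opened, or even brute-forced, without both halves. It covers raw 32-byte and 64-hex keyfiles plus the generic "hash the whole file" fallback; XML keyfiles and the Argon2/AES-KDF step that follows are left out. The keyfile bytes below are constructed for the demo.

```python
import hashlib
from typing import Optional


def _keyfile_component(data: bytes) -> bytes:
    """Reduce a non-XML keyfile to its 32-byte contribution, as KeePass does:
    a 32-byte file is used verbatim, a 64-character hex file is decoded,
    and anything else is hashed with SHA-256."""
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except ValueError:  # not hex text, fall through to hashing
            pass
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], keyfile: Optional[bytes]) -> bytes:
    """SHA-256 over the concatenated components, password first, then keyfile.
    This is the value the database KDF is later applied to."""
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        parts += _keyfile_component(keyfile)
    if not parts:
        raise ValueError("at least one key component is required")
    return hashlib.sha256(parts).digest()


if __name__ == "__main__":
    pw = "correct horse battery staple"          # stand-in for a diceware passphrase
    keyfile = bytes(range(32))                   # constructed 32-byte keyfile
    with_key = composite_key(pw, keyfile)
    without_key = composite_key(pw, None)
    # A stolen .kdbx plus the password still yields the wrong key without the file...
    print("password only     :", without_key.hex())
    print("password + keyfile:", with_key.hex())
    # ...and a single corrupted bit in the keyfile is just as fatal, so back it up offline.
    damaged = bytes([keyfile[0] ^ 0x01]) + keyfile[1:]
    print("damaged keyfile   :", composite_key(pw, damaged).hex())
```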

Thanks for taking the time to respond :grinning:

These are some great tips and I’ll see if I can’t integrate them into my daily life. The keyfile is especially interesting since it can be kept on a couple of thumb drives and be used like a literal key.

My threat model is around zone two. I have no particular reason to keep it around two besides the fact that I love my privacy.
Keep up your good work,