How should I sync KeePassDX?

What would be a good and secure way to sync the database between several devices?

I have used KeePass2Android, but it is not longer recommended by PrivacyGuides. It doesn’t support clipboard protection feature in Android 13 and it shows the passwords in clear text when you copy them to the clipboard.

I don’t mind using a cloud service such as Dropbox. The main concern is that I’ve seen people reporting issues with KeePassDX, because the app doesn’t support the same level of integration with a cloud provider such as Dropbox just like KeePass2Android does. I’ve seen people complaining that they’ve suffered data loss before when the conflicting changes from multiple devices overwrote the database file instead of syncing the changes.

Welcome and thanks for your post.

A good and secure option that works for me is to dedicate one device as a primary device. Maybe you use Android 13 device as your primary device, as I do. This is where I update and change passwords, edits in general.
I use a file sync program depending on the other devices and treat those devices as a functional database and a back up. It is easy for me to make my edits on my primary device just because my use case work flow. As I use these secondary devices I update their file.

Mentioned in another comment as this is a common topic. NextCloud and Cloudamo were used as a cloud storage, a small thumb drive was used for that set up like 16G. I say used, as I took NextCloud down for unrelated reasons. The set up worked out for maybe 3 or 4 devices each editing the same file.

Carried in my pocket daily is a SanDisk Ultra Fit USB 3.1 Flash Drive which, at work I use a lot of windows machines. On this flash drive Portable apps is set up with FreeFileSync and very frequently I update a stored KeePass file. Just adding another option.

I use multiple programs on multiple systems, you have options.

2 Likes

An option that worked pretty nicely for me was Syncthing

This would sync locally on the same network, so perhaps not instant real-time syncing, but when I set up Syncthing to test database syncing across 3+ devices, it worked incredibly well with no issues. Every time I came home everything would magically sync up by the time I got to unlocking my database.

Aside from that, there aren’t many cloud providers I found that integrated very smoothly with KeePassDX. It’s also worth outlining that those missing security features from KeePass2Android doesn’t make it an inherently avoidable piece of software. PrivacyGuides IMO could have more lenience on their recommendations with some warnings instead of complete delistings, but that’s obviously my opinion. @Jonah and I don’t agree on everything :stuck_out_tongue: (Edit: I haven’t formally looked into this issue myself, it may be quite serious, I’m just relaying a general observation of mine that may carry into this realm)

What I think we do agree on is you should evaluate those missing features in K2A and see if that is likely to impact your threat model and the convenience of having a usable Password Manager.

I agree, PrivacyGuides are often a bit too strict. However, in this case I agree with them, because when you copy passwords or protected fields in KeePass2Android, it pops up the clipboard preview with the content in clear text. Apparently, the developer hasn’t updated the app to comply with the newest standards in Android to hide the protected clipboard contents. That’s the reason I’m looking for another way to handle password management.

I like the idea of Syncthing, but I’d rather go with a cloud storage provider, because I get an extra backup with file versioning there.

I still wonder how database conflicts could be handled when using KeePassDX. Assume both my phone and my laptop are offline and I make changes to the database on both devices. What happens when they are back online? I assume no matter if you use Syncthing or a cloud provider, they won’t be able to resolve the conflicts and merge the entries in the database, because the database is encrypted?

In the past using NextCloud, cloudamo the file in the cloud was my primary file. The file on my phone and personal thumb drive were the back ups. This assignment prevented conflicts.
This is all past tense as the NextCloud set up is down.
Though I would steer away from Google Drive as a cloud service. The encryption is strong and you can depend on that to build a system.
Digital minimalism seems to be a goal only because there is a plan. My KeePass entry have grown as one folder is just for shared passwords with family. One folder is just for a friend, yes he text me in plain text his work credentials and his google credentials to get in his phone.
Recently created an Alias, created an new folder just for the alias. Got a new thumb drive that I decided to make a persistent TailsOS. Sure enough there is KeePassXC. Should I store Wi-Fi passwords there, why not.
This is got me to thinking it is time to split this file up and treat them in different threat models.
Family shared for example could be cloud sync. Perhaps my Alias could be pulled off my phone all together.

I have looked into this a bit to see what happens when you use KeePassXC on a computer and KeePassDX on a mobile phone.

When you make changes to the database on both devices and sync them, as expected, the changes are not merged. Instead, a conflicting file gets created that needs to be resolved later by the user.

I have done this test using both Dropbox and Syncthing and can confirm that conflicting files get created in both services.

Dropbox:
keepass_test

Syncthing:
keepass_syncthing

Therefore, as @Perk1ns suggested, the most reasonable option would be to only make changes to the database on a single primary device and then let it sync to others. This way the conflicts can be avoided.

Of course, this means the added inconvenience of not being able to update your database from a secondary device.

I’m still thinking about possible solutions. Maybe I could use the computer as a primary device and when I need to make changes on a mobile phone, I could just note things down in Standard Notes and then deal with the database update later when I’m back on my computer.

This is exactly what I’ve been doing the last few years after a similar record conflict. Didn’t find any solutions after minimal searching, so I just tabled it for “later”. My guess is the KP database doesn’t handle field-level synchronization- at least not well. So its not an ideal setup, but it works for now & is far better than the nightmare that is LastPass.

What I’d most like to improve is the file/data security. Though the file is protected with KeePass encryption, I’d feel much more at ease if the entire Nextcloud drive/folder was encrypted. I already use Cryptomator, but haven’t installed on Android yet. So I’m not sure what complications this would add to accessing a KP file on the fly while mobile.

because the files are so small i just copy & paste them between devices

You have answered it yourself. Don’t use it. A cloud based alternative like bitwarden is better if you want the cloud syncing.

Edit:
I have recommended not to use Keepass2Android. KeepassXC and KeepassDX are fine tools for your security. Any confusion is regretted @HistrionicPerson .

Wrong. He just wasn’t aware of all KeepassDX’s capabilities.

This won’t happen with the Magikeyboard in KeepassDX. Read the Form Filling section of the app Wiki. A small blurb:
" The Magikeyboard is an Android keyboard specially designed to fill in forms securely with the elements of a database entry.

This automatic fill mode does not depend on the auto-fill services of the device, and does not share its info with other apps. This is the safest way to fill a form with an entry."

True! Could even use Signal’s “Note to Self”, which i use almost every day to transfer files or links between my devices.

The quote you’re referring to is about KeePass2Android. That’s the reason why I’m considering switching away from it to KeePassDX. It (KeePassDX) has clipboard protection and Magikeyboard!

Have you tried Bitwarden? I was using KeePassDX and XC like you, and I never found a good solution (Nextcloud, Syncthings…).
Bitwarden works perfectly on Android and with a browser extension on computer.

This… funny - I use signal all the time to ‘sync’ information between computers.

Like others here - I maintain my keypass db on a single device (my primary laptop). I then upload it to my nextcloud server and then send the file via signal to my other devices. The Nextcloud keypass app works well also.

I will offer that I am starting to use KDE more and more - as it works well between all my machines and my android device.

I don’t put Signal on every device but KDE connect goes on about everything.