We have split-gpg that allows a VM to use gpg as if all keys were local, but any request to actually perform an operation has to be validated by the user before it’s handled by the gpg VM.

Has anyone looked at the ability to do the same for the KeePassX browser extension? The idea being that instead of consulting the local KeePassX database, it would make a request to the KeePassX VM instead. In principle, this should be doable, and for quite some time I’ve been tempted to try to do it myself, but before doing so I wanted to know if anyone else has experimented with this.

Is this something that has been mentioned? Are there any experiments that could be shared so I don’t have to start from scratch?


It is definitely doable, but you need to check twice what kind of secrets are to be accessible this way.
Here is a new discussion: https://forum.qubes-os.org/t/keepassxc-security-and-single-backend-for-all-qubes-and-healthy-password-management-practices/