Trying to make and use a KeepassXC Vault

Qubes newbie new to Fedora and coming from years of Ubuntu-based systems. I can use Terminal for some things, but usually prefer the GUI for most things. After watching the Qubes-OS.org Video Tours (and other web tours and guides), I want to have a secure, separate “Vault” domain for my KeepassXC database manager, separate from the other Domains, but from which I can access my usernames and passwords. I have KeepassXC running now in a “red” fedora-30 domain, but I’d like to have another central copy of KeepassXC and it’s database to use with higher security domains. So far I’ve not been able to find a howto anywhere to do this, so I’m hoping for leads please. The official User Documentation doesn’t seem to address this. What I’ve done so far are:

-Work out how to get KeepassXC to work in a fedora-30 VM.
-Use the “Create Qubes VM” program to make a new fedora-30 Domain called KeepassXC.
-Used “Qube Settings” to set networking to disabled, set colour to Black and lastly using Applications I copied KeepassXC across from Available to Selected.
-Copied my Keepass database from the Domain in which I had first installed it and then linked it to the KeepassXC program. In this Domain I can log into KeepassXC and make local changes.

From this point I’m mostly stalled out as to what I need to do next to use the new KeepassXC. Questions which come to mind are:

-Should I leave the original KeepassXC (in the lower security day to day browsing Domain) in place and delete some of the entries there as desired along with using the new KeepassXC just for higher Domains (for things such as credit card accounts, financials, government tax dept, etc)? Or is it safe and preferable to have them all in the higher security “Vault” Domain and delete my lower level Domain Keepass?
-How do I access the new KeepassXC from other Domains such as Work and Personal? I understand this can be done, but how?
-Have I even chosen the proper way to make this “KeepassXC” Domain, or should I have done it another way? Should it be a Service instead of a Domain?

Really enjoying the Qubes so far. Many thanks for any help.

I don’t quite understand the concept of different vaults from a security standpoint apart from compartmentalizing things further.

I do have different databases, one for my daily stuff for example is in the vaultVM and others are on an encrypted USB stick. The database itself is useless without the master-passwords and keyfiles or however you are locking it.

Of course, you could use a 2nd vault for critical accounts you don’t use on a daily basis but I honestly don’t know if this is a more secure way than opening a new database in your vault and just closing it after using it.

I also don’t understand what you mean by the distinction between service and domain?

How do you access other apps? Do you mean how to copy passwords to a specific VM? This is done almost like the usual copy & paste with an additional step for each command:

Update: There are automated ways but I’ve never tried them:
https://groups.google.com/forum/#!msg/qubes-users/p49bTegvM6E/3lfw4BcOCwAJ

Thanks for the reply Raphael.
I don’t quite understand the concept of different vaults from a security standpoint apart from compartmentalizing things further.
I had the impression from the first Qubes-OS.org video tour (beginning at 11:15 mins in, that I might want to make a separate Vault VM for my passwords. So are you saying I only need one vault and that I should place my Keepass program in that vault?

I do have different databases, one for my daily stuff for example is in the vaultVM and others are on an encrypted USB stick. The database itself is useless without the master-passwords and keyfiles or however you are locking it.
I gather from this, that you are saying I should only need one installation of Keepass on my desktop computer to cover everything on the Qubes installation. Is that right?

I also don’t understand what you mean by the distinction between service and domain?
I was a bit confused with all of the learning curve in Qubes. Subsequently I’ve realized it’s a Domain I need.

How do you access other apps? Do you mean how to copy passwords to a specific VM? This is done almost like the usual copy & paste with an additional step for each command:
Do I use the shift-control-c and shift-control-v method each time I need to copy a username and password from a vault’s keepass program? Or I have just thought, do I need to install the Keepass program in a VM’s template for use in the VM and only have the database itself in the vault? I haven’t seen this clearly spelled out anywhere. I think this is now my main bottleneck.

Thanks for your patience.

I think most qubes users use the premade “vault” domain for running their password manager. It looks like you ended up with something similar in your KeePassXC domain.

Copied my Keepass database from the Domain

Copying binary data from a lower-security VM to a higher-security VM is usually not recommended, since you can’t be sure if the lower-security VM didn’t pass a malformed passwords file compromising the higher-security VM. Ideally data flows from a higher security VM to a lower security VM, with any reverse flows being simple textual data you can audit by eye.

How do I access the new KeepassXC from other Domains such as Work and Personal? I understand this can be done, but how?

Just use Qubes copy and paste, FROM the vault VM, TO the AppVM. Anything more automated could run afoul of the high-to-low data flow scheme.

Should I leave the original KeepassXC (in the lower security day to day browsing Domain) in place

I personally also store commonly-used passwords in the browser’s password manager, inside the VM where it is used. Browser password auto-fill is extremely convenient. There is not much loss of security since if the browser is compromised, so is every password associated with that domain, whether all at once (in-browser password manager) or gradually as these (commonly-used) passwords are manually copy-pasted in from the vault.

Thanks for replying airelemental. Have just replied to Raphael and then saw your post. It does sound like at this point, I should just use the one vault. I did realize that copying the database up to a more secure domain wouldn’t normally be the wisest policy. Point taken. I only did it, as my Qubes installation is just a couple of days old and I had migrated my Keepass database over from my Linux Mint backup drive. It definitely won’t be my normal practice.
I’m still, at this point unclear if I am only to keep the database itself in the vault. Hoping to get that aspect sorted out. Also your view on keeping passwords in the Firefox password manager has me thinking. The reason I started using Keepass in the first place was so that I didn’t have to rely on a browser to securely hold my passwords. But now that I think about it, I guess for a VM which isn’t used for my financial dealings and the like, some passwords may be fine to keep in the browser. Thanks.

Do I use the shift-control-c and shift-control-v method each time I need to copy a username and password from a vault’s keepass program?

Yes. Highlight entry in keepassxc, ctrl-c, ctrl-shift-c, switch to AppVM, clt-shift-v, ctrl-v. (Maybe change the keybinding for ctrl-shift-c, ctrl-shift-v to something requiring fewer keystrokes.)

Or I have just thought, do I need to install the Keepass program in a VM’s template for use in the VM and only have the database itself in the vault?

Install keepassxc in the template that the vault VM is based on. Only need to run keepassxc in the vault.

Thanks so much! That had me really confused. I will give it a go in the morning and see how I make out. cheers

Mixed success. I’m very happy to report, that removing KeepassXC from my lower security domains and adding it to only my vault domain has worked. I’m successfully logged back into this forum using the
“Highlight entry in keepassxc, ctrl-c, ctrl-shift-c, switch to AppVM, clt-shift-v, ctrl-v” method. But is there a way to copy both the username and password in one step? I generally have very strong passwords, but in some instances I have usernames, which are specified by some sites, which I cannot change and are too long/too complex to remember and manually enter from memory. So I’m needing to do the 4-step copy and paste method above for first the username and then again for the password. Is there a way to copy and paste both at the same time? Thanks

As I mentioned, if it is a frequently-used login, you could save both username and password in the browser, avoiding all copy-pasting.

For a middle ground, you might be able to auto-fill just the account name in the browser, so you only have to copy-paste the password.

For Firefox, I guess you can save an account login with a dummy password.

1 Like

Thanks so much. I’d mark this thread solved, but I don’t see a way to do that yet. cheers

Hi @Qubesquark. This was under the category General Discussion. But only threads under User Support can be marked as solved. I’ve moved it there now. Feel free to mark the answer that helped the most as the solution. (or mesage me if you have any issue).

IMHO the cut’n’paste “solution” is IMHO not right, and it is wrong to advertise it.

KeepassXC has features to provide the credentials to a browser plugin, and to auomatically enter credentials for you in apps not featuring a keypass plugin. Going back to cut-n-paste is a clear regression for several reasons:

  • it is more tedious, thus error-prone, thus “paste into wrong window” happens every once in a while (possibly even “paste to wrong domain” but when you’re copying across domains you’re already supposed to know to be careful)
  • once you hit ctrl-shit-v OK your password is not in the Qubes clipboard any more, but it stays in your domain’s clipboard, where any X11 app from that domain can request it (try xsel -b -o if you want to see it with your own eyes).

Now we could argue that QubesOS allows you to separate apps by domain, and that any malicious app in a given domain already taints that domain, so avoiding the paste buffer and using a different channel would not do much, and could even give a false sense of security. But still, my first argument would remain.

Has anyone found a way or package that can program extra mouse buttons to handle the Qubes Clipboard copy/paste?

Hm, I have the feeling you want that just as much as a mouse shortcut calling sudo for you…
Specific shortcuts are there so you are aware of information going from one domain to another, moving this to mouse buttons is likely calling for trouble :slight_smile:

How is a button programmed ctrl + shift + c less secure than pressing ctrl + shift + c? Shortcut keys are currently available now in Qubes.

Well, don’t you think it’s easier to press a mouse button by mistake ?

It’s more about safety than about security, really.

Nope. Buttons on the side rarely gets used. They’re not in direct contact with the thumb and you have to reach and press them.

1 Like

You’re free to do your own risk assessment. I wouldn’t myself recommend doing that to anyone.

Although complete Qubes nebwie, I absolutely agree with this. So, is there a way to use KeePas from the vault, as for example I use it on my Windows host machine: I am in the virtualbox vm, I press let’s say Ctrl+Alt+A, Keepass from the host is called and offers a list of all the password defined for that vm window, I choose the desired entry by mouse and thus apply it to the vm window/form-in-it.
If not and considering that copy/pasting from higher security to a less security domain is recommended unlike vice versa, does it sound reasonable to suggest such an option exclusively for the vault cube to be developed? It is hard to imagine whole sequence CTRl+ALT+A and then mouse click unintentionally to happen. Also, not all forms are in browsers, thus not al of them offers roboforms - on the contrary.
Thanks in advance for your thoughts and suggestions.

Bump?