Updating KeepassXC database


I would be curious to know how those who have been using the OS for a longer period of time manage to update their KeePass database. I guess most of them store it in a VM like the default Vault VM, which has no internet connection. But what if I want to use the database on multiple devices, like, say, on an Android phone? So far, I have solved this by having my NAS as a “centre” where I stored the database, which I connected to with sshfs on Linux and sftp on Android to the NAS in the Keepass2Android app.

I was thinking of creating an AppVM where only my internal network would be enabled, and update the database from that AppVM to VaultVM and vice versa. I know that there has been a lot of talk on the forums about how copying from a less secure VM to a high-security VM is not recommended; still, I’m interested in what you think about this idea.

Thank you for all the comments on the article!

1 Like

Wouldn’t you need to connect the Vault VM to sys-net for accessing the NAS or local network?

I think it is unadvised to connect the Vault to any network directly.

A scheduled qvm-copy-to-vm command is what I use. From there you can configure your destVM firewall to only access an E2EE sync/cloud service online and push it there via cron. In this way you can at least create files retrievable from any device.

The sync part in this isn’t quite there with this implementation, since making changes to the database on another device would have you transfer the file back to the Vault VM, which is something I currently don’t do myself. It’s worth considering at least.


Could you explain it in a little more detail? I was thinking about something like that, at least I thought of exactly the qvm-copy-to-vm command, but I’m not sure how to use it.

Contents of:
/etc/qubes-rpc/policy/qubes.FileCopy AND/OR

Vault AppVM allow

Both files are mentioned in the docs, you can figure out which of them was the correct one. Doesn’t hurt to create both files.

From your Vault: qvm-copy-to-vm AppVM database.kdbx
After modifying the files above you shouldn’t get a pop-up.
Now just put that in a cron and you’re good to go. qvm-copy won’t overwrite files, so make a unique file name each time by appending e.g. date in the file name.

Thread below is long, but that’s the one that helped me with this:

1 Like
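The scheduled push described in the answer above, written out as an added example (not the poster's own script): it runs in the vault qube, gives every copy a unique timestamped name because existing files are not overwritten, and skips the copy when the database has not changed. The database path, the destination qube name `AppVM`, the outbox directory and the script path in the cron line are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Runs in the vault qube, from cron.
# Assumed names: database path, destination qube "AppVM", outbox directory.
DB="${DB:-$HOME/database.kdbx}"
DEST="${DEST:-AppVM}"
STAGE="${STAGE:-$HOME/.kdbx-outbox}"
QVM_COPY="${QVM_COPY:-qvm-copy-to-vm}"   # overridable so the logic can be tested

# Print only the SHA-256 digest of a file.
db_digest() { sha256sum "$1" | cut -d' ' -f1; }

# Stage a timestamped copy of the database and print its path.
# Returns 1 if the content matches the last successful push, 2 on error.
stage_db() {
    [ -r "$DB" ] || { echo "cannot read $DB" >&2; return 2; }
    mkdir -p "$STAGE" && chmod 700 "$STAGE" || return 2
    out="$STAGE/database-$(date -u +%Y%m%dT%H%M%SZ).kdbx"
    cp -p "$DB" "$out" || return 2
    if [ "$(db_digest "$out")" = "$(cat "$STAGE/last.sha256" 2>/dev/null)" ]; then
        rm -f "$out"
        return 1
    fi
    echo "$out"
}

# Send the staged copy to the destination qube. The digest is recorded only
# after a successful copy, so a failed run is retried on the next schedule.
push_db() {
    staged=$(stage_db) || return $?
    if "$QVM_COPY" "$DEST" "$staged"; then
        db_digest "$staged" > "$STAGE/last.sha256"
        rc=0
    else
        rc=3
    fi
    rm -f "$staged"
    return "$rc"
}

# Cron entry (assumed script path): */30 * * * * $HOME/bin/push-kdbx.sh run
if [ "${1:-}" = "run" ]; then
    push_db
    rc=$?
    [ "$rc" -eq 1 ] && rc=0   # an unchanged database is not an error
    exit "$rc"
fi
```

Copies arrive in the destination qube under `~/QubesIncoming/<source qube name>/`, so the upload job there should pick the newest file by name.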

Thanks for the info! I will read it through!

Maybe this post will open your mind: Partitioning my digital life into security domains | The Invisible Things