I wanted to switch to KeePassXC and I wanted to download it on an encrypted USB drive for portability. I know I can do this on Windows, but will the password manager work on other OSes? I switch between Windows and Linux, and I want to make sure that I can do it on both. I read an online article that says it's possible, but you need to make sure you have a certain file on the drive for it to work?


I use a synced kdbx file on Linux (keepass-xc) and Android (KeePassDX) daily with the same keepass file. It handles all my logins, TOTP, passwords, passkeys no problem. I synchronize it using syncthing. When the two machines are on the same WiFi (or on a meshed VPN like tailscale) and can talk to each other, they sync freely.
I know someone who has it set up the same way who also uses Windows in the mix.
I haven’t checked the code, but it seems the file is not actively held open for reading and writing with constant updates happening; updates appear to be transactional. I’ve only ended up with two sync errors in 3 years of daily syncing, and I was able to merge the two files with the keepass-xc cli merge options.
The key distinction here is that the program keepass-xc is not keepass the standard, just a program for reading the kdbx vault. A really good, externally audited, well coded, security first program for reading the vault!
If you’re concerned about the sync, it might be worth checking out how the original program expects DB sync to be done.
If you’re concerned about the manager working across OSes, don’t be. The primary use case, in the browser, is cross-platform by way of being a browser add-on. The brains of the operation are bundled in the keepass-xc app as a local server that only gets enabled when you switch on browser integration in the manager. The browser add-on sends web addresses to that server, and then the manager looks up the response and sends back the correct credential. This interchange is encrypted during the pairing process.
On Android, KeePassDX hooks into the built-in passwords, passkeys, and accounts ‘preferred service’ and offers password autofill in the keyboard suggestions bar, and comes with a credential-fill keyboard you can switch to on the fly if needed. It also saves passwords in normal apps, by storing the app id in the credential under a custom field ‘AndroidApp’ to help narrow down hinting. E.g. com.hjiansu.thunder for my Lemmy app, or com.android.settings for WiFi SSIDs and PSKs.
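An added example (not from the poster above) of the sync-error clean-up they describe: a POSIX shell script that finds Syncthing conflict copies of a kdbx vault and folds each one back into the primary with `keepassxc-cli merge`. It relies on Syncthing's `name.sync-conflict-YYYYMMDD-HHMMSS-DEVICE.ext` naming and on both copies opening with the same master credentials (`-s`); the `vault.kdbx` path is a placeholder.

```shell
#!/bin/sh
# Added example: reconcile Syncthing conflict copies of a KeePass vault.
# Syncthing keeps the "winner" under the original name and renames the
# loser to  <stem>.sync-conflict-<date>-<time>-<deviceid>.kdbx.
# keepassxc-cli merge writes the union of both databases into database1.

# List the conflict copies that belong to $1 (path to the primary .kdbx).
find_conflicts() {
    dir=$(dirname "$1")
    stem=$(basename "$1" .kdbx)
    for f in "$dir/$stem".sync-conflict-*.kdbx; do
        [ -e "$f" ] && printf '%s\n' "$f"   # skip the literal pattern if no match
    done
    return 0
}

# Number of pending conflicts; useful as a pre-flight check or monitoring hook.
count_conflicts() {
    find_conflicts "$1" | wc -l | tr -d ' '
}

# Merge every conflict copy into the primary, keeping a backup of the primary
# first and moving each merged copy aside so Syncthing stops re-offering it.
# keepassxc-cli prompts for the master password once per merge (-s means the
# same credentials are used for both databases), so do not pipe into this.
merge_conflicts() {
    primary=$1
    command -v keepassxc-cli >/dev/null 2>&1 || {
        echo "keepassxc-cli not found in PATH" >&2; return 1; }
    dir=$(dirname "$primary")
    stem=$(basename "$primary" .kdbx)
    cp -p "$primary" "$primary.bak"          # merge rewrites database1 in place
    for conflict in "$dir/$stem".sync-conflict-*.kdbx; do
        [ -e "$conflict" ] || continue
        if keepassxc-cli merge -s "$primary" "$conflict"; then
            mv "$conflict" "$conflict.merged" # keep the loser for a manual diff
        else
            echo "merge failed for $conflict; left in place" >&2
            return 1
        fi
    done
}

# Usage: ./merge-vault.sh /path/to/vault.kdbx
if [ $# -ge 1 ]; then
    merge_conflicts "$1"
fi
```

Run `count_conflicts` on its own first if you only want to know whether Syncthing produced a conflict; the merge step needs keepassxc-cli installed and will ask for the vault password interactively.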
Doesn’t saving a password and TOTP in the same file kind of bypass the entire point of MFA?
Yes, technically. As always, it depends on your threat model.
They suggest a separation of TOTP and the rest in two different files.
I’ll keep that all in mind. Thank you.