5

I am using KeePassXC on my laptop, mobile and on my desktop. While I like that I have to re-enter the master password on my laptop, or validate with my fingerprint on mobile, I find it super annoying that I have to re-enter the master password on my desktop every day.

Is there a way to start KeePassXC with a bash script on boot and enter the password automatically?

I found a similar question for KeePassX here, but it's from 2014 and I don't understand the answer.

Adam
  • 2,600

2 Answers

8

You can give a password to KeePassXC through standard input on the command line with the option --pw-stdin. Thus, in a most simple way, you can automatically open a KeePassXC database with a command like:

```bash
echo <yourpassword> | keepassxc --pw-stdin <path-to-your-database>.kdbx
```

This compromises security quite seriously compared to entering the password on opening directly, because your password is stored unencrypted in a file on your system.

A more secure option is to use another password vault, such as Gnome Keyring (Source). Your password is stored in an unreadable form, and one needs to be logged in as your user to be able to open KeePassXC or read the password.

You will need to install libsecret-tools for this to work.

First you need to store the KeePassXC password in the Gnome keyring. You can do this with the "Passwords and Keys" tool or with the command:

```bash
secret-tool store --label="KeePass <database_name>" keepass <database_name>
```

Next to a label, you are providing an attribute (here we choose "keepass") and a value (you can use the name of your database (<database_name>) or another string that should not contain spaces).

After login, you can then launch and unlock KeePassXC with the command:

```bash
secret-tool lookup keepass <database_name> | keepassxc --pw-stdin <path-to-your-database>.kdbx
```

This option remains significantly less secure than supplying the password yourself while using KeePassXC, but the well-informed user should have the freedom to make the balance between security and convenience.

vanadium
  • 97,564
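The keyring-based launch from this answer, written as a small script that refuses to start KeePassXC when the database is missing or the keyring lookup returns nothing. This is an added example, not part of the original answer; the function name `unlock_keepassxc` and the `SECRET_TOOL`/`KEEPASSXC` override variables are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: launcher for the keyring approach described above.
# The command names can be overridden (hypothetical variables, handy for
# testing); by default the real tools are used.
SECRET_TOOL=${SECRET_TOOL:-secret-tool}
KEEPASSXC=${KEEPASSXC:-keepassxc}

# unlock_keepassxc DB ATTRIBUTE VALUE
# Returns 2 if the database is not readable, 3 if the keyring gave no
# password, otherwise the exit status of keepassxc.
unlock_keepassxc() (
    db=$1 attr=$2 value=$3

    # Fail early if the database (e.g. on a removable drive) is not there.
    [ -r "$db" ] || { echo "database not readable: $db" >&2; exit 2; }

    # Never start KeePassXC with an empty password: a locked keyring or a
    # mistyped attribute/value must stop here with a clear message.
    secret=$("$SECRET_TOOL" lookup "$attr" "$value") || secret=
    [ -n "$secret" ] || { echo "no keyring entry for $attr=$value" >&2; exit 3; }

    # printf is a builtin in bash and dash, so the password never shows up
    # in the process list; it only travels over the pipe.
    printf '%s\n' "$secret" | "$KEEPASSXC" --pw-stdin "$db" >/dev/null 2>&1
)

# Run only when called with arguments, e.g.:
#   ./keepass-unlock <path-to-your-database>.kdbx keepass <database_name> &
[ "$#" -eq 0 ] || unlock_keepassxc "$@"
```

The master password is held only in a non-exported shell variable for the lifetime of the subshell, so it is not written to the script file or passed on any command line.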
0

Two years old I know.

Heed the security implications. If you simply prefer to have locally stored passwords and have no other persons accessing the computer, then this should be just fine. Otherwise, you may prefer to look into getting a Yubikey.

I have no experience of them, though I have looked into them and they are used for authentication, which is what you want to do. KeePassXC supports the use of a Yubikey.

With that said, I have a solution to the issue in the comments about the terminal hanging. The following is a little bash script.

Crack open your terminal.

```bash
touch KeePassLogin && chmod +x KeePassLogin && nano KeePassLogin
```

Enter the following code:

```bash
#!/bin/bash

secret-tool lookup keepass Passwords | keepassxc --pw-stdin ~/Secured/Passwords.kdbx & sleep 3 ; echo ''
```

The echo functions as the enter key would. If you are not familiar with nano, ctrl + x and then enter will save the file after you have made the changes.

Added a delay because it appears that the password prompt doesn't always appear in time for the echo. You can try a smaller sleep time if three seconds is too long for you.

Once you are back at the terminal prompt:

```bash
./KeePassLogin
```

You could now add a new startup application with "/path/to/keePassLogin" as the command.

Update: I got to thinking about this, the security implications mainly, and with Yubikey coming to mind I chose to implement a little "security minded" addition.

I moved the KeePassXC database onto a USB drive and implemented this.

```bash
#!/bin/bash

# File: KeepassLogin
# Check if the specific security key is mounted.

while [ -z "$mnt" ]; do
    # Look for a mount point containing the drive label "securityKey".
    mnt=$(lsblk --output MOUNTPOINT | grep securityKey)
    if [[ $mnt != "" ]]; then
        secret-tool lookup keepass Passwords | keepassxc --pw-stdin "$mnt/KeePassXC.kdbx" > /dev/null 2>&1 &
        sleep 2
        echo "" > /dev/null 2>&1
    fi
    sleep 5
done
exit
```

Add a startup application to run the file (browse to the file in the startup application gui).

So what this does, briefly: at login, keepasslogin is set running. It will run every 5 seconds; you can adjust as you see fit, maybe 60 seconds suits you. The loop runs until it finds the USB device (the lsblk line). I named it securityKey to make it easy to identify; change that to the label of your USB stick.

I have also sent the outputs to /dev/null, so if you do run the script manually, say from a keyboard shortcut, then you don't get the unnecessary output in the terminal.

So while it's not really a security feature, it's more secure than a database stored on the computer. You could have the database on your person and plug it in as and when needed.

So, it's not a Yubikey, but the idea is in a similar fashion.