is a plugin for KeePass and provides a secure means of exposing KeePass entries via HTTP for clients to consume.
This plugin is primarily intended for use with PassIFox for Mozilla Firefox and chromeIPass for Google Chrome.
- returns all matching entries for a given URL
- updates entries
- secure exchange of entries
- notifies user if entries are delivered
- user can allow or deny access to single entries
- works only if the database is unlocked
- request for unlocking the database if it is locked while connecting
- searches in all opened databases (if user activates this feature)
- Whenever events occur, the user is prompted either by tray notification or requesting interaction (allow/deny/remember).
- Download KeePassHttp
- Copy it into the KeePass directory
- On linux systems you maybe need to install mono-complete:
$ apt-get install mono-complete
- Restart KeePass
- KeePass 2.17 or higher
- For Windows: Windows XP SP3 or higher
- For Linux: installed mono
- For Mac: installed mono | it seems to fully support KeePassHttp, but we cannot test it
KeePassHttp works out-of-the-box. You don't have to explicitely configure it.
- KeePassHttp stores shared AES encryption keys in "KeePassHttp Settings" in the root group of a password database.
- Password entries saved by KeePassHttp are stored in a new group named "KeePassHttp Passwords" within the password database.
- Remembered Allow/Deny settings are stored as JSON in custom string fields within the individual password entry in the database.
You can open the options dialog with menu: Tools > KeePassHttp Options...
The options dialog will appear:
- show a notification balloon whenever entries are delivered to the inquirer.
- returns only the best matching entries for the given url, otherwise all entries for a domain are send
- e.g. of two entries with the URLs http://example.org and http://example.org/, only the second one will returned if the requested URL is http://example.org/index.html
- if the active database in KeePass is locked, KeePassHttp sends a request to unlock the database. Now KeePass opens and the user has to enter the master password to unlock the database. Otherwise KeePassHttp tells the inquirer that the database is closed.
- KeePassHttp no longer asks for permissions to retrieve entries, it always allows the access.
- KeePassHttp no longer asks for permission to update an entry, it always allows updating them.
- Searching for entries is no longer restricted to the current active database in KeePass but is extended to all opened databases!
- Important: Even if another database is not connected with the inquirer, KeePassHttp will search and retrieve entries of all opened databases if the active one is connected to KeePassHttp!
- Removes all shared encryption-keys which are stored in the currently selected database. Every inquirer has to reauthenticate.
- Removes all stored permissions in the entries of the currently selected database.
If an error occures it will be shown as notification in system tray or as messagebox in KeePass.
If you are having problems with KeePassHttp, please tell us which versions of
- KeePass
- KeePassHttp
- error message (if availbale)
- clients
you are using.
For security reasons KeePassHttp communicates only with the symmetric-key algorithm AES. The entries are crypted with a 256bit AES key.
There is one single point where someone else will be able to steal the encryption keys. If a new client has to connect to KeePassHttp, the encryption key is generated and send to KeyPassHttp via an unencrypted connection.
If you want to develop new features or improve existing ones here is a way to build it at your own:
- copy the file Newtonsoft.Json.dll into the sourcecode folder
- delete the directory "bin" from sourcecode
- delete the directory "obj" from sourcecode
- delete the file "KeePassHttp.dll"
I use the following batch code to automatically do steps 2 - 4:
RD /S /Q C:\full-path-to-keepasshttp-source\bin
RD /S /Q C:\full-path-to-keepasshttp-source\obj
DEL C:\full-path-to-keepasshttp-source\KeePassHttp.dll
"C:\Program Files (x86)\KeePass Password Safe 2\keepass.exe" --plgx-create C:\full-path-to-keepasshttp-source
This is the only point at which an administrator snooping traffic will be able to steal encryption keys:
- client sends "test-associate" with payload to server
- server sends fail response to client (cannot decrypt)
- client sends "associate" with 256bit AES key and payload to server
- server decrypts payload with provided key and prompts user to save
- server saves key into "KeePassHttpSettings":"AES key: label"
- client saves label/key into local password storage
(1) can be skipped if client does not have a key configured
- client sends "test-associate" with label+encrypted payload to server
- server verifies payload and responds with success to client
- client sends any of "get-logins-count", "get-logins", "set-login" using the previously negotiated key in (A)
- if any subsequent request fails, it is necessary to "test-associate" again