What do you use for syncing your password manager between your Android phone and your PC? Apparently Nextcloud doesn’t support two-way syncing on Android for some reason, and Syncthing-Fork is still untrustworthy since the disastrous handover. The AI generated profile picture of researchxxl doesn’t exactly inspire confidence either, neither does his GitHub bio:
Hi! My name is Jonas and I like to use my coding skills from games and modding to continue work on the Syncthing for Android wrapper.
Everything about this person screams vibe coder.
Bitwarden is an alternative, but I don’t like how non-standard it is. It’s cumbersome to manage and backup, meanwhile the KeePass format is just a file that I can backup wherever and however I want and there are many frontends to choose from.
Have you solved this?
Vaultwarden
Vaultwarden, no question. When I used KeePass, I had Synology Drive which worked well to sync.
@clifmo @versionc not on android but vaultwarden syncs across basically everything. Mac, Linux, Windows, ios, and should hit the bitwarden app and extensions on android too. my only extra catch is I put it behind my tailnet. so I have to have the device on it to see it. Though if you are trying to stay away from bitwarden/vaultwarden I’m not sure.
Works perfectly on android. Push notifications, sync, passkeys, everything
Vaultwarden handles the syncing for me.
However I do export backups on both my phone and laptop just in case.
Do you do it manually into e.g. protected json, or to a normal zip (the former doesn’t support attachments as far as I know)? Or have you found a way to do it automatically? One con that I’ve read about this is that backups from one version are not guaranteed to work on another version. Thanks.
Well with Vaultwarden any synced device is a complete backup. So you don’t need to worry about version issues.
In the event of a server fail, can you export from any device?
Yes, but do not log out. If you do, you can’t log back in, and you can’t export. I’m paranoid so I still back up my encrypted db to cloud on a schedule.
Bitwarden.
Paid. Not because I need the added paid features, but because I value it and want to show my appreciation for the developers.
Paid bitwarden.
I use Bitwarden too. I now use the paid version (which is incredibly cheap) but I was able to sync between Android and PC without the paid for version iirc
The only (known to me) perk of the paid version is the encrypted storage (and probably the org feature).
So yeah. I see it more of a donation/appreciation than a service fee.
But the recent price increase stung a bit.
Paid also helps if you share passwords with multiple people.
I use Vaultwarden. Each synced device is a backup, so there’s no real need to keep anything further than that, but I do keep one backup of the server files anyway.
Yeah, that’s a good point. There are still a few cons though:
- If the server goes down (or your internet connection goes down), you can’t add entries to your database. Local changes aren’t allowed.
- Bitwarden doesn’t support supplementing your passphrase with a key file.
- The Bitwarden clients aren’t entirely FOSS as far as I understand, the SDK used has a non-free license.
There are pros and cons in both alternatives, and there is unfortunately not a perfect solution. I like the idea and philosophy behind the KeePass format, so the increase in syncing complexity is worth it (for now at least).
It’s true re adding passwords while the server is offline, but my server runs 24x7 and it’s never down for more than a few minutes. If it goes down, I fix it. I also backup the encrypted DB regularly to cloud, so there is little risk of data loss. I am a very satisfied Vaultwarden user. Especially because it allows password sharing with my family. Everyone has an account.
Vaultwarden with the Bitwarden Android app and browser extension for my desktop. I already have a solid system for backing up the important data for all my docker containers. As soon as I added it, it was automatically added to that process.
My spouse has an account so if I die she can gain access to my passwords with a simple request. That function is important to me.
My exact answer as well. Saved me some typing - thanks :)
On Android I use KeePassDx and Syncthing-Fork. The handover was rough but the maintainer of the Play version joined researchxxl’s team. Many on the Syncthing forum seem to have accepted research which is good enough for me. Also, KeePass’s database is encrypted so no danger there.
Do you store TOTP in a separate KeePass?
For me swapping between two Keepass DBs is annoying. I can’t find anything that will sync my 2FAs.
I don’t. Kinda seems silly to me.
To access a keepass file you already need 2 factors: the master password and access to the file.
It’s not really 2 factors if it’s stored in the same DB though.
I came from Bitwarden where the community recommendation was to not store passwords and 2FA together in the cloud. If a breach occurs and you lose both then there wasn’t a point in having the 2FA.
Less of a risk with a local solution but still not sure.
Yes, it is two factor, it’s just that there is no additional factors required to get the TOTP.
If you don’t use a password manager then you just remember your passwords. In this case the second factor is having access to a device that has your TOTP generator.
If you use keepass then you remember the password for your password db, and to access your passwords or TOTP you need access to a device with your keepass db.
If u have 2fa in the same database u can login on devices you don’t trust. E.g. a coworkers computer/public computer in library.
Yeah. So that seems to remove the 2 from 2FA…
Well yes, but no. If you only operate your password store on devices you trust, then even typing in your password on a device with a keylogger active, won’t compromise your account since you have the 2nd factor (e.g. the TOTPs)
Keepass + syncthing = win
If you’re using a keepass database, Keepass2Android can natively sync with many cloud options including self hosted and generic ones, even without specific “companion” apps. That’s what I use. In my case, it’s backed by my NextCloud, but it used to be Google drive before.
Just also sync the file on your PC, merging changes from different clients is part of the keepass database format and “just works”.
Also VaultWarden works great if you can self host it, but I prefer keepass for a variety of features and integrations.
KeePass2Android is a fantastic project. I’ve been using it for 10+ years on my Android devices. Every once in a while I’ll try a different variant, like KeePassDX, but I always return to the spartan look of KP2A. It “just works”, with no extra fluff.
merging changes from different clients is part of the keepass database format and “just works”.
This is the best thing about KeePass in general.
bitwarden
seems odd you say how cumbersome it is to manage and backup (not an issue I’ve faced though) and yet you are using some cumbersome alternative?
Personally, I use Keepass with syncthing and it works fine enough. If you don’t really trust the new person behind Syncthing-Fork, you could always install the older version before the handover (I think before v3.4?).
If you really don’t trust syncthing at all, you could just manually back it up. New passwords aren’t made every day, so you could just copy the passwords database over between your devices whenever there’s a change. That’s what I did before I heard about syncthing, and is what I do with my music still, since I don’t regularly update what music I listen to.
KeepassXC and Nextcloud. Been working fine for years.
Same setup here. Worked for years and I’ve no plans to switch. As long as Nextcloud is up, bidirectional editing is simple. Trouble comes when one of the clients edited the KeePass file and can’t sync.
I’ve had that happen though rarely. In those cases it’s been easy to manually merge the one or two entries if necessary.
Syncthing-Fork is still untrustworthy since the disastrous handover
Maybe I’m OOTL on this?
I thought everyone concluded that it was poorly communicated but ultimately no indication of any foul play.
Correct.
That conversation has finished, the dust has settled and syncthing-fork is fine.
I use KeepassDX syncing via Nextcloud, works flawlessly. I also used to use Keepass2Android, also works very well.
Can you elaborate on the “nextcloud doesn’t support 2-way syncing on android” statement? I can sync my Keepass database back and forth without issues.
I am also using KeepassDX and Nextcloud. I’ve had this setup for years and never had an issue with syncing.
I’m talking about this issue: https://github.com/nextcloud/android/issues/19
I see where you’re coming from. I also really wanted that in my early days of android and nextcloud. Turns out, nowadays you don’t really need that for most use cases, and definitely not for KeePass syncing. Nextcloud app for android exposes all the files via content framework and KeePassDX can sync two ways via that. Other apps like Keepass2Android even have direct nextcloud support via WebDAV, though these days I prefer KeePassDX a little bit more for unrelated reasons.
I recommend you try either KeePassDX or Keepass2Android and see for yourself.
Also, most file managers support CF and will show you your nextcloud files as if they were real files on the device, even without “real” two way sync, and most other apps will be able to save & open files directly from nextcloud.
I’m currently using KeePassDX and I’ve set up the Nextcloud server and downloaded the Android app. I’ll give it another shot. Can you explain more how you’ve set this up for yourself? What does CF mean, and what file manager do you recommend?
Thanks!
CF = content framework, android somehow decided that users shall not see and interact with “real” files and instead, have apps like nextcloud act like content providers and expose a file-like API …whatever, it is what it is, but in the end it works.
I’m currently using Material Files, but even android’s default file manager, bundled with the OS, shows Nextcloud in the left sidebar (your mileage may vary on this one, as each phone vendor tends to customize it a bit).
As for my setup, there’s really not much to it: I selfhost nextcloud, have KeePassDX and the Nextcloud app, and when you setup KeePassDX, select “Open existing vault” and in the sidebar you should be able to select Nextcloud and pick files from there.
Note: For Material files, and most file managers really, nextcloud might not show up by default (“security” or something), but you can “add external storage” and give it permissions.
I managed to get it up and running now, thank you! It wasn’t intuitive at all, compared to using nextcloud-client on the desktop. I’ll try this for a while and see if it works for me.
Glad to help!
Yeah, self-hosting often means trading more control for less convenience, some times more than others. Either way, I hope this setup works for you!
I’ve run into this issue with obsidian, but for whatever reason I haven’t had any issues with keepassdx.
When opening an existing keepass vault, on the left there’s an “Open From” pullout menu. You should be able to select your nextcloud from there. Then find your keepass file and it’ll just work.
I don’t know why, but obsidian doesn’t have the same file picker. There’s no “open from” menu. So you just have to drill into the filesystem, find the folder nextcloud is using, and choose your notes vault you’ve sync’ed in there. And for whatever reason, that seems to be the method that breaks Two-Way Sync.