
Opening KeePass securely and automatically in KDE

So I use KeePass a lot as my password manager. Why you should use a password manager is a little beyond this post, but it’s a great way to securely store individual passwords for every use you have, so you can use more secure passwords that you’ll never remember, and when one password is compromised, the other accounts you have remain secure.

KeePass works well in Ubuntu Linux using the Mono library, and it also works on Android and Windows, which I need. There is a KeePassX project for a native port, but the normal version works well enough for me.

So when I logged into KDE4 I would have to type in my Kwallet password (kwallet is the password manager built into KDE – if anyone builds a plugin to read Keepass files, I will send you money) so I could connect to the WIFI, then I would have to type in the master password for KeePass, and then occasionally KOrganizer will ask for my gmail password to sync the calendar.

This sucks, so I wrote a quick little script to store my KeePass master password in Kwallet, and when KDE starts, retrieve it and start KeePass automatically from the file in my Dropbox folder.

#!/bin/bash
# startup keepass with a password from KWallet
walletkey=$(/usr/bin/kwalletcli -f Passwords \
-e KeePass)

#open Keepass
mono /opt/KeePass2/KeePass.exe --lock &

#give keepass enough time to actually open, otherwise results are inconsistent
sleep 3

# Tell KeePass to open your password database
# (the password is passed on the command line here, so it is visible in the process list)
mono /opt/KeePass2/KeePass.exe \
"/home/user/Dropbox/keepass/passwords.kdbx" \
"-pw:$walletkey"

Then save this script somewhere (I put it in /usr/local/bin/) and then go into Settings -> startup/shutdown and tag it as a script to start when you log into KDE.

…So now I just log in, type in my Kwallet password, and KeePass opens as well.

 EDIT – 2015-04-06

Thanks to everyone who commented below with their ideas on improving this script. As mentioned, there’s a security issue with this script, which can be reduced by not putting the password directly on the command line. There are two methods below, YMMV, but I ended up with this hybrid:

#!/bin/bash
# startup keepass with a password from KWallet
walletkey=$(/usr/bin/kwalletcli -f Passwords -e KeePass)
dbpath="/home/user/Dropbox/keepass/passwords.kdbx"
# feed the password to KeePass on stdin instead of as a command-line argument
echo "$walletkey" | mono /opt/KeePass2/KeePass.exe "$dbpath" \
--pw-stdin

This works really well, and the password is only available briefly, really reducing the ease with which it can be sniffed. Still not 100%, but security is always a tradeoff between ease of use and effectiveness. Thanks for everyone’s help!
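A more defensive take on the stdin approach above, as an added example that is not from the original post: it refuses to start when the database is unreadable or the wallet returns nothing, and uses printf so that a password such as "-n" is not swallowed as an echo option. WALLET_CMD and KEEPASS_CMD are hypothetical override variables introduced here so the function can be exercised with stand-in commands.

```bash
#!/bin/bash
# Added example, not the post's script. WALLET_CMD and KEEPASS_CMD are
# hypothetical hooks (not part of kwalletcli or KeePass); the defaults are
# the paths used in the post.
: "${WALLET_CMD:=/usr/bin/kwalletcli}"
: "${KEEPASS_CMD:=mono /opt/KeePass2/KeePass.exe}"

launch_keepass() {
    local dbpath="$1" walletkey

    # Refuse to start if the database is missing (e.g. Dropbox has not synced yet).
    if [ ! -r "$dbpath" ]; then
        echo "database not readable: $dbpath" >&2
        return 2
    fi

    # Same kwalletcli flags as in the post: folder "Passwords", entry "KeePass".
    walletkey=$("$WALLET_CMD" -f Passwords -e KeePass) || return 3

    # A missing entry or a dismissed wallet prompt gives an empty string;
    # do not hand that to KeePass as if it were the master password.
    if [ -z "$walletkey" ]; then
        echo "wallet returned no password" >&2
        return 3
    fi

    # printf is a shell builtin, so the secret is never placed in the argument
    # list of any process. Unlike bash's echo, it also prints a password such
    # as "-n" literally instead of treating it as an option.
    # $KEEPASS_CMD is left unquoted on purpose so "mono /path" splits in two.
    printf '%s\n' "$walletkey" | $KEEPASS_CMD "$dbpath" --pw-stdin
}

# Typical call from the KDE autostart script:
# launch_keepass "/home/user/Dropbox/keepass/passwords.kdbx"
```
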


12 Comments

  1. Kevin

    Strong work. Thank you. Any luck with getting Keepass integrated into KDE? I have to move between multiple PCs and multiple OSs, so having a truly platform agnostic solution would be fine…

    • micah

      Not yet. I did notice a problem with this setup – the keepass password is listed in the process list because it’s passed on the command line. I don’t have a solution for this yet, but I’ll keep at it. You’re right though, keepass is the best cross-platform solution out there. KDE should really support the format.

      Maybe this could be my entry into C++ programming.

  2. First, thank you for this trick. It works very nicely.

    Just a remark about security issues with this approach. When doing this, your master password is readable by anyone logged in the same machine. The villain just has to issue a “ps -edag | grep Pass” in order to grab your password. This is not really a problem if you are alone on your machine but I thought it worth the disclaimer 🙂

    About KDE integration (or kind of), keepassX 2.0 (still in alpha but really usable) is well integrated with this desktop. And to speak about this post, it has the --password argument that is missing in older.

    • micah

      Right, I noted this security issue above.

      My problem with KeePassX is that it currently only supports 1.x style keepass databases, and more importantly, none of the browser plugins are supported. If it had http query capability like keepasshttp, I’d move over in a second.

      Thanks for the note about -password. Good to know.

      • bugzy

        This is useful. Thanks much.
        Note: KeepassX 2alpha supports Keepass 2.x db format.

  3. joh6nn

    thanks for this post, i’ve been trying to figure out a good way to do this for a while now.

    you can work-around the issue where the password is visible on the cli by first opening keepass, and then opening your password dbs, like this:


    walletkey=$(/usr/bin/kwalletcli -f Passwords \
    -e KeePass)

    mono /opt/KeePass2/KeePass.exe --lock &
    #give keepass enough time to actually open, otherwise results are inconsistent
    sleep 3

    mono /opt/KeePass2/KeePass.exe \
    "/home/user/Dropbox/keepass/passwords.kdbx" \
    "-pw:$walletkey"

    this way, the process that contains the password on the cli is very short-lived. theoretically still possible for someone to sniff the password under these circumstances, but it would require a much more concerted effort. in my testing, opening multiple databases required sleeping between each one, ymmv

    • micah

      Great idea with the command after opening. Thanks! I’ll update my script.

  4. semkath

    Thanks for this post! I took your script and modified it for my purposes. I came up with the following:

    #!/bin/bash

    APPID="KeePass Integration"
    DBPATH="/home/user/passwords.kdbx"

    handle=$(qdbus org.kde.kwalletd /modules/kwalletd org.kde.KWallet.open kdewallet 0 "$APPID")

    if [[ $(qdbus org.kde.kwalletd /modules/kwalletd org.kde.KWallet.isOpen kdewallet) == true ]]; then
        masterpw=$(qdbus org.kde.kwalletd /modules/kwalletd org.kde.KWallet.readPassword "$handle" "Passwords" "keepass_master" "$APPID")
        echo "$masterpw" | keepass "$DBPATH" --pw-stdin --minimize
    fi

    exit 0

    This gets rid of stating the password on the commandline and passes it via stdin instead. Also, I removed the dependency on kwalletcli. I’m using dbus calls via qdbus instead 🙂 If anyone wants to use this script, don’t forget to modify DBPATH to point to your KeePass database!

    • micah

      This is great! Thank you!

  5. Jack Thomasson

    use bash NOWDOC to hide password.

    keepass -pw-stdin <<< "$password"

  6. malevolent

    Just my two cents. If you are concerned about your privacy, you should use ownCloud instead of Dropbox 😉

    • micah

      I moved to Google Drive. ahaha.
