Yes, that sounds like a bad idea for some reason. But when using KeePass, I would like to get my container on several machines without having to drag a USB-stick around.

So the aim is to upload the encrypted juicy password blob to the cloud.

For KeePass there are several options. I have chosen KeeCloud, a plugin for KeePass.

It supports some extra protocols for KeePass's native synchronization feature. It adds support for:

  • Amazon Simple Storage Service (S3)
  • Azure Blob Storage
  • Dropbox

In this post, we'll look at how you could set it up for Azure Blob Storage ... but the others will be quite similar.

Update: KeeCloud itself seems a bit stale and it doesn't work anymore with the latest versions of KeePass. However, there is somebody called Catscratch29 who picked up the repo on Bitbucket and ensured compatibility with the latest KeePass. Hopefully they can keep that up! You can get it here: https://bitbucket.org/Catscratch29/keecloud.

Update: Ignore my previous update, KeeCloud is back up to date and works on Windows and Linux (with mono).

Installing the Plugin

I'm assuming you are already using KeePass with a local password file.

You can download the plugin from the website at bitbucket.org/devinmartin/keecloud/downloads.

  • Download the latest version
  • Unzip the file somewhere locally
  • Copy the KeeCloud.plgx file to the directory where the KeePass executable sits
    • Or a sub-directory

If you then start up KeePass and go to Tools > Plugins, you should see KeeCloud listed as an installed plugin.

KeeCloud loaded in the Plugins overview Window

Using Azure Blobs in KeeCloud

I'm going to use Azure Blobs myself, because I happen to have some Azure. If you don't have that, I believe this storage would be very cheap if it is only used for such small files. But there are some other (free) alternatives as well.

If you want to know how to set up Azure Blob Storage for this, I'll explain this later in the post. For now, I'm assuming you already have an Azure Storage Account.

Now:

  • Upload your password file manually to your Azure Blob Container
  • Find and remember:
    • The "Storage Account Name"
    • The "Container Name"
    • The "Storage Account Key"
    • The name of your Blob (i.e. the name of the file you uploaded ...)

See further down if you're not sure what this all means.

Azure Storage Explorer

Syncing your blob

Now open up KeePass and when your "vault" is open, go to "File > Synchronize > Synchronize with URL" (Ctrl + Shift + R).

Then you can fill in the following values:

  • URL: azure://{container-name}/{blob-name}
  • User name: {Storage Account Name}
  • Password: {Storage Account Key}
  • Remember: I suggest remembering the user name only
    • You can consider adding your Azure Storage Key to your passwords, since it'll be reasonably safe in your encrypted blob
    • Whenever you sync, you can then first quickly copy the password from your safe

This should be enough to synchronize your passwords to your Azure Blob Storage.

Open From URL in KeePass

Azure and Azure Blobs

So, on Azure, which is "Microsoft's Cloud Computing Platform" you can get many kinds of cloud services: Virtual Machines, Databases, ... but also just "storage". You can get the same thing on other Cloud providers, such as Amazon Web Services and Google Cloud. But I happen to have some Azure and not some of the other two.

One type of storage, and the cheapest I believe, is just to get a "Blob Container" up. A "blob" could be any kind of file, while a "container" is a place to put that blob "in the cloud".

If you're on Azure's portal (not the new preview one but the full portal), you can go to: "New > Storage > Quick Create" to create a new "Storage Account". If you are already doing stuff on Azure, you likely already have a Storage Account. If not, create one.

You must give it a name for the URL (something.core.windows.net), a location, and the kind of replication you want. "Locally Redundant" is the cheapest. Then click "Create Storage Account".

You can then go to "Storage", then click on your new Storage Account and go to the "Containers" tab.

Click "Add" to create a new container, which is the place where you can store files.

All you have to do is give it a name and declare it as Private or Public. In our case, it can be private.

Remember:

  • The name of your Storage Account
  • The name of your container

Azure Storage Overview

Creating a Blob With Azure Storage Explorer

Unfortunately, KeePass and KeeCloud won't create a new Blob for you. This means you'll have to upload your KeePass file once to your container.

The easiest tool I found for that was Azure Storage Explorer.

Start it up and click "Add Account". It will ask you for your "Storage Account" name, which you should already know, and a "Storage Account Key".

You can find this key via the Azure Portal. Go to: "Storage", select your container and click "Manage Access Keys". You'll get a Primary and Secondary access key. Copy one into the Storage Explorer.

Manage Access Keys in Azure

Once connected, navigate to your container and choose "Upload". Then upload your KeePass file and give it a name. This will be the name of your Blob.

Remember:

  • The key of your Storage Account
  • The name of your Blob.

Is it Expensive?

I would personally not get an Azure account only for this; I would think something like Dropbox is cheaper, unless you really, really don't trust Dropbox of course. Support for SpiderOak is on the wishlist. So if you don't know what to do this weekend, write support for that.

But to the point: from what I see in the pricing calculator, if you were to store 25 GB of Locally Redundant blob data and have 1 GB of traffic a month, you'd be paying 0.48 euro / month (0.45 for the storage, 0.03 for the bandwidth).

That is not much. And a password file is not 25 GB but only a few KB, so I would expect you'd be paying a lot less than that ...

Is it Safe?

I'm going to assume it is. Obviously KeePass and KeeCloud have access to your blob, as does Azure, but the blob is sent to Azure as an encrypted blob, over an encrypted connection (SSL). It is of course less safe than not sending your blob to some external service.
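
A pre-upload check for the above, as an added example that is not part of KeePass or KeeCloud: it confirms that the file you are about to put in the container really is a KeePass 2.x (KDBX) database rather than, say, a plaintext export, and that the sync URL has the azure://{container-name}/{blob-name} shape. The sample header, the CSV line and the names "keepass" and "passwords.kdbx" are constructed for illustration.

```python
import re
import struct
from urllib.parse import urlsplit

# KDBX files start with two little-endian uint32 signatures, then the
# format version as uint16 minor followed by uint16 major.
SIG1 = 0x9AA2D903
SIG2_KDBX = 0xB54BFB67  # KeePass 2.x database

# Azure container names: 3-63 chars, lowercase letters, digits, single hyphens.
CONTAINER_RE = re.compile(r"^(?=.{3,63}$)[a-z0-9]+(-[a-z0-9]+)*$")

# Constructed samples: a KDBX 3.1 header and the start of a plaintext CSV export.
SAMPLE_KDBX = struct.pack("<IIHH", SIG1, SIG2_KDBX, 1, 3) + b"\x00" * 16
SAMPLE_CSV = b'"Account","Login Name","Password"\n'


def kdbx_version(header: bytes):
    """Return (major, minor) if the bytes start a KeePass 2.x file, else None."""
    if len(header) < 12:
        return None
    sig1, sig2, minor, major = struct.unpack("<IIHH", header[:12])
    if sig1 != SIG1 or sig2 != SIG2_KDBX:
        return None
    return (major, minor)


def parse_sync_url(url: str):
    """Split azure://{container-name}/{blob-name} into (container, blob)."""
    parts = urlsplit(url)
    blob = parts.path.lstrip("/")
    if parts.scheme != "azure" or not blob:
        raise ValueError("expected azure://{container-name}/{blob-name}")
    if not CONTAINER_RE.match(parts.netloc):
        raise ValueError("invalid container name: %r" % parts.netloc)
    return parts.netloc, blob


def is_kdbx_file(path: str) -> bool:
    """Read only the first 12 bytes of a local file and check the signature."""
    with open(path, "rb") as fh:
        return kdbx_version(fh.read(12)) is not None


if __name__ == "__main__":
    print(kdbx_version(SAMPLE_KDBX), kdbx_version(SAMPLE_CSV))
    print(parse_sync_url("azure://keepass/passwords.kdbx"))
```

The signature only identifies the file format; it says nothing about how strong the master password protecting the database is.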

Conclusion

If you have Azure, Dropbox or Amazon for storage, you can set up the KeeCloud plugin to synchronize your password file seamlessly with KeePass. Always consider how much trust you put in your cloud storage, and of course make sure your master password is very strong.