KeePass, OTP, and Themes

Updated 21-Sep-2023

Originally published 2018-09-06, updated 2022-09-05

My beloved KeePassX has not seen a release since 2016, but a newer fork called KeePassXC has. The latest version looks very much the same when viewed from LMDE3 with a dark theme. The added functionality is quite nice: a TOTP seed and code generator.

For native theme support (under Debian), do:

  • sudo apt install qt5ct
  • Restart/relogin
  • Set preferences under Menu > Preferences > Qt5 Preferences > Appearance:
    • Style = gtk2
    • Standard dialogs = GTK2
    • Palette = Default

Update 2020-07-29: This is still a great app and I use it daily. One small problem that recently emerged is that the latest version of KeePassXC 2.6 (and 2.6.1) has an issue (#5095) with the search bar not being visible (or accessible to ctrl+f) when text is included next to or under icons.

OTP / TOTP Seed + Generator

OTP in software (a virtual device) is needed, and is the most convenient approach to having some kind of 2FA (two-factor authentication): not only a password but some other kind of evidence is required. Sometimes the key is tied to a device (as in the case of Google Authenticator). When not virtual, it is a dedicated hardware device (banks like to make you use their particular hardware device), though there can be multiple copies of the hardware device (as in multiple YubiKeys).

The problem with a single virtual device is the well-known issue of losing it (such as the phone that the software is kept on). Backups can be made of the seed codes (the QR codes and/or the strings they represent).

Authy Apps, Synchronization, and Cloud Backup

Authy is the best (and free) solution, though it does involve a third party (namely their cloud backup/sync application). Other than that, it is a reasonable approach and beats out Google Authenticator, and the sheer convenience of adding a seed once and accessing it across multiple apps is definitely a modern desire.

That said, if it were possible to have seeds in a more generic encrypted database with access to generated codes, that would be better (especially if multi-device, cross-platform).

Well, that is exactly what KeePassXC and Keepass2Android support. This was a revelation for me.

KeePassXC Desktop Application

KeePassXC is a fork of a fork, created most recently to spur the development of what was KeePassX, which had very slow development and is now dormant. The ability to do OTP was originally a plugin for the original KeePass (which supports plugins). Now we have something with the function built in, which also includes some enhancements from the older (and still serviceable) KeePassX, which unfortunately has 85 open pull requests on GitHub (come on, give someone else ownership of this project, already).

OTP Seed and Settings for Desktop KeePassXC

  • Click on the Advanced tab
  • Create additional attributes:
    • TOTP Seed - (add in the seed: 8 groups of 4 characters)
    • TOTP Settings - 30;6

An alternate method is to read the docs.

Note: CTRL + T copies the TOTP code
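What a generator does with the two attributes above, as an added example that is not KeePassXC's own code: it strips the spacing from the Base32 seed, reads 30;6 as a 30-second time step and 6 digits, and computes the RFC 6238 code with HMAC-SHA1. The function names and the sample seed are constructed for illustration; the seed is the published RFC 6238 test secret, not a real account.

```python
import base64
import hashlib
import hmac
import struct
import time


def parse_settings(settings):
    """Split a 'TOTP Settings' value such as '30;6' into (step_seconds, digits)."""
    step, digits = settings.split(";")
    step, digits = int(step), int(digits)
    if step <= 0 or not 6 <= digits <= 8:
        raise ValueError("unsupported TOTP settings: %r" % settings)
    return step, digits


def decode_seed(seed):
    """Decode a Base32 seed typed as space-separated groups, in any letter case."""
    compact = "".join(seed.split()).upper().rstrip("=")
    padded = compact + "=" * (-len(compact) % 8)  # b32decode needs full padding
    return base64.b32decode(padded)


def totp(seed, settings="30;6", now=None):
    """Return the RFC 6238 code (HMAC-SHA1) for the given seed and settings."""
    step, digits = parse_settings(settings)
    counter = int(time.time() if now is None else now) // step
    mac = hmac.new(decode_seed(seed), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


# Constructed sample: the RFC 6238 test secret "12345678901234567890",
# written the way the attribute is entered (8 groups of 4 characters).
SAMPLE_SEED = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

if __name__ == "__main__":
    print(totp(SAMPLE_SEED, "30;6"))
```

Anyone who can read the TOTP Seed attribute can compute every future code this way, so the database file and its backups need the same protection as the passwords stored beside the seed.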

Keepass2Android Mobile Application

The most serviceable Android Keepass2 implementation is the aptly named Keepass2Android, which is actively developed and available through the Google Play store. It too has OTP functionality, elegantly implemented.