If an AI apocalypse was to occur, would your KeePass setup be in jeopardy?

In Keepass, you have three things that you need to hold on for dear life: a, database, a password, and an optional keyfile. What do you do to ensure you always have these three things and at the same time ensure that no one can get a hold of it?

Here’s my keepass setup. I’m curious about your thoughts on my setup and on how I can improve it.

Cloud
- Gmail 1 Google Drive: holds database
- Gmail 2 Google Drive: holds key file

Hard Drive
- Computer: holds database (leave at home)

- USB 1: holds database  (always have with me)
- USB 2: holds key (leave at home)
- USB 3: holds key (always have with me)
- USB 4: holds Gmail 1 id, Gmail 2 id, and master password (leave at home)
- USB 5: holds Gmail 1 id, Gmail 2 id, and master password (always have with me)

Paper
- Paper1: Gmail 1 id, Gmail 2 id, and master password (leave at home)
- Paper2: Gmail 1 id, Gmail 2 id, and master password (always have with me)

If i’m right keepass encrypt your database so no one can access it except password owner (you, at least until someone else get that password) so do not worry its encrypted and you can store it on services like trutl or inside bitwarden or encrypt it one more time with GPG and upload it into google drive or mega.nz

Your database is “secure” if it is encrypted with a long secret password. If you decrypt it, it becomes easier to access its content. So it is more important to access your database on trustworthy systems.

If you use a long password here, you get good security. However, it is important to enter your password on trustworthy systems only, in trustworthy environments only, and you have to store it in a secure way.

A key file is just another file on a computer. So it can be copied or modified. An attacker could delete/modify this file, so you lose access to your database. An attacker can also copy this file, so there is not much protection here. It is more “security through obscurity”, because you hope that an attacker doesn’t find the correct file. It is important to keep this file in a protected environment, and to use it only on a trustworthy system.


In summary, it is more important to care about the security of the operating system than about the security of KeePass. Use your setup only on a trustworthy system, store your master secret in a secure way, and your key file on another medium (e.g., external flash drive, read-only access).

Finally, you can also configure challenge-response authentication and use a YubiKey. This is more secure than using a key file.

1 Like

Keeping the key-file on a USB to use it only when you need to open the database would be a good way to implement the key-file thing?
Can you configure nitrokey for keepass?

Would that be a replacement for the keyfile only ? Or for the master password as well ?

Isn’t it quite risky to add a keyfile to Kee Pass authentication ? After all, if it gets corrupted, you’re locked out. So you now need to make multiple backups of that file, ensure that they can’t be lost, etc.

1 Like

You probably could use it to replace key file AND master password. However, in this case everything depends on your security token with its pros and cons.

Yes, as mentioned in the first reply. A key file could be modified, and then you will be unable to log in. The same is likely true if you use “Windows account” for authentication (this was not included in our first answer).

1 Like

The risk of accidentally modifying the file remains. There is also the risk of losing the USB flash drive, or corrupting its memory somehow.

Good question. Currently, we don’t have a Nitrokey for testing. You could ask here: https://support.nitrokey.com/c/nitrokey-support