Uploading KeePassXC database online

I currently use KeePassXC as my password manager, and lately I’ve noticed how dependent I am on my database (if it were lost, it would take a lot of time to reset all the passwords, and for some of them I’m not even sure I could).

I already have copies on other flash drives, but I wanted to know how secure it would be to upload the database to the cloud (it would probably be Nextcloud, but let’s assume I don’t trust my provider; I do, but the passwords are not worth the risk).

I currently have it set up as KDBX 4.0 with a 5 second decryption time (I don’t really know what that means either, so an explanation would be much appreciated, although it is not the main question).

Another option is encrypting it with VeraCrypt before uploading it, so the server doesn’t know there is actually a KDBX file in there and also there would be the added encryption. Would that be a better alternative?

1 Like

You can use Cryptomator or VeraCrypt to upload your database. I think both programs are valid.

1 Like

All right, decryption time is the time your computer needs to compute the key transformations (your key is hashed/encrypted more than once). That is protection against dictionary attacks: a hacker will need more time, by that delay, to break your password. This is important, but a much bigger deal is how strong your master password is; make it long and include some special characters. You can edit more options when you select “Advanced settings” in the encryption settings, such as the encryption type (the math behind making your database look like random gibberish) and the key derivation function (make it Argon2, since it’s best against GPU hashing attacks); also make the transform rounds a little larger than the default. I don’t see a reason to use Cryptomator to encrypt an already encrypted database, since KeePassXC makes sure that with their encryption you can store your database with no other security precautions. The master password is the key; make it as strong as possible. More here.

1 Like
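The reply above describes the “decryption time” setting as the cost of the key transformation rounds that every guess of the master password has to pay. The following is an added example, not code from the thread or from KeePassXC: it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for KeePassXC’s AES-KDF/Argon2 (an assumption made so the example runs without extra packages), calibrates a round count to a target delay the way the setting does, and shows why the delay multiplies an attacker’s work per guess but does nothing for a password that is in a wordlist.

```python
import hashlib
import os
import time
from typing import Optional

# Added example (not KeePassXC code). PBKDF2-HMAC-SHA256 stands in for the
# AES-KDF / Argon2 transformations KeePassXC actually uses; the mechanics
# shown here (rounds multiply the cost of every guess) are the same.


def derive_key(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Stretch a master password into a 32-byte key using `rounds` iterations."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, rounds, dklen=32)


def calibrate_rounds(target_seconds: float, start_rounds: int = 10_000) -> int:
    """Mimic the 'decryption time' setting: double the round count until a
    single derivation takes at least target_seconds on this machine."""
    salt = os.urandom(16)  # constructed throwaway salt, used only for timing
    rounds = start_rounds
    while True:
        t0 = time.perf_counter()
        derive_key(b"calibration-only", salt, rounds)
        if time.perf_counter() - t0 >= target_seconds:
            return rounds
        rounds *= 2


def dictionary_attack_seconds(rounds: int, wordlist_size: int,
                              seconds_per_round: float) -> float:
    """Expected time for an attacker who tries every wordlist entry: each guess
    pays the full round count, so the delay you chose is paid once per guess."""
    return rounds * seconds_per_round * wordlist_size


def count_guesses_until_match(target_key: bytes, salt: bytes, rounds: int,
                              wordlist: list) -> Optional[int]:
    """Defender-side check: how many full derivations a wordlist needs before it
    reproduces target_key. A higher round count makes each guess slower, but a
    password that is in the list is still found."""
    for index, candidate in enumerate(wordlist, start=1):
        if derive_key(candidate, salt, rounds) == target_key:
            return index
    return None


if __name__ == "__main__":
    salt = os.urandom(16)
    rounds = calibrate_rounds(0.5)  # aim for roughly half a second per unlock
    per_round = 0.5 / rounds
    print(f"calibrated rounds: {rounds}")
    print("1e6-word list would cost about",
          dictionary_attack_seconds(rounds, 1_000_000, per_round) / 3600, "hours")
    # Constructed weak password and wordlist: rounds only slow the search down.
    weak_key = derive_key(b"password1", salt, rounds)
    print("weak password found after",
          count_guesses_until_match(weak_key, salt, rounds,
                                    [b"123456", b"qwerty", b"password1"]),
          "guesses")
```

The calibration loop is the reason the same database unlocks at different speeds on different machines: the round count is fixed into the file, the time per round is not. The last call shows the point the reply makes about the master password: with a weak password the rounds only stretch the search, they do not stop it.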

It depends on your cloud provider: whether it is end-to-end encrypted or not, with encryption taking place on your side and the provider having no ability to decrypt your files. As far as I know, encryption is not enabled by default on Nextcloud.

Mind the name of the file, which, in some situations, might be visible by the cloud provider (not a good idea, if it’s explicit).

If you use a non-encrypted provider, then I would say it’s better to double-encrypt yourself before uploading. In theory, a KeePass database is encrypted by itself, but dropping such a critical file out in the wild with only one level of protection…

For this, you could use VeraCrypt, Cryptomator or even 7-Zip with encryption.

If you use an encrypted cloud such as Tresorit or pCloud, you already have two levels of encryption, which, in theory, are under your control.

As an alternative to an encrypted cloud provider, you could choose a distributed, P2P storage system such as Resilio, where your file is split up in little bits and stored encrypted on other users’ computers. Or, Syncthing, which syncs with whatever devices you want through the Internet (open source). So, no central server with the associated hacking or snooping worries.

1 Like
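Two points in this thread concern what a provider can see: the original question asks whether a second container hides the fact that a KDBX file was uploaded, and the reply above warns that the file name may be visible. An additional detail worth knowing is that the KDBX outer header itself is not encrypted: the file signature, format version and the header fields (cipher ID, master seed, KDF parameters) are stored in the clear, so a renamed `.kdbx` is still recognisable by its first bytes. The parser below is an added example, not code from KeePassXC or from the thread; it reads the outer header of a KDBX 3/4 file and is run here on a constructed KDBX 4.0 header built inline (the field values are made up, only the signature constants and the AES-256 cipher UUID are the real ones from the format).

```python
import struct

# Added example (not KeePassXC code): inspect the unencrypted outer header of a
# KDBX file, which is what a storage provider could read regardless of the name.

KDBX_SIG1 = 0x9AA2D903  # fixed file signature, first 4 bytes (little-endian)
KDBX_SIG2 = 0xB54BFB67  # second signature used by KDBX 2.x and later
AES256_CIPHER_UUID = bytes.fromhex("31c1f2e6bf714350be5805216afc5aff")

HEADER_FIELD_NAMES = {
    0: "EndOfHeader", 1: "Comment", 2: "CipherID", 3: "CompressionFlags",
    4: "MasterSeed", 7: "EncryptionIV", 11: "KdfParameters", 12: "PublicCustomData",
}


def looks_like_kdbx(data: bytes) -> bool:
    """True if the first eight bytes carry the KDBX signatures."""
    if len(data) < 8:
        return False
    sig1, sig2 = struct.unpack_from("<II", data, 0)
    return sig1 == KDBX_SIG1 and sig2 == KDBX_SIG2


def parse_kdbx_outer_header(data: bytes) -> dict:
    """Parse signature, version and the TLV header fields that precede the
    encrypted payload. Raises ValueError if the data is not a KDBX header."""
    if not looks_like_kdbx(data) or len(data) < 12:
        raise ValueError("not a KDBX file")
    version = struct.unpack_from("<I", data, 8)[0]
    major, minor = version >> 16, version & 0xFFFF
    fields = {}
    offset = 12
    while True:
        field_id = data[offset]
        # KDBX 4 uses a 4-byte field length; KDBX 3.x used 2 bytes.
        if major >= 4:
            size = struct.unpack_from("<I", data, offset + 1)[0]
            offset += 5
        else:
            size = struct.unpack_from("<H", data, offset + 1)[0]
            offset += 3
        value = data[offset:offset + size]
        if len(value) != size:
            raise ValueError("truncated header field")
        offset += size
        fields[HEADER_FIELD_NAMES.get(field_id, f"field{field_id}")] = value
        if field_id == 0:
            break
    return {"version": f"{major}.{minor}", "fields": fields, "header_size": offset}


def build_sample_kdbx4_header() -> bytes:
    """Constructed KDBX 4.0 header for the demonstration (values are made up)."""
    def field(field_id: int, value: bytes) -> bytes:
        return struct.pack("<BI", field_id, len(value)) + value

    header = struct.pack("<III", KDBX_SIG1, KDBX_SIG2, 0x00040000)  # version 4.0
    header += field(2, AES256_CIPHER_UUID)
    header += field(4, bytes(range(32)))          # constructed master seed
    header += field(0, b"\r\n\r\n")               # end-of-header marker
    return header


if __name__ == "__main__":
    sample = build_sample_kdbx4_header() + b"<encrypted payload would follow>"
    info = parse_kdbx_outer_header(sample)
    print("KDBX version:", info["version"])
    for name, value in info["fields"].items():
        print(f"  {name}: {value.hex()}")
```

Everything the parser prints is readable by anyone who holds the file, which is the argument for the extra container: VeraCrypt, Cryptomator or an encrypted 7-Zip archive hides the signature and the header fields as well as the name, while the KDBX layer on its own only protects the payload behind the master password.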

Keep your passwords offline; encryption implementation flaws might not be found until later.

I recommend the 123 rule we IT guys follow: 3 backups, 2 local, 1 remote.

Yeah, it’s number three I don’t currently do…

By the way, can you confirm that, in practice, backing up the system as an image is not doable remotely, because of the huge amount of time it would take to download and restore?

Isn’t remote backup really only for the case where you need to restore some critical files or folders, for the same reason?

Unless your office has burned to the ground, and then you will need some time to recover anyway…