Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
KeePass plugin to expose password entries securely (256bit AES/CBC) over HTTP
branch: master

This branch is 119 commits behind pfn:master

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.
KeePassHttp
test
.gitattributes
.gitignore
KeePassHttp.plgx
KeePassHttp.sln
README

README

KeePassHttp plugin for KeePass

Provides a secure means of exposing KeePass entries via HTTP for clients to
consume.

This plugin is primarily intended for use with PassIFox and ChromeIPass
    - https://github.com/pfn/passifox
    - https://github.com/pfn/passifox/raw/master/passifox.xpi (save as)
    - alternate download link https://passifox.appspot.com/passifox.xpi

Mono users:
    1) Download KeePassHttp.dll and Newtonsoft.Json.dll
    2) Copy into KeePass directory
    3) You now have KeePassHttp working on Mono (Linux and Mac)

Prereqs:
    1) KeePass
    2) Newtonsoft.Json (bundled 3.5r8)

Build:
    1) msbuild
    or
    1) C:\Full\Path\To\keepass.exe --plgx-create C:\Full\Path\To\KeePassHttp

Pre-built:
    - https://github.com/pfn/keepasshttp/raw/master/KeePassHttp.plgx (save as)
    - alternate download link https://passifox.appspot.com/KeePassHttp.plgx

Install:
    1) Copy KeePassHttp.plgx to C:\Path\To\KeePass.exe\Dir

Configuration:
    a) No explicit configuration is necessary
    b) KeePassHttp stores shared AES encryption keys in
       \"KeePassHttp Settings" in the password database
    c) Password entries saved by KeePassHttp are stored in
       \"KeePassHttp Passwords" within the password database,
       feel free to move them from here or delete the group
    d) Remembered Allow/Deny settings are stored in custom
       JSON string fields within the individual password
       entry in the database

    1) Whenever events occur, the user is prompted either by tray
       notification, or requesting interaction (accept/deny/remember)

Protocol:
    1) New client or stale client (key not in database).  This is the only
       point at which an administrator snooping traffic will be able to
       steal encryption keys:

       a) client sends "test-associate" with payload to server
       b) server sends fail response to client (cannot decrypt)
       c) client sends "associate" with 256bit AES key and payload to server
       d) server decrypts payload with provided key and prompts user to save
       e) server saves key into "KeePassHttpSettings":"AES key: label"
       f) client saves label/key into local password storage

          (a) can be skipped if client does not have a key configured

    2) Client with key stored in server
       a) client sends "test-associate" with label+encrypted payload to server
       b) server verifies payload and responds with success to client
       c) client sends any of "get-logins-count", "get-logins", "set-login"
          using the previously negotiated key in (1)
       d) if any subsequent request fails, it is necessary to "test-associate"
          again
Something went wrong with that request. Please try again.