The Three Phases of Password Hosting

For the longest time, I hesitated to use a password manager. Trusting a cloud service for such an important matter did not sit well with me. For years, I kept all my passwords in a notebook. This was the pen and paper phase. It worked, but over time, the content grew too large. Changing passwords got messy. And if I lost my notebook (which, fortunately, did not happen), I would be in trouble. Maintaining a backup ultimately meant taking photos and trusting internet-touching devices and internet-based services.

I learnt about password managers and mustered the courage to use them. I did not yet know about self-hosting; I naturally turned to online solutions. This was the cloud phase. I used Bitwarden. I wish I had done so sooner. Generating passwords became so much easier. The app helped me keep my passwords synced across different devices. Changes were easy to make. I just had my master password and some recovery codes to keep secure.

Now I am in the self-hosting phase. This leap does not feel as drastic as the leap between the previous two phases, and again, I wish I had migrated sooner. I am using a combination of KeePassXC and Syncthing. Below is my recommended approach.

  1. As a prerequisite, you must be comfortable using Syncthing. Follow the documentation to establish a synced folder (‘Sync’) across multiple devices.
  2. Install KeePassXC.
  3. Open it and create a new database vault.kdbx in the Sync folder using the following parameters.
     • Database format: KDBX 4;
     • Encryption algorithm: ChaCha20 256 bit;
     • KDF: Argon2id (KDBX 4);
     • Transform rounds: 30; Benchmark 1 s delay;
     • Memory usage: 128 MiB;
     • Parallelism: 4 threads.
  4. When asked for a password, generate a 4-word passphrase from the EFF Long Wordlist. (This length is adequate if you use a properly generated key file (see below). Otherwise, use 6 words.) Write it down on paper and memorize it. This is your master password for the vault.
  5. Click “Add additional protection” and generate a key file vault.key. Save it in a location Syncthing cannot access.
  6. Now vault.kdbx should be available on all your devices. Transfer vault.key to the other devices using a flash drive or memory card. Again, make sure Syncthing does not touch the key file.
  7. Install KeePassXC on your other desktops. Install Strongbox or KeePassDX for iOS/Android. Open vault.kdbx from the appropriate app and provide the master password along with the path to the vault.key file on the device you are using.

Security Notes

  1. The use of a (properly generated) key file allows us to get away with a shorter passphrase for the master password. A 128-byte key file (as generated by KeePassXC) contributes 1000+ bits of entropy, which dominates the 50+ bits of entropy of the 4-word passphrase.
  2. Keeping the key file out of the synced folder, as described above, also protects against a scenario in which the Syncthing setup is compromised: whoever obtains vault.kdbx that way still lacks the key file.
  3. If you lose the key file or forget the master password, you lose access to the vault permanently. Maintain proper backups.
  4. It is all right to change the filename of the key file. Just make sure that the contents are never accidentally modified.
  5. No email is needed. No TOTP authentication is needed. The setup is simpler than the cloud-based setup.
  6. All your passwords are stored encrypted on your own devices. There is no cloud service provider you need to trust anymore with your security.
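As an added example (not part of the original post, nor KeePassXC code), the helpers below put numbers to the setup steps and to Security Note 1: passphrase entropy for the EFF Long Wordlist, the 128-byte key file, and a check that the key file path lies outside the Sync folder. The eight-word SAMPLE_WORDS list is a constructed stand-in so the code runs offline; entropy is computed against the real list size.

```python
import math
import secrets
from pathlib import Path

EFF_LONG_WORDLIST_SIZE = 7776   # the real EFF long list: five dice rolls, 6**5 words
KEY_FILE_BYTES = 128            # key file size quoted in the post

# Constructed stand-in for the EFF list (not the real list); entropy is always
# computed from EFF_LONG_WORDLIST_SIZE, never from this tiny sample.
SAMPLE_WORDS = ["abacus", "bramble", "cobweb", "dagger",
                "ember", "fjord", "gravel", "hinge"]


def passphrase_entropy_bits(words, wordlist_size=EFF_LONG_WORDLIST_SIZE):
    """Entropy of a uniformly chosen passphrase: words * log2(list size)."""
    return words * math.log2(wordlist_size)


def words_needed(target_bits, wordlist_size=EFF_LONG_WORDLIST_SIZE):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words, wordlist=SAMPLE_WORDS):
    """Pick words uniformly with the secrets CSPRNG (never random.choice)."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def generate_key_file_bytes(size=KEY_FILE_BYTES):
    """Raw random key-file material, 8 bits of entropy per byte."""
    return secrets.token_bytes(size)


def key_file_entropy_bits(key_material):
    return len(key_material) * 8


def key_file_outside_sync(key_path, sync_dir):
    """True when key_path is not inside sync_dir, so Syncthing never sees it."""
    key = Path(key_path).resolve()
    sync = Path(sync_dir).resolve()
    return key != sync and sync not in key.parents


if __name__ == "__main__":
    print(f"4 words: {passphrase_entropy_bits(4):.1f} bits")      # about 51.7
    print(f"6 words: {passphrase_entropy_bits(6):.1f} bits")      # about 77.5
    print(f"key file: {key_file_entropy_bits(generate_key_file_bytes())} bits")
    print(key_file_outside_sync("/home/u/.keys/vault.key", "/home/u/Sync"))
```

The path check is the one to wire into any backup script: a key file that ends up under the Sync folder silently undoes Security Note 2.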