Various Desktop Integrations of KeePassXC #
Secret Service Integration #
KeePassXC can be used as the system keyring provider. This way, any app that uses the system keyring for password storage will have its passwords saved in the KeePassXC database.
To do so, open application settings and enable KeePassXC Freedesktop.org Secret Service integration, or configure the following in ~/.config/keepassxc/keepassxc.ini:
[FdoSecrets]
Enabled=true
ShowNotification=true
ConfirmAccessItem=true
ConfirmDeleteItem=true
UnlockBeforeSearch=true
In database settings, choose a group under which entries will be exposed (a new, empty group is preferred). Then apps will be able to store passwords in, and retrieve them from, that group only.
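The [FdoSecrets] block above is the part of keepassxc.ini that decides whether an app gets a secret silently or only after you confirm it in KeePassXC. The following is an added example (not KeePassXC's own code): a small audit script that parses the ini file and reports every recommended setting that is missing or turned off. The key names are taken from the block above; the explanations attached to each key and the two sample configurations embedded in the script are constructed for this example.

```python
"""Audit a keepassxc.ini for the [FdoSecrets] settings recommended above.

Added example, not part of KeePassXC. Key names come from the page; the
explanation strings and the sample ini contents are constructed.
"""
import configparser
from pathlib import Path

# Each recommended key, the value we want, and what the weaker setting means
# (the "why" text is our own summary, not KeePassXC's documentation).
EXPECTED = {
    "Enabled": ("true", "Secret Service integration is off, apps will use another keyring or fail"),
    "ShowNotification": ("true", "no notification is shown when an app accesses a secret"),
    "ConfirmAccessItem": ("true", "apps can read exposed entries without a confirmation prompt"),
    "ConfirmDeleteItem": ("true", "apps can delete exposed entries without a confirmation prompt"),
    "UnlockBeforeSearch": ("true", "a locked database is not offered for unlocking when an app searches"),
}


def audit_fdosecrets(ini_text: str) -> list[str]:
    """Return one finding per deviation from EXPECTED; an empty list means all good."""
    cp = configparser.ConfigParser()
    # KeePassXC writes CamelCase keys; keep them instead of configparser's lowercasing.
    cp.optionxform = str
    cp.read_string(ini_text)
    if not cp.has_section("FdoSecrets"):
        return ["[FdoSecrets] section missing: integration is disabled"]
    section = cp["FdoSecrets"]
    findings = []
    for key, (want, why) in EXPECTED.items():
        got = section.get(key, "").strip().lower()
        if got != want:
            state = "missing" if got == "" else f"set to {got!r}"
            findings.append(f"{key} {state} (want {want}): {why}")
    return findings


def audit_file(path) -> list[str]:
    """Audit an ini file on disk (default location: ~/.config/keepassxc/keepassxc.ini)."""
    return audit_fdosecrets(Path(path).read_text())


# Constructed sample: integration enabled, but apps read secrets without confirmation.
WEAK_INI = """
[General]
ConfigVersion=2

[FdoSecrets]
Enabled=true
ConfirmAccessItem=false
"""

# Constructed sample matching the hardened block from the page.
HARDENED_INI = """
[FdoSecrets]
Enabled=true
ShowNotification=true
ConfirmAccessItem=true
ConfirmDeleteItem=true
UnlockBeforeSearch=true
"""

if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else Path.home() / ".config/keepassxc/keepassxc.ini"
    for line in audit_file(target) or ["FdoSecrets settings match the recommended configuration"]:
        print(line)
```

Run it with no arguments to check your own keepassxc.ini, or pass a path. Against WEAK_INI it reports four findings (three missing keys plus ConfirmAccessItem being false); against HARDENED_INI it reports none.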
GPG passphrase autofilling #
A quick overview of how this works: gpg retrieves the private key from the gpg-agent daemon, which invokes pinentry for password input when unlocking a key. Depending on the environment, pinentry chooses one of the various available interfaces: pinentry-gnome3, pinentry-gtk, pinentry-qt, pinentry-tty, etc.
When invoked, pinentry automatically retrieves the passphrase from the system keyring (in this case KeePassXC) if there is a corresponding entry. However, in order to create one in the database that pinentry can recognize, a graphical interface (e.g. pinentry-gnome3) has to be used at least once, with "Save in password manager" checked. Since this is the default behavior, nothing has to be configured so far.
After an entry is created, the default interface can be switched to pinentry-tty for minimalization (so that the passphrase is no longer passed through GUI toolkits). The passphrase should not be cached by the agent either. To achieve both, edit ~/.gnupg/gpg-agent.conf as follows:
default-cache-ttl 0
max-cache-ttl 0
pinentry-program /usr/bin/pinentry-tty
SSH passphrase autofilling #
This requires installing the gcr-4 package on the system. gcr-4 provides a gcr-ssh-agent service which wraps and substitutes for ssh-agent. The service automatically sets $SSH_AUTH_SOCK to its own socket, which tells ssh where to retrieve keys from. When asked for a key that has yet to be unlocked, the agent displays a GUI dialog for passphrase input.
When unlocking using the dialog, check "Automatically unlock this key whenever I'm logged in" to create an entry in the system keyring (the KeePassXC database). From then on, the SSH passphrase will be retrieved automatically whenever it is needed.
One problem is that, once a key has been added to the agent, it stays there for as long as the daemon lives, so you never get a chance to confirm use of the passphrase in KeePassXC. It's not possible to configure the TTL using a config file. While a TTL can be passed as a command line parameter when starting ssh-agent, there seems to be no way of doing so with gcr-ssh-agent, which is required for system keyring integration.
An alternative is to use SSH agent integration in KeePassXC.
SSH agent integration #
KeePassXC can integrate with the currently active SSH agent by automatically adding keys to or removing keys from it. In this case, keys are stored in the KeePassXC database instead of ~/.ssh.
Service configuration #
Since the regular ssh-agent service shipped with OpenSSH is already enough, gcr-4 is not needed. To make use of ssh-agent, manually enable the service and set $SSH_AUTH_SOCK:
systemctl --user enable ssh-agent
echo 'export SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/ssh-agent.socket' >> ~/.bash_profile # or wherever you store your envs; single quotes so $XDG_RUNTIME_DIR is expanded at login, not when this line is written
However, if gcr-4 is already installed on the system (perhaps required by other packages), gcr-ssh-agent should already be active. In this case, the above configuration is not needed. To use ssh-agent anyway, disable gcr-ssh-agent:
systemctl --user disable gcr-ssh-agent.socket
systemctl --user disable gcr-ssh-agent.service
KeePassXC configuration #
In application settings, enable SSH Agent integration.
In the database, wherever it fits, create an entry and add your SSH private key to Attachments. Then, in the SSH Agent section, choose the attachment as the private key, and adjust agent integration for this key as needed.
For the feature "Require user confirmation when this key is used" to work, a /usr/lib/ssh/ssh-askpass binary needs to be present on the system. An implementation can be installed through the package manager, or simply by creating a script like the following:
#!/bin/bash
# The prompt arrives as one multi-line argument: first line is used as the title, second as the body.
readarray -t LINES <<< "$1"
# notify-send -A prints the identifier of the action the user clicked ("default" for Yes).
# The script's exit status is that of this test: 0 approves the key use, non-zero denies it.
[ "$(notify-send -A "default=Yes" "${LINES[0]}" "${LINES[1]}")" = "default" ]
This page is released into the public domain under CC0 1.0.