How to set up a portable, non-cloud-based password manager

Setting up a non-cloud-based password manager whose password database can be accessed from more than one device is easier than it sounds.

Nothing does more to make strong passwords a central tenet of your electronic life than conscientious use of a password manager. However, the compromise of at least one cloud-based password manager last year, and recent actions by a government agency, may have given you second thoughts about using the cloud for something that instinctively feels like it should be managed locally.

Those incidents aside, password managers remain the best way to avoid reusing weak passwords, a habit as commonplace as the password leaks that happen every year, even on large, reputable websites. And, if you don't mind putting in a modicum of effort, you can still set up a non-cloud-based password manager that can be used across multiple devices.

Here, we take a closer look at how you can securely set up KeePass – a highly rated open-source password manager – in a way that keeps your passwords within easy reach. (There are two versions of KeePass that are maintained concurrently; we will be focusing our attention on KeePass 2.)

1. Setting up KeePass

At its core, KeePass is straightforward to understand. Each component of the composite master key (the master password and, optionally, a key file) is hashed with SHA-256; the hashes are combined and hashed again, run through a configurable number of AES key-transformation rounds, and mixed with a random seed from the database header. The 256-bit result is the AES-256 key that encrypts the password database.

To unpack that a bit for the layperson, SHA (Secure Hash Algorithm) is a family of cryptographic hash functions that reduce a file or string of any length to a fixed-size "fingerprint". It is a one-way function: the input cannot be recovered from the output. SHA-256 produces a 256-bit digest, and finding two different inputs with the same digest is computationally infeasible. AES (Advanced Encryption Standard) is a block cipher used throughout the internet; no practical attack on the cipher itself is known, so an attacker's only option is to try keys. AES-256 has 2^256 possible keys, far too many to enumerate, which is why attacks on a KeePass database target the master password rather than the cipher.

The use of strong encryption does not remove the need for a sufficiently complex master password: an attacker with a pilfered copy of the KeePass database can attempt to crack it offline with dictionary and password-guessing tools, and the cipher's enormous key space is irrelevant when the key is derived from a guessable password. Of course, having to remember just one extra-strong password to protect all the others is what makes a password manager appealing in the first place.

KeePass is available on Windows and, because it is written in .NET, can be made to run on OS X, Linux and BSD with Mono. A cross-platform port called KeePassX is also available for those who prefer not to use Mono, though it lacks certain features, such as support for plugins and, on non-Linux systems, auto-typing of passwords.


Overall, the KeePass project is mature and well-supported, and the download page on the official website lists contributed ports for mobile platforms ranging from Windows Phone, Android, iOS and BlackBerry to Palm OS. Your mileage may vary with some of the ports, though the top mobile platforms, Android and iOS, appear to be well served by apps that are actively maintained.

2. Strengthening your KeePass database

So what length of master password is good enough to properly secure a KeePass database? There is no clear consensus, mainly because of highly divergent factors such as the character set the password draws on and the speed of the hardware tasked with the brute-force attempt. Still, more than 12 characters of non-dictionary material is a reasonable start, and some recommend at least 20.

Figure: KeePass database encryption settings. KeePass has a built-in capability to calculate the number of key transformation rounds that your current PC can perform in one second.

Strong master password aside, KeePass offers two other main ways to ratchet up the security of the password database. The simplest is to have KeePass run the composite key through additional key transformation rounds (repeated AES encryptions of the key before it is used). The default is 6,000 rounds, but it can be set much higher: every guess an attacker makes must repeat the same work, so the cost of a brute-force attack grows in proportion to the round count, and a few thousandfold increase makes the attack orders of magnitude harder.

Indeed, a modern desktop or laptop could easily be set to between 10 million and 20 million rounds for those who can live with a very slight delay when opening (and saving) the password database. KeePass itself comes with a nifty feature that benchmarks how many key transformation rounds take one second on the current machine. Of course, it may be a good idea to ease off slightly if you intend to access the database from a smartphone, since the same number of rounds takes several times longer on a slower processor.
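To make the derivation described in the previous section and the effect of the rounds setting concrete, here is an added example in Go. It is my code, not the KeePass project's; it follows the KeePass 2.x (KDBX 3.1) AES key transformation: hash each component, hash the concatenation, encrypt the result with AES-256 in ECB mode for the configured number of rounds using the header's transform seed, hash again, then hash together with the header's master seed. The function names, the fixed seeds and the sample key file bytes are constructed for the demonstration (a real header carries random seeds), and KeePass's own XML key-file format is not handled.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// hashPassword hashes the master password the way KeePass 2.x does before it
// is mixed into the composite key.
func hashPassword(password string) []byte {
	h := sha256.Sum256([]byte(password))
	return h[:]
}

// hashKeyFile turns the bytes of a key file into a 32-byte component. KeePass
// uses a 32-byte file verbatim, decodes a 64-character hex file, and otherwise
// hashes the whole file. Its own XML key-file format is omitted here.
func hashKeyFile(data []byte) []byte {
	if len(data) == 32 {
		return data
	}
	if len(data) == 64 {
		if raw, err := hex.DecodeString(string(data)); err == nil {
			return raw
		}
	}
	h := sha256.Sum256(data)
	return h[:]
}

// compositeKey concatenates the hashed components and hashes them again.
// With only a password this is SHA-256(SHA-256(password)).
func compositeKey(components ...[]byte) []byte {
	h := sha256.New()
	for _, c := range components {
		h.Write(c)
	}
	return h.Sum(nil)
}

// transformKey is the step the "rounds" setting controls: the 32-byte composite
// key is AES-256-ECB encrypted `rounds` times with the transform seed stored in
// the database header, then hashed. Every attacker guess must repeat this work.
func transformKey(composite, transformSeed []byte, rounds uint64) []byte {
	block, err := aes.NewCipher(transformSeed) // a 32-byte seed selects AES-256
	if err != nil {
		panic(err)
	}
	buf := make([]byte, 32)
	copy(buf, composite)
	for i := uint64(0); i < rounds; i++ {
		block.Encrypt(buf[:16], buf[:16])
		block.Encrypt(buf[16:], buf[16:])
	}
	h := sha256.Sum256(buf)
	return h[:]
}

// finalKey mixes the header's master seed with the transformed key to produce
// the 32-byte AES-256 key that encrypts the database body.
func finalKey(masterSeed, transformed []byte) []byte {
	h := sha256.New()
	h.Write(masterSeed)
	h.Write(transformed)
	return h.Sum(nil)
}

// roundsPerSecond mimics KeePass's "1 second delay" benchmark: time a fixed
// batch of rounds on this machine and scale the result to one second.
func roundsPerSecond(transformSeed []byte) uint64 {
	const batch = 200000
	start := time.Now()
	transformKey(make([]byte, 32), transformSeed, batch)
	return uint64(float64(batch) / time.Since(start).Seconds())
}

func main() {
	// Constructed seeds and key file; a real header carries random seeds.
	transformSeed := []byte("0123456789abcdef0123456789abcdef")
	masterSeed := []byte("fedcba9876543210fedcba9876543210")
	keyFile := []byte("not a real key file, just sample bytes")

	composite := compositeKey(hashPassword("correct horse battery staple"), hashKeyFile(keyFile))
	key := finalKey(masterSeed, transformKey(composite, transformSeed, 6000))
	fmt.Printf("database key: %x\n", key)

	rps := roundsPerSecond(transformSeed)
	for _, rounds := range []uint64{6000, 10000000} {
		fmt.Printf("%d rounds: %.4f s per guess on this machine\n", rounds, float64(rounds)/float64(rps))
	}
}
```

The benchmark shows why the rounds setting matters: the per-guess time it prints is what an attacker pays for every candidate password on comparable hardware, and it is also the delay you pay on the slowest device you open the database from.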


Strengthen your composite master key with a key file or second factor authentication on top of a strong master password.

The second approach involves specifying a key file, or input from a key provider plugin, on top of the master password. As described earlier, every component is folded into the composite master key that encrypts the database, so an attacker who steals only the database file has nothing to guess against: without the key file's contents, no amount of password guessing will succeed. (If the key file is stolen along with the database, the attacker is back to guessing the password, so keep the two apart.) We won't be looking at the option involving "Windows user account," since it's Windows-only and isn't portable across devices.

While the master password is “something you know,” the use of a key file allows for the implementation of a “something you have” approach. Specifically, the key file could be saved on a USB flash drive which is physically required to unlock a KeePass database.

An alternative to a flash drive is the YubiKey, a dedicated hardware token the size of a small USB dongle designed for two-factor authentication. With the Challenge-Response key provider plugin for KeePass, a YubiKey can be set up so that it must be plugged into a USB port for the password database to be decrypted.

This is done by programming one of the YubiKey's slots for HMAC-SHA1 challenge-response with the YubiKey Personalization Tool, and feeding the same secret to the Challenge-Response key provider plugin when setting up KeePass on the desktop. Subsequent attempts to load the KeePass database will prompt for the YubiKey.
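The exchange behind that prompt, as an added example in Go that is my own simplified model and not the plugin's or Yubico's code: the token holds a 20-byte secret and answers any challenge with HMAC-SHA1 over it; the host side keeps a small sidecar file next to the database containing a random challenge and the real 32-byte key-provider secret sealed under the token's response to that challenge. Unlocking sends the stored challenge, unwraps the secret, then rotates to a fresh challenge and rewrites the sidecar. The `YubiKey` and `Sidecar` types, the AES-GCM wrapping and the sample secrets are assumptions for the demonstration; the real plugin's file format and wrapping differ.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
	"fmt"
)

// YubiKey models one slot programmed for HMAC-SHA1 challenge-response, the
// mode the YubiKey Personalization Tool sets up with a 20-byte secret.
type YubiKey struct{ secret []byte }

// Respond is what the token does: HMAC-SHA1 over the challenge, 20 bytes back.
// The slot secret never leaves the token; only responses do.
func (y YubiKey) Respond(challenge []byte) []byte {
	m := hmac.New(sha1.New, y.secret)
	m.Write(challenge)
	return m.Sum(nil)
}

// Sidecar is the per-database state the key provider keeps next to the .kdbx.
type Sidecar struct {
	Challenge     []byte // presented to the token on the next unlock
	Nonce         []byte
	WrappedSecret []byte // 32-byte key-provider secret, AES-256-GCM sealed under the response
}

// aeadFromResponse stretches the 20-byte response into an AES-256-GCM key.
func aeadFromResponse(response []byte) (cipher.AEAD, error) {
	k := sha256.Sum256(response)
	block, err := aes.NewCipher(k[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal wraps the secret under a fresh random challenge.
func seal(y YubiKey, secret []byte) (Sidecar, error) {
	challenge := make([]byte, 32) // the token accepts challenges of up to 64 bytes
	nonce := make([]byte, 12)
	if _, err := rand.Read(challenge); err != nil {
		return Sidecar{}, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return Sidecar{}, err
	}
	aead, err := aeadFromResponse(y.Respond(challenge))
	if err != nil {
		return Sidecar{}, err
	}
	return Sidecar{Challenge: challenge, Nonce: nonce, WrappedSecret: aead.Seal(nil, nonce, secret, nil)}, nil
}

// Enroll generates the secret KeePass will mix into its composite key and
// wraps it so that only this token can unwrap it.
func Enroll(y YubiKey) ([]byte, Sidecar, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, Sidecar{}, err
	}
	sc, err := seal(y, secret)
	return secret, sc, err
}

// Unlock is the "insert your YubiKey" step: challenge the token, unwrap the
// secret, then rotate the challenge so the sidecar never replays one. A wrong
// token or a tampered sidecar fails GCM authentication and yields nothing.
func Unlock(y YubiKey, sc Sidecar) ([]byte, Sidecar, error) {
	aead, err := aeadFromResponse(y.Respond(sc.Challenge))
	if err != nil {
		return nil, Sidecar{}, err
	}
	secret, err := aead.Open(nil, sc.Nonce, sc.WrappedSecret, nil)
	if err != nil {
		return nil, Sidecar{}, errors.New("wrong token or tampered sidecar")
	}
	next, err := seal(y, secret)
	return secret, next, err
}

func main() {
	// Constructed 20-byte slot secret; the Personalization Tool would generate this.
	token := YubiKey{secret: bytes.Repeat([]byte{0x42}, 20)}
	secret, sc, err := Enroll(token)
	if err != nil {
		panic(err)
	}
	got, next, err := Unlock(token, sc)
	fmt.Println("unlocked:", err == nil && bytes.Equal(got, secret), "challenge rotated:", !bytes.Equal(next.Challenge, sc.Challenge))
	_, _, err = Unlock(YubiKey{secret: bytes.Repeat([]byte{0x13}, 20)}, next)
	fmt.Println("other token:", err)
}
```

Two properties of this design are what matter in practice: the secret KeePass actually uses stays constant across unlocks, so the database itself is never re-keyed, and the sidecar changes on every successful unlock, which is why it has to travel with the database to any other device.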


You’ll need the YubiKey Personalization Tool to configure your YubiKey.

3. Synchronizing between devices

The simplest way to use KeePass everywhere is to save KeePass and the password database on a USB flash drive and carry it along. KeePass supports this mode: it can run directly off a portable drive with no installation. The downside, though, is the risk of losing the only copy (or the latest copy, for those who make regular backups) of the password database, as well as the inability to access it from a smartphone or tablet.


An alternative method supported by KeePass is to manually sync the database to a network share or FTP site. A number of third-party plugins add support for cloud storage such as Google Drive, OneDrive and Dropbox, as well as Amazon S3 and servers reachable over SCP or FTPS.

While all of the above is technically the cloud, the advantage of using KeePass with them is that an attacker who gains unauthorized access to the cloud account still has to crack the encrypted database file. Provided the advice in the previous section is followed, and the key file is not stored in the same account as the database, that is a non-trivial task indeed.

For those who desire to stay completely off the public cloud, one option would be to sync the KeePass database between devices using BitTorrent Sync. Free for personal use, BitTorrent Sync is also available on all major desktop and smartphone platforms.

4. Using KeePass on your smartphone

Getting KeePass to work on your mobile device of choice is a matter of synchronizing the password database file and opening it from a supported KeePass client. As noted earlier, a number of options are available to synchronize the password database across multiple devices. It is worth noting that not all cloud storage services support downloading a file for offline access, so you may have to resort to third-party apps for this.

For those using KeePass in Challenge-Response mode with a YubiKey, it is critical to ensure that the plugin's XML file is kept in sync too, since the database cannot be unlocked without it. The YubiKey configuration outlined in the previous section works with both the KeePass2Droid and Keepass2Android apps once the free YubiChallenge app is installed. When challenged, simply tap the NFC-capable YubiKey Neo on the smartphone's NFC reader to be authenticated.

Note that Challenge-Response mode on a smartphone works only with the YubiKey Neo, and only on NFC-capable Android devices. At the moment, the iPhone's restricted support for NFC means the YubiKey Neo will not work with iOS devices, though a Bluetooth version is understood to be under development.

Stories by Paul Mah