Workflow with keypass2Android database file in vault

Hi !

So I have recently started to store my KeePass database file in OneDrive in a Cryptomator vault. From within Windows everything is fine, since I can point KeePass to open the kdbx database file from the drive Cryptomator mounts when unlocking. However, in Android it's very difficult to access the database file.

Apparently the path to the unlocked vault changes every time I lock and unlock the vault on Android, so if I open Keepass2Android I get an error message like this: "An error occurred: open failed: ENOENT (no such file or directory)", even when I unlocked the vault before. The file location Keepass2Android reports is simply: content://Alexander.kdbx

So do I really have to unlock the vault from within Cryptomator and then open the database file from there (which opens KeePass) each time I want to access the database? This is kind of weird. It gets even more difficult if I let Keepass2Android create local copies of the database, since it then defaults to using those if it can't access the online version.

I'm not really sure what happens in the background when I unlock a vault on Android regarding the file location of the unlocked vault. I couldn't find anything in the documentation, so is there a best practice for how to deal with this situation?

Thanks,
Alex

PS: This is on a Huawei P30 Pro with Android 10 / EMUI 11, in case that's important.

Hi Alex

Welcome to the Community!

Currently this is the way to go but there is a feature planned for the Android app called Document Provider which will let the Cryptomator app provide the file for Keepass2Android instead of downloading and opening it.

I’m not sure though if this will solve your problem with unlocking the vault. Maybe @SailReal can shed some light.

While not directly addressing the issue, I'd like to give some thoughts on the preconditions of the problem:

@Alexander_Fagot Consider storing your KeePass file outside of Cryptomator. As long as it is secured with a password as secure as the one of the Cryptomator vault, there is no benefit you gain from encrypting twice.

See also:

https://www.reddit.com/r/crypto/comments/1nhi4m/why_encrypting_twice_is_not_much_better/


Hi!

Thanks, @sToRmInG and @infeo, for your replies. Your suggestion to store the KeePass database in plain sight on a cloud drive would of course be way easier, and I agree that per se double encryption doesn't make much sense. However, while not being a security expert, common sense tells me there would still be benefits to storing the database in a vault:

  1. In case KeePass ever has a security vulnerability, I wouldn't be solely dependent on that encryption.
  2. If someone gains access to my OneDrive, they would see that there is a password manager file there, which could trigger their interest. If the database file is encrypted, they wouldn't.

So yeah, I am not sure if I am being paranoid here but those 2 arguments sound like a good reason to use a vault anyway.

@Alexander_Fagot In general you should keep in mind what happens if, e.g., your apartment burns down and you have to gain access to your KeePass database on an all-new device.
To gain access to your KeePass database you need the passwords for the Cryptomator vault and the cloud provider, which themselves are stored in your KeePass database. If the printed version of your restore key for the cloud provider or Cryptomator is also lost, you have a huge problem.

I, for example, store the KeePass database in OneDrive next to, not in, the vault. In addition to the password of the KeePass database, I use a keyfile which I transferred offline to each device.
Maybe this works for you as well and respects your need for an extra layer of security. Indeed (in my opinion) this is a better way, since for authentication I need to HAVE the keyfile and I need to KNOW the password, instead of just KNOWING two (hopefully) different passwords.

Best regards.

@mag-oreo Thanks for chiming in. Hmm, it's not that hard to remember two or three passwords (Windows login, vault and KeePass), especially if I use them a lot, so I am not worried about gaining access in case my house burns down. Unless I suffer from brain damage of course, but then I have more problems, I suppose.

As for the keyfile: what's the big advantage of using that feature if it's on each device I use anyway? If a hacker gains access to my device, he will have access to the keyfile as well. But maybe I don't understand the purpose of that keyfile. AFAIK it's useful if you carry it with you as a dongle that you plug in to your device, but putting it on your device kind of defeats that purpose, no?