Knowledge Base

Preserving for the future: Shell scripts, AoC, and more

Passkeys from Vaultwarden or KeepassXC

I recently was forced to start using passkeys to retain access to a bank website where I've already been able to log in using conventional means for years. The site completely disabled the use of passwords, except to set up a passkey, along with an emailed 2FA code. I hate passkeys, and hate that technology is being used against users.

If you are forced to use passkeys, here are two current options that do not depend on mobile devices or other locked-down tech.

Vaultwarden

Vaultwarden, a self-hostable, Bitwarden-compatible server, supports storing passkeys. I had to upgrade my Vaultwarden container, which was a year or two out of date, to make it work with the official Bitwarden browser extension, which thankfully is Free Software and is licensed GPL-3.0.

The browser extension needs to be installed, and then configured to ask to save and use passkeys.

This was the quickest thing for me to set up, because I already had Vaultwarden running. But it depends on a server running the software.

KeePassXC

Note: This one took more clicks to enable fully than the Bitwarden one.

I use KeePass2, the official KeePass implementation, but a lot of the GNU+Linux world has moved to KeePassXC. One of the reasons is that KeePassXC supports passkeys.

I installed it with apt-get install keepassxc-full. I recall there was some drama recently (wow, 2 years ago) that the Debian maintainer disabled some functionality in their package. Use the -full one to get support for the browser extension.

And then install the official browser extension. I had to restart the browser once or twice to get it to recognize that KeePassXC was running.

In the extension settings, you have to enable passkeys. They are not enabled by default.

In KeePassXC, you have to go to menu Tools -> Settings -> tab Browser Integration -> Enable browser integration. Choose your browser. You might need to restart KeePassXC too.

The browser extension should prompt you to connect to KeePassXC's database.

Transferring passkey from Vaultwarden to KeePassXC

One of the main points I wanted for a software-based solution for passkeys is that I want to own the data. I'm going to guess that the GDPR from our own backwards EU might have had something to do with this being possible (exporting your own data from a service). So I guess I'm grateful for the GDPR for once.

You can visit Vaultwarden's web interface and export your database.

Then visit KeePassXC and use menu Database -> Import.... Choose type "Bitwarden" and select the file.
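Before importing, it helps to confirm what the exported file actually holds. The script below is an added example, not code from Vaultwarden, Bitwarden or KeePassXC. It assumes the export is unencrypted Bitwarden-style JSON with passkeys stored under items[].login.fido2Credentials (those field names are an assumption about the export format), and it runs on a constructed sample.

```python
import json
import os
import stat
import tempfile

# Constructed sample in the assumed Bitwarden JSON export layout (not real data).
SAMPLE_EXPORT = {
    "encrypted": False,
    "items": [
        {"name": "Example Bank", "login": {
            "username": "alice", "password": "constructed-placeholder",
            "fido2Credentials": [{"rpId": "bank.example", "userName": "alice",
                                  "keyValue": "CONSTRUCTED-NOT-A-REAL-KEY"}]}},
        {"name": "Forum", "login": {"username": "alice", "password": "x"}},
        {"name": "Secure note", "login": None},
    ],
}

def write_sample_export():
    """Write the constructed sample to a temp file (mkstemp creates it mode 0600)."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_EXPORT, fh)
    return path

def summarize_export(path):
    """Return (encrypted, readable_by_others, passkeys); key material is never returned."""
    mode = os.stat(path).st_mode
    readable_by_others = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    with open(path, encoding="utf-8") as fh:
        doc = json.load(fh)
    if doc.get("encrypted"):
        # Password-protected export: items are not visible without decrypting.
        return True, readable_by_others, []
    passkeys = []
    for item in doc.get("items", []):
        login = item.get("login") or {}
        for cred in login.get("fido2Credentials") or []:
            passkeys.append((item.get("name"), cred.get("rpId"), cred.get("userName")))
    return False, readable_by_others, passkeys

if __name__ == "__main__":
    path = write_sample_export()
    try:
        encrypted, exposed, passkeys = summarize_export(path)
        print("encrypted export:", encrypted, "| readable by other users:", exposed)
        for name, rp_id, user in passkeys:
            print(f"passkey: {name} -> {rp_id} ({user})")
    finally:
        os.remove(path)  # an unencrypted export should not be left on disk
```

Under that layout an unencrypted export carries the passkey private keys in plaintext, so remove the file once the entries show up in KeePassXC.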

Conclusion

KeePassXC took more clicks to set up, but it can all be run on a desktop computer without server-type components (Docker) running.

Vaultwarden feels a little more usable on the client side, but requires extra equipment to be running.

I'd rather just use passwords. It took way less work to own your credential and to use it.

Additional reading

These might have been linked above, but are included here again for full reading if you get bored.

  1. KeePassXC Debian maintainer has removed all network features | Hacker News
  2. Debian Sid No-Feature KeePassXC Package | Hacker News
  3. Debian No-Feature KeePassXC Package · Issue #10725 · keepassxreboot/keepassxc