I’m trying to sync a KeePassXC database between my Android phone and my Manjaro Linux system. I want full two-way sync of changes, but I don’t want deletions on one device to remove the file on the other. What’s the best way to configure this? Tools like Syncthing seem close, but I’m not sure which folder settings or ignore rules would prevent deletion sync while still keeping both sides updated. Any guidance or examples would help. Thanks!
It seems like you need backups, so perhaps just add backups?
Also, it could always happen that a bug breaks your file during sync.
Many Keepass clients have support for not actually deleting entries, and instead moving them to a “Trash” subgroup inside the kdb that is ignored when searching entries. Also they usually keep track of the history of changes to each entry, to make it non-destructive.
Coupled with Syncthing typically automatically creating backups whenever it encounters conflicting changes, I feel this should be enough, at least for me personally.
There is a way to make this work. It goes like this:
- You do not use any external sync mechanism. Instead you work on one file only. Multiple clients can have it open simultaneously.
- The apps I use successfully that way are KeepassXC on Linux and Keepass2Android on Android.
- You make the file accessible via SFTP (WebDAV might work too, although I haven’t tried that). I have a public server running where I created an account to only serve this keepass db file.
- On the Linux clients I created an automount via SSHFS. KeepassXC opens the file via this mount.
- Keepass2Android has SFTP built-in and can therefore access the file directly itself. This is important since all solutions that involve presenting the file via Android Storage Provider are not designed for that task and can lead to data loss (ask me how I know.) That’s why KeePassDX is not an option. It deals with local files only. (I haven’t checked any of the other Android apps.)
- The syncing is handled by the apps themselves. They can detect or be made aware of changes to the file by the user that may happen even whilst they have it open, and they both handle the syncing correctly and reliably.
- Keepass2Android can even deal with network outages since it is smart enough to keep an internal local copy of the file and to take care of the sync later.
- Since KeepassXC doesn’t have this caching it needs the network to be up. You should create a cron job (or systemd timer) that makes a local copy every now and then, so you have a fallback.
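The periodic local fallback copy suggested in the last step above, as an added example that is not part of the original post. The function name `backup_kdbx`, the `keepass-<timestamp>-<n>.kdbx` naming and the default of 14 retained copies are assumptions; the source would be the database on the SSHFS mount.

```shell
#!/bin/sh
# Added example: versioned local fallback copies of a KeePass database.
# Function name, file naming and retention count are assumptions.
KDBX_MAGIC="03d9a29a67fb4bb5"   # KDBX signature bytes as stored on disk

# backup_kdbx SRC DEST_DIR [KEEP]
# Returns 0 if a copy was made or nothing changed, 1 if SRC was rejected.
backup_kdbx() {
    src=$1; dest=$2; keep=${3:-14}
    umask 077                       # backups readable by the owner only
    mkdir -p "$dest" || return 1

    # Reject missing, empty or non-KDBX input (stale mount, broken sync).
    [ -s "$src" ] || { echo "skip: $src missing or empty" >&2; return 1; }
    magic=$(od -An -tx1 -N8 "$src" | tr -d ' \n')
    [ "$magic" = "$KDBX_MAGIC" ] || { echo "skip: $src not KDBX" >&2; return 1; }

    # Nothing to do when the newest backup is byte-identical to SRC.
    latest=$(ls -1 "$dest"/keepass-*.kdbx 2>/dev/null | sort | tail -n 1 || true)
    if [ -n "$latest" ] && cmp -s "$src" "$latest"; then return 0; fi

    # Pick a unique, sortable name (counter covers runs in the same second).
    ts=$(date +%Y%m%dT%H%M%S); n=0
    while [ -e "$dest/keepass-$ts-$n.kdbx" ]; do n=$((n + 1)); done

    # Copy under a temporary name, verify, then rename, so a dropped
    # connection never leaves a half-written file among the backups.
    tmp="$dest/.partial.$$"
    cp "$src" "$tmp" && cmp -s "$src" "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$dest/keepass-$ts-$n.kdbx"

    # Rotation: remove the oldest copies until only $keep remain.
    count=$(( $(ls -1 "$dest"/keepass-*.kdbx | wc -l) ))
    ls -1 "$dest"/keepass-*.kdbx | sort | while read -r f; do
        [ "$count" -le "$keep" ] && break
        rm -f "$f"; count=$((count - 1))
    done
    return 0
}

# Direct use, e.g. from cron: kdbx-backup.sh SRC DEST_DIR [KEEP]
if [ "$#" -ge 2 ]; then backup_kdbx "$@"; fi
```

The signature check only catches gross damage such as an empty file or a file that is not a KDBX database at all; it does not validate the encrypted contents.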
This is the cost of offline password managers. You can’t do this at a file level, there is no way for a sync protocol to merge changes from two files. I say this having suffered the loss of a couple passwords from this exact scenario.
You either need to exercise diligence in only adding passwords at one place, or run a “real” db-based password manager.
You can’t do this at a file level, there is no way for a sync protocol to merge changes from two files.
I’m sure some mad lad could hack together bash, git, and cron into an unholy mess that would do it
I guess I’ll correct my statement:
It can only be done by decrypting your passwords and comparing them across several locations, thereby mostly canceling any security you were counting on from your password manager.
What you’re describing is not a two-way sync then. You’re expecting this to be an actual database, but it’s just a flat file with XML at its core. Here’s the file format specification.
Best you can do is set frontend options to prevent accidental deletions, and keep lots of backups, or put it on a versioning storage backend.
You may want to switch to a different solution if this is your desired use-case.
Might be time to self host vaultwarden if you need real DB features like that.
I don’t think that’s really possible. Why do you want to do this? What problem are you trying to solve?
Having the same file in both systems without the file being deleted on both if I delete it in one.
That’s what backups solve, for important data like a PW DB you should be running daily backups with versioning. Then if anything gets deleted or corrupted you can restore it easily.
Ok then just use ignoredelete: https://docs.syncthing.net/advanced/folder-ignoredelete.html
Why not use file versioning on either device folder in syncthing to ensure you retain copies of deleted files? The “simple” setting will retain the last 5-10 versions of any file.
I’d also recommend backing up your data outside of the sync service once a day or whatever interval makes sense to you. That way a wayward sync, even with safeguards, can’t really destroy the data.
I tried that with my KeePass database and then I ended up with different conflict versions if a device didn’t sync to my server before I updated on another device. Then I ended up with the conflict versions and old versions I had to manually resolve. The Android Syncthing app could get auto killed by the Android OS for memory/battery saving, so I had to go back to OneDrive style syncing where the KeePass Android app would internally merge and resolve conflicts. It couldn’t do that using the Syncthing style syncing.
Try Syncthing with IgnoreDelete but note that it’s unrecommended. Maybe use Syncthing as an append-only store



