I use KeePass to manage my passwords, but I need to access these passwords from my PC at home, and my PC at work. To keep these databases synchronized, I put a copy on Amazon’s cloud storage service S3. Until recently, I synchronized manually: whenever I add a new password entry on one PC, I upload it to S3 (using Cyberduck), and when I’m on the other PC I download it from S3 (unless I forget).
This week, I discovered there are plugins for KeePass that enable you to open/save/synchronize your passwords with cloud storage systems like Dropbox, Google Drive, or Amazon S3. For my system, I use the KeeCloud plugin. Because I don’t want to give the KeeCloud plugin full access to my Amazon S3 account, I figured out how to create an AWS user with the minimal permissions necessary for accessing only my password database. Here’s a description of the full process. This example uses the bucket name passwords and the password database name passwords.kdbx.
Configure Amazon S3
Skip this step if you already have a bucket where you want to store your password database.
- Log in to the AWS Management Console
- Navigate to S3
- Create a bucket for your password database (e.g. passwords)
Create AWS user
For maximum security, it’s important to create a dedicated AWS user whose access is limited to your password database (and nothing else on AWS).
- Navigate to Identity and Access Management
- Navigate to the Users screen
- Create a new user, give it a name
- Copy the Security Credentials of the user (Access Key ID and Secret Access Key): you will need these later to sign in
- Navigate to the created user, to the Permissions tab
- Open the Inline Policies view, and press Create User Policy
- Select Custom Policy, and press Select
- Give the policy a name, and enter the following Policy Document:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::passwords/passwords.kdbx",
                "arn:aws:s3:::passwords/passwords.kdbx.tmp"
            ]
        }
    ]
}
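The scope of this policy can be checked offline before it is attached. The Python sketch below is an added example, not part of the original post or of KeeCloud: it evaluates only Effect, Action and Resource (no Condition, NotAction or bucket policies), and the broad policy, the probe requests and the bucket name example-other-bucket are constructed for contrast.

```python
import json
import re

# Policy document from the post (bucket "passwords", database "passwords.kdbx").
SCOPED = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
  "Resource": ["arn:aws:s3:::passwords/passwords.kdbx",
               "arn:aws:s3:::passwords/passwords.kdbx.tmp"]}]}""")
# Constructed for contrast: the full S3 access the post avoids granting.
BROAD = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": "s3:*", "Resource": "*"}]}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(pattern, value, flags=0):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags | re.DOTALL) is not None

def is_allowed(policy, action, resource):
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        hit = (any(_match(a, action, re.IGNORECASE) for a in _as_list(st.get("Action", [])))
               and any(_match(r, resource) for r in _as_list(st.get("Resource", []))))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed

def wildcard_grants(policy):
    """Allow entries containing wildcards, i.e. reaching beyond named objects."""
    return [(key, v) for st in _as_list(policy["Statement"]) if st["Effect"] == "Allow"
            for key in ("Action", "Resource") for v in _as_list(st.get(key, []))
            if "*" in v or "?" in v]

# Constructed probe requests; "example-other-bucket" is a placeholder name.
PROBES = [
    ("s3:GetObject", "arn:aws:s3:::passwords/passwords.kdbx"),
    ("s3:PutObject", "arn:aws:s3:::passwords/passwords.kdbx.tmp"),
    ("s3:GetObject", "arn:aws:s3:::passwords/other.kdbx"),
    ("s3:ListBucket", "arn:aws:s3:::passwords"),
    ("s3:GetObject", "arn:aws:s3:::example-other-bucket/passwords.kdbx"),
]

if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED), ("broad", BROAD)):
        print(name, "wildcards:", wildcard_grants(policy))
        for action, resource in PROBES:
            print(f"  {action:14} {resource:55} {is_allowed(policy, action, resource)}")
```

With the post's policy only the first two probes are allowed; listing the bucket or reading any other object falls through to the implicit deny.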
Install and configure KeeCloud
- Download the latest version of KeeCloud from the Downloads page (download the PLGX file)
- Put the PLGX file in the KeePass installation directory:
  - 32-bit Windows: C:\Program Files\KeePass Password Safe 2
  - 64-bit Windows: C:\Program Files (x86)\KeePass Password Safe 2
- Start (or restart) KeePass
- Open the database you want to synchronize
- Navigate to the menu File > Synchronize > Synchronize with URL…
- Enter the following information:
| Field | Value |
|---|---|
| URL | s3://passwords/passwords.kdbx |
| User name | The Access Key ID of your AWS user |
| Password | The Secret Access Key of your AWS user |
Instead of synchronizing a local file with S3, you can also just open the database directly from S3, using the menu File > Open > Open URL…