Synchronize KeePass via Amazon S3

I use KeePass to manage my passwords, but I need to access these passwords from my PC at home, and my PC at work. To keep these databases synchronized, I put a copy on Amazon’s cloud storage service S3. Until recently, I synchronized manually: whenever I added a new password entry on one PC, I uploaded it to S3 (using Cyberduck), and when I was on the other PC I downloaded it from S3 (unless I forgot).

This week, I discovered there are plugins for KeePass that enable you to open/save/synchronize your passwords with cloud storage systems like Dropbox, Google Drive, or Amazon S3. For my system, I use the KeeCloud plugin. Because I don’t want to give the KeeCloud plugin full access to my Amazon S3 account, I figured out how to create an AWS user with the minimal permissions necessary for accessing only my password database. Here’s a description of the full process. This example uses the bucket name passwords and the password database name passwords.kdbx.

Configure Amazon S3

Skip this step if you already have a bucket where you want to store your password database.

  1. Log in to the AWS Management Console
  2. Navigate to S3
  3. Create a bucket for your password database (e.g. passwords)

Create AWS user

For maximum security, create a dedicated AWS user whose access is limited to your password database (and nothing else on AWS).

  1. Navigate to Identity and Access Management
  2. Navigate to the Users screen
  3. Create a new user and give it a name
  4. Copy the Security Credentials of the user (Access Key ID and Secret Access Key): you will need these later to sign in
  5. Navigate to the created user, then to the Permissions tab
  6. Open the Inline Policies view, and press Create User Policy
  7. Select Custom Policy, and press Select
  8. Give the policy a name, and enter the following Policy Document:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:DeleteObject",
            "s3:GetObject",
            "s3:PutObject"
          ],
          "Resource": [
            "arn:aws:s3:::passwords/passwords.kdbx",
            "arn:aws:s3:::passwords/passwords.kdbx.tmp"
          ]
        }
      ]
    }
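
To confirm that the policy above grants only what the synchronization needs, the following added example (not part of the original post, and not KeeCloud or AWS code) evaluates the Policy Document against a list of constructed requests. The evaluator is a simplified sketch: the names `is_allowed`, `audit` and `EXPECTED` are hypothetical, and it ignores `Condition`, `NotAction`, `NotResource` and any bucket policy.

```python
import json
import re

# Policy Document from the page.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
    "Action": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::passwords/passwords.kdbx",
                 "arn:aws:s3:::passwords/passwords.kdbx.tmp"]
  }]
}""")

# Constructed requests: (action, resource, should the KeeCloud user be allowed?)
EXPECTED = [
    ("s3:GetObject",    "arn:aws:s3:::passwords/passwords.kdbx",     True),
    ("s3:PutObject",    "arn:aws:s3:::passwords/passwords.kdbx.tmp", True),
    ("s3:GetObject",    "arn:aws:s3:::passwords/other.kdbx",         False),
    ("s3:ListBucket",   "arn:aws:s3:::passwords",                    False),
    ("s3:GetObject",    "arn:aws:s3:::other-bucket/passwords.kdbx",  False),
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, flags=0):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, flags) is not None

def is_allowed(policy, action, resource):
    """Explicit Deny wins, then Allow, otherwise implicit deny (no Condition support)."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        hit = (any(_matches(a, action, re.I) for a in _as_list(stmt["Action"]))
               and any(_matches(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

def audit(policy, expected=EXPECTED):
    """Return the requests whose outcome differs from what was expected."""
    return [(a, r) for a, r, want in expected if is_allowed(policy, a, r) != want]

if __name__ == "__main__":
    print("page policy mismatches:", audit(POLICY))
    broad = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}  # constructed
    print("wildcard variant mismatches:", audit(broad))
```

An empty list for the page's policy means every constructed request got the expected outcome; the constructed wildcard variant shows what the audit reports when a policy is broader than intended.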

Install and configure KeeCloud

  1. Download the latest version of KeeCloud from the Downloads page (download the PLGX file)
  2. Put the PLGX file in the KeePass installation directory:
    • 32-bit Windows: C:\Program Files\KeePass Password Safe 2
    • 64-bit Windows: C:\Program Files (x86)\KeePass Password Safe 2
  3. Start (or restart) KeePass
  4. Open the database you want to synchronize
  5. Navigate to the menu File > Synchronize > Synchronize with URL…
  6. Enter the following information:
    • URL: s3://passwords/passwords.kdbx
    • User name: The Access Key ID of your AWS user
    • Password: The Secret Access Key of your AWS user

Instead of synchronizing a local file with S3, you can also just open the database directly from S3, using the menu File > Open > Open URL…