#1906 Feature: keepass central management concept

KeePass
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2014-08-26
Created: 2014-07-28
Private: No

Hello everybody,

When you work in a company or in a team, someday it happens that you need a secure and flexible solution for password sharing. While the team is small, it is usually sufficient to have one or more KeePass databases. However, as the team grows, it becomes clear that something more flexible is needed.

There are quite a few known solutions for central password management nowadays; however, these all have one "issue by design": they use a centralized database encrypted by a single master key, so:
- if the server is hacked, then all of the passwords are in the hacker's hands
- if the server is unreachable, then nobody has access to any of the passwords

I would like to share a concept aimed at filling this gap, and hopefully this or something similar will be implemented in KeePass someday.

The main idea is not to have a central database with a single "master key", but to have user databases encrypted by their own keys that contain only the passwords they need to access. The central storage is only used for sharing passwords. Passwords are encrypted by the "issuer key", i.e. by the key of the person who added or changed a password most recently.

Please have a look at the attached image.

Best regards,
Stanislav

1 Attachments
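The concept above describes an architecture rather than a protocol, and the attached image is not reproduced here, so the following is an added sketch (not part of the original request, and not KeePass project code) of one way the idea could work end to end. It assumes details the post does not fix: each user holds an X25519 key pair for receiving shared entries and an Ed25519 key pair for signing entries they issue; a public-key directory (which could live on the central server, since it contains no secrets); a group is simply the list of recipients of a package; and the shared entry is encrypted with a random content key that is wrapped for each recipient using a static-static ECDH secret hashed with SHA-256 (a real design would use HKDF and ephemeral keys). Go is used only because its standard library has all the primitives; the same flow could be written as a KeePass plug-in in C#.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// User: private keys and the local database never leave the user's machine.
type User struct {
	Name   string
	encKey *ecdh.PrivateKey   // X25519, receives shared entries
	sigKey ed25519.PrivateKey // signs entries this user issues
	Vault  map[string]string  // local database: title -> password
}

// Directory holds public keys only; it may be served by the central store.
type Directory struct {
	Enc map[string]*ecdh.PublicKey
	Sig map[string]ed25519.PublicKey
}

// Package is all the central store ever holds: no plaintext, no master key.
type Package struct {
	Issuer  string
	Title   string
	Nonce   []byte
	Body    []byte            // AES-GCM(contentKey, password), AAD = Title
	Wrapped map[string][]byte // recipient -> nonce || AES-GCM(wrapKey, contentKey)
	Sig     []byte            // Ed25519 signature by the issuer over the fields above
}

func NewDirectory() *Directory {
	return &Directory{Enc: map[string]*ecdh.PublicKey{}, Sig: map[string]ed25519.PublicKey{}}
}

func NewUser(name string, dir *Directory) (*User, error) {
	ek, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	spub, spriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	dir.Enc[name], dir.Sig[name] = ek.PublicKey(), spub
	return &User{Name: name, encKey: ek, sigKey: spriv, Vault: map[string]string{}}, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// wrapKey: static-static X25519 secret, bound to the issuer/recipient pair.
// Simplified KDF for the demo (assumption); production code would use HKDF.
func wrapKey(priv *ecdh.PrivateKey, pub *ecdh.PublicKey, issuer, recipient string) ([]byte, error) {
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write(shared)
	h.Write([]byte("demo-share/" + issuer + "/" + recipient))
	return h.Sum(nil), nil
}

// signable is the canonical byte form the issuer signs; encoding/json sorts
// map keys, so the encoding is deterministic on both sides.
func signable(p *Package) []byte {
	c := *p
	c.Sig = nil
	b, _ := json.Marshal(c)
	return b
}

// Share encrypts one entry for a set of recipients and signs it as issuer.
func (u *User) Share(dir *Directory, title, password string, recipients []string) (*Package, error) {
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	g, err := gcm(contentKey)
	if err != nil {
		return nil, err
	}
	p := &Package{Issuer: u.Name, Title: title, Nonce: make([]byte, g.NonceSize()), Wrapped: map[string][]byte{}}
	rand.Read(p.Nonce)
	p.Body = g.Seal(nil, p.Nonce, []byte(password), []byte(title))
	for _, r := range recipients {
		pub, ok := dir.Enc[r]
		if !ok {
			return nil, fmt.Errorf("unknown recipient %q", r)
		}
		wk, err := wrapKey(u.encKey, pub, u.Name, r)
		if err != nil {
			return nil, err
		}
		wg, _ := gcm(wk)
		n := make([]byte, wg.NonceSize())
		rand.Read(n)
		p.Wrapped[r] = wg.Seal(n, n, contentKey, nil) // nonce || ciphertext
	}
	p.Sig = ed25519.Sign(u.sigKey, signable(p))
	u.Vault[title] = password // the issuer's own local database keeps it too
	return p, nil
}

// Import verifies the issuer, unwraps the content key and stores the entry locally.
func (u *User) Import(dir *Directory, p *Package) error {
	sigPub, ok := dir.Sig[p.Issuer]
	if !ok || !ed25519.Verify(sigPub, signable(p), p.Sig) {
		return errors.New("issuer signature invalid: entry rejected")
	}
	wrapped, ok := p.Wrapped[u.Name]
	if !ok {
		return fmt.Errorf("%s is not a recipient of %q", u.Name, p.Title)
	}
	wk, err := wrapKey(u.encKey, dir.Enc[p.Issuer], p.Issuer, u.Name)
	if err != nil {
		return err
	}
	wg, _ := gcm(wk)
	ns := wg.NonceSize()
	contentKey, err := wg.Open(nil, wrapped[:ns], wrapped[ns:], nil)
	if err != nil {
		return errors.New("cannot unwrap content key")
	}
	g, _ := gcm(contentKey)
	pw, err := g.Open(nil, p.Nonce, p.Body, []byte(p.Title))
	if err != nil {
		return err
	}
	u.Vault[p.Title] = string(pw)
	return nil
}

func main() {
	dir := NewDirectory()
	alice, _ := NewUser("alice", dir)
	bob, _ := NewUser("bob", dir)
	carol, _ := NewUser("carol", dir)
	pkg, _ := alice.Share(dir, "prod-db", "hunter2", []string{"bob"}) // constructed sample entry
	stored, _ := json.Marshal(pkg)                                   // what the central store sees
	fmt.Println("plaintext visible to server:", bytes.Contains(stored, []byte("hunter2")))
	fmt.Println("bob import:", bob.Import(dir, pkg), bob.Vault)
	fmt.Println("carol import:", carol.Import(dir, pkg))
}
```

The two properties the post wants fall out of the structure: a compromised or offline server only ever held `Package` values, which contain no plaintext and no key that opens more than one entry, and every user keeps a decrypted copy in their own local vault, so losing the server loses nothing already imported. Group membership is enforced by whose key the content key was wrapped for, not by a server-side access check, which is why Carol cannot read an entry shared only with Bob even if she obtains the package.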

Discussion

  • Paul
    2014-07-28

    I think Pleasant Password Server already does that.

    cheers, Paul

     
    • Hi Paul,

      I have checked the description and found that it uses just the same approach as many others:

      Safe and Secure
      All passwords and secrets are stored centrally: nothing is stored on a user’s computer.
      ...

      Cheers,
      Stanislav

       
  • Paul
    2014-07-30

    KeePass is not a multi-user database, but it can open multiple databases at the same time. A user could have a personal database locally and also a common database on a network open at the same time. See these pages: Automatically open multiple databases with KeeAutoExec, Manage auto opening databases with triggers

    cheers, Paul

     
    • Please read through the concept again. The idea is to avoid a central database completely while sharing passwords at the same time.

      Not all of the passwords should be shared with everybody. This should depend on the group a user is included in.

       
  • Paul
    2014-07-30

    This is not something KeePass can or will do.

    cheers, Paul

     
    • Paul,

      It is clear that KeePass cannot do it now; that is why this is a feature request. However, it is not clear why it will not. It does not seem difficult to implement and could improve usability for big teams dramatically, in my opinion.

      Cheers,
      Stanislav

       
  • Paul
    2014-07-30

    What you propose requires some form of centralized management - to determine group access and control - and that is not a feature, it's a whole new project. Either multiple databases or a centralized server can provide all the features you suggest without any additional effort from the KeePass developer. On the other hand, if you are prepared to throw pots of money at the KeePass developer, maybe he will write it for you. ;-)

    cheers, Paul

     
    • I have requested custom development from the main developer; however, he rejected it because of a lack of time and suggested posting a feature request. That's why I'm here.

       
  • Paul
    2014-07-30

    I still see this as a new product, not a feature addition, mainly because your model encrypts individual entries and the KeePass model is to only encrypt the database.

    cheers, Paul

     
    • Individual entries should be encrypted only for sharing/transporting and then they are imported to the single database.

       
  • Paul
    2014-07-30

    That's still a new encryption and storage arrangement beyond the KeePass database model. I'm sure you could implement this as a plug-in, which is why KeePass has been made extensible.

    cheers, Paul

     
    • Right, I suppose it could be done by a new plugin; however, I'm not a programmer and need somebody to do this job.

      Cheers,
      Stanislav

       
  • Paul
    2014-07-30

    Therein lies the problem. Plug-ins are created by programmers who feel the need for additional capabilities. Mere mortals have to make do with the existing. Maybe you have a C# programmer in the company looking for a challenge?

    cheers, Paul