24 August 2024

KeePass and KeePassXC TOTP (and why I picked Aegis as my TOTP App)

Topics: Security
Tags: aegis, keepass, otp
KeePass and its cross-platform sibling KeePassXC support integrated TOTP generation, but migrating away from a commercial platform like Duo requires resetting your TOTP on each site.

One of the neat things about both KeePass variants is that they can manage OTP keys. To try it out I wanted to import some existing keys, but most of the commercial vaults don't allow you to export or even see your OTP secrets. Neither KeePass version natively supports QR scanning, so you have to cut and paste the secret strings. This prompted me to look at some alternatives, and the one I like is Aegis.

Aegis is FOSS software and it allows import and export of keys from other applications. Unfortunately, while it can read many other vault programs' data, you have to root your phone first to try that. Google Authenticator does have the ability to export your data as QR codes, which Aegis can read. If you've used authenticator apps before, Aegis is straightforward. It supports several methods of backup, including the Android backup system that lets you restore apps when you get a new device, and it encrypts your backups with your password.

Aegis is a great tool for migrating. It can read Google Authenticator's QR code exports, and when you're forced to re-register your accounts from other proprietary apps it will read those QR codes too. It can generate QR codes to import into other authenticator apps, you can view (and copy) your secrets by editing the entry, and it will allow you to make an unencrypted export of your database that you can access by mounting your phone on your PC. Don't forget to delete that file when done.
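To make concrete what the "secret string" you paste into KeePass (or copy out of an Aegis entry) actually is, here is an added example, not code from the post or from the KeePass or Aegis projects. It parses a standard otpauth://totp/ URI of the kind authenticator apps exchange via QR code, and then derives the six- or eight-digit code from the base32 secret exactly as RFC 6238 specifies (HMAC of the 30-second time step, dynamic truncation). The URI and account name are constructed for illustration; the 20-byte key "12345678901234567890" and the expected codes are the RFC 6238 SHA-1 test vectors. The point for vault design: anyone holding that one string can generate valid codes indefinitely, which is why the post treats a stolen-and-cracked vault that also holds TOTP secrets as game over.

```python
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Parse an otpauth://totp/ URI into the fields an authenticator stores.

    Defaults follow the common convention: SHA1, 6 digits, 30-second period.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret parameter")
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": params["secret"].replace(" ", "").upper(),
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def totp(secret_b32, at=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HMAC(key, time_step) -> dynamic truncation -> N digits."""
    # Authenticator apps often omit base32 padding; restore it before decoding.
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    now = time.time() if at is None else at
    counter = int(now // period)
    digest = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def code_from_uri(uri, at=None):
    """Everything an app does after scanning a QR: parse, then compute the code."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at, p["digits"], p["period"], p["algorithm"])


# Constructed sample URI; the secret is base32 of the RFC 6238 SHA-1 test key.
SAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8"
)

if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_URI)
    print(entry["label"], entry["issuer"], entry["algorithm"], entry["digits"])
    # RFC 6238 vectors (8 digits, SHA-1): T=59 -> 94287082, T=1111111109 -> 07081804
    for t in (59, 1111111109, 1234567890):
        print(t, code_from_uri(SAMPLE_URI, at=t))
    print("current code:", code_from_uri(SAMPLE_URI))
```

Running it prints the RFC test codes for the fixed timestamps and then a live code; pasting the same secret string into a KeePass TOTP field or an Aegis entry yields the same live code, because the secret is the only input besides the clock.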

There are several KeePass-compatible Android clients. I only looked at the most popular one, Keepass2Android, which can store the TOTP field and read a QR code into it, but did not generate codes for me.

Adding TOTP to an Entry in KeePass2

Edit the entry you want to add TOTP to.

[Screenshot: KeePass2 Add TOTP]

[Screenshot: KeePass2 Get TOTP]


TOTP in KeePassXC

From the list of entries it is easy to access the TOTP functions.

[Screenshot: KeePass2 Get TOTP]


When I create a TOTP entry and need a place to save the recovery codes, the most convenient place (not the best place, but better than a manila folder on my desk) is the notes field of my password manager. By default both KeePass programs will show the notes.

In KeePass2, from the View menu choose Configure Columns and then uncheck the Notes field so it is no longer shown in the entry display.

In KeePassXC click the Settings icon, then the security settings (shield), and check "Hide entry notes by default".

Getting your TOTP codes and your passwords reunited is a win for convenience, but if your vault is stolen and cracked, game over: the attacker has both factors. If you're using your vault correctly, you have a different random password for each site, which already limits the damage from a password breach at one site to that site.

There are several TOTP plugins for KeePass2; they refine the existing features rather than adding significant new ones.

If your passwords aren't on your phone, or at least only a subset of them are, then using a separate app that lives on your phone provides an additional layer of security: both your computer and your phone would need to be compromised to get at your TOTP-protected logins (provided you keep your recovery codes somewhere else). If you do decide that you want to unite TOTP in one application, both KeePass implementations support having multiple files open at the same time, and splitting the logins and the TOTP secrets into different databases requires a hacker to steal and crack both files.

At least for now, I'm still syncing only a subset of my passwords to my phone (using non-FOSS Bitwarden, but they manage sync between devices), and switching to Aegis for TOTP.