KeePass DB and TOTP backup strategy

I’m finally getting around to properly backing up my KeePass DB, and I’ve been trying to determine how best to store everything.

My current plan is:

  1. Regularly upload my normal DB (DB1 from now on) to one or more cloud providers (possibly encrypted through Cryptomator or Rclone for some obfuscation).
  2. Regularly upload my encrypted TOTP seed backups in the same way (potentially different cloud providers?).
  3. Create a separate KeePass DB (DB2 from now on) with just the passwords and potentially TOTP seeds (depends on whether the cloud uses app passwords) necessary to access the cloud storage providers and Rclone/Cryptomator vaults. I’d probably also store the keyfile for DB1 in DB2.
  4. Burn a couple CDs or something with DB2 and store them in my home and at a relative’s home.

Does this sound viable? I’m trying to avoid storing DB1 on the “oh shit everything is on fire and I lost every single one of my devices” local backups since storing a copy at a relative’s place is gonna be a hassle. I’m also debating using a hardware key for DB2, but I’m kind of worried I might lose it or something, and if I just store a backup key at my relative’s place it’s pretty much pointless.

All of this is a lot more complicated than it needs to be. Not to mention, tiring to keep up with. First, in 2025, local backups are really not needed unless your threat model absolutely warrants it. There are cloud storage options that are highly private and secure where you don’t need to worry about backups but only safeguarding credentials to access it all. I personally recommend you use them.

But if you must have a DIY system in place - you can follow the 3-2-1 backup rule as usual with your data.

If this is a real possibility or more likely than not for you, then I would choose multiple cloud storage options to safeguard your files. KeePass DB is already encrypted so you don’t need to encrypt it again but if you still want overkill, using Cryptomator with any cloud storage should do the job.

With any option, there are always pros and cons. You can’t have a 100% perfect solution for your needs all the time. So, I just hope you’re not searching for perfection with your solution.

Seems like you know what to do and the consequences and difficulties with each option. Like I said, unnecessarily complicated.

Using a password manager and storing your TOTP codes within it or in Ente Auth is a perfectly viable solution that provides the same (if not better) privacy and security that you may be going for.

There comes a point where the accounts you’re trying to secure may have less security than the security you’re trying to maintain for said accounts’ credentials. Analogous to how there’s a limit to how fast an internet connection really makes a difference, because at a point your WiFi chip and DNS resolver will be the limiter. There’s no end to security.

> All of this is a lot more complicated than it needs to be. Not to mention, tiring to keep up with. First, in 2025, local backups are really not needed unless your threat model absolutely warrants it. There are cloud storage options that are highly private and secure where you don’t need to worry about backups but only safeguarding credentials to access it all. I personally recommend you use them.

Uh, the entire purpose of splitting the databases was so that I’d only have to do it once and then just periodically verify the discs aren’t bit rotted.

Also, if you have no local backups, and there’s a fire (or earthquake, or tsunami, or tornado, etc.) that takes out your devices, if you used a password manager for your accounts, you are potentially completely screwed.

> If this is a real possibility or more likely than not for you, then I would choose multiple cloud storage options to safeguard your files. KeePass DB is already encrypted so you don’t need to encrypt it again but if you still want overkill, using Cryptomator with any cloud storage should do the job.

How would I log in to the cloud services if I lost all my devices? KeePass is a local password manager, so losing all my devices basically means I have lost my password manager. Obviously this is a worst-case scenario, but all my devices other than my phone are effectively in one place. Even without the natural disaster example, if someone breaks into my home and steals all the obviously expensive devices, without a backup, I’d be locked out of everything.

> Using a password manager and storing your TOTP codes within it or in Ente Auth is a perfectly viable solution that provides the same (if not better) privacy and security that you may be going for.

Again, how would I log in to Ente Auth if everything is ash or molten slag? I actually currently use Ente Auth (although I’m considering swapping entirely to Aegis). It doesn’t really solve the fundamental issue here, since Ente Auth is configured with 2FA as well through Aegis (given that I use their photo service and it’s the same account).

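The plan in the original post puts DB2 and the DB1 key file on optical media for years, with the OP intending to “periodically verify the discs aren’t bit rotted”. The script below is an added example written for this thread; it is not code from the thread, from KeePass, or from rclone/Cryptomator. It writes a SHA-256 manifest next to the backup, re-verifies the copy later (so a degraded disc or a truncated cloud upload shows up as `modified` or `missing`), and checks that a `.kdbx` file still begins with the KDBX file signature. The file names (`DB2.kdbx`, `DB1.keyx`, `MANIFEST.json`) and the sample file contents are constructed for the demo; the 8-byte signature constant is the real KDBX one. The demo deliberately flips a byte past the header to show that a signature check alone is not enough: the header still looks fine while the hash fails.

```python
"""Integrity checks for an offline or cloud copy of a KeePass backup.

Added example for the thread above (not from KeePass, rclone or Cryptomator):
build a SHA-256 manifest of a backup directory, verify it later, and check the
KDBX signature before trusting a .kdbx file.
"""
import hashlib
import json
import os
import tempfile

# First 8 bytes of every KDBX file: signature 1 (0x9AA2D903) and
# signature 2 (0xB54BFB67), both stored little-endian.
KDBX_MAGIC = bytes.fromhex("03d9a29a67fb4bb5")
MANIFEST_NAME = "MANIFEST.json"  # constructed file name for this demo


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backups do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if rel == MANIFEST_NAME:
                continue  # the manifest does not hash itself
            manifest[rel] = sha256_file(full)
    return manifest


def write_manifest(root):
    """Create the manifest once, right after the backup is written or burned."""
    manifest = build_manifest(root)
    with open(os.path.join(root, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_manifest(root):
    """Return problems as {relpath: 'missing' | 'modified' | 'untracked'}; {} means clean."""
    with open(os.path.join(root, MANIFEST_NAME)) as f:
        expected = json.load(f)
    actual = build_manifest(root)
    problems = {}
    for rel, digest in expected.items():
        if rel not in actual:
            problems[rel] = "missing"
        elif actual[rel] != digest:
            problems[rel] = "modified"
    for rel in actual:
        if rel not in expected:
            problems[rel] = "untracked"
    return problems


def looks_like_kdbx(path):
    """True if the file starts with the KDBX signature bytes (a cheap header check only)."""
    with open(path, "rb") as f:
        return f.read(8) == KDBX_MAGIC


def demo():
    """Constructed sample backup (fake DB2 + key file), then a simulated bit flip."""
    root = tempfile.mkdtemp(prefix="db2-backup-")
    db_path = os.path.join(root, "DB2.kdbx")
    with open(db_path, "wb") as f:
        # Stand-in for DB2: real signature followed by dummy bytes, not a real database.
        f.write(KDBX_MAGIC + b"\x00" * 64)
    with open(os.path.join(root, "DB1.keyx"), "wb") as f:
        f.write(b"<KeyFile/>")  # placeholder content for the DB1 key file
    write_manifest(root)
    clean = verify_manifest(root)
    # Flip one byte well past the header, as a degraded disc might.
    with open(db_path, "r+b") as f:
        f.seek(20)
        f.write(b"\xff")
    rotted = verify_manifest(root)
    return clean, rotted, looks_like_kdbx(db_path)


if __name__ == "__main__":
    clean, rotted, sig_ok = demo()
    print("before bit flip:", clean)
    print("after bit flip:", rotted)
    print("KDBX signature still intact:", sig_ok)
```

For the copy at the relative’s place, run `write_manifest` on the directory before burning it and keep a second copy of `MANIFEST.json` somewhere else (the cloud copy, or an entry in DB1), so a corrupted disc cannot validate itself; `verify_manifest` is then the periodic check, and `looks_like_kdbx` is only a quick sanity test before opening a file in KeePass.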

I don’t understand how. :confused: It’s a password manager so your data is stored in the cloud, private, secure, and encrypted. What do you mean here?

You would need to remember the credentials to get into your password manager, as you would for your KeePass database. That’s the whole point of password managers, you only have to remember one password to get to all others.

Yes. That’s how that works. Hence my recommendation to use cloud based like Proton Pass.

What are you talking about?

Let’s say you lose everything but you have your credentials stored in your cloud based password manager and Ente Auth. Would you then not know how to get them back?

Obviously, the answer is to get another/new device for yourself so you may log into your password manager and Ente Auth account to get into all other accounts. I don’t know if you’re having difficulty following why this is probably ideal in your case with such concerns.

You don’t need to enable 2FA on your 2FA app. Just a very strong and secure password you can remember. You’ll have to memorize it. Some effort here will always be needed. In this case, all you need to remember is two credentials. One to get into your 2FA account, and the other to get into your password manager.

Sorry, I am not following where you’re having the difficulty to understand the OPSEC here.

If they have the password for the cloud provider stored in the password manager, then they would - in order to retrieve their passwords - need to remember a) their master password and b) the password to their cloud provider (and perhaps c) the TOTP seed for said provider).

It is certainly possible, but that setup requires either remembering 2 passwords instead of one and using a hardware key for TOTP, or refraining from TOTP for their cloud (which I would advise against).

Most people are well advised to just follow 3-2-1.

Regarding OP’s setup: It does sound sensible, however I’m not sure why you would not want to just back up your complete DB then and only your “master DB”?

Furthermore, a hard disk is probably a good solution for storage, but depending on your threat model, you might want to reconsider whether you believe you will have access to a DVD drive then and how quickly you have access. With a USB stick or SD card there is usually faster and “easier” access, as most machines have at least a USB-A/C port and SD adapters are ubiquitous. It comes down to data integrity vs. ease of access.

(comment not necessarily directed at you but relates to what you’re saying so I’m replying to you)

I think people are forgetting that there will always be an effort needed to remember a couple of credentials at the very least to get into your password manager - no matter which one you use and how you store your data.

Why does this not feel obvious? It’s literally a prerequisite for wanting to properly have your OPSEC for your credential management.

> Regarding OP’s setup: It does sound sensible, however I’m not sure why you would not want to just back up your complete DB then and only your “master DB”?

I’d basically back up my actual DB with all my passwords to the cloud (in addition to all the various devices it’s currently on), but just the one with the passwords to access the cloud for the local disc backup. This is solely because I don’t want to constantly update the backup at my relative’s home. I’d probably have a local backup on my HDD of my complete DB too, but that’s connected to my desktop, so it wouldn’t really help in the case of a natural disaster or theft. I could just dump my complete DB at the current moment to the disc backup, but it’d rapidly become outdated (I have many accounts, and I create new ones or update passwords fairly often).

> Furthermore, a hard disk is probably a good solution for storage, but depending on your threat model, you might want to reconsider whether you believe you will have access to a DVD drive then and how quickly you have access. With a USB stick or SD card there is usually faster and “easier” access, as most machines have at least a USB-A/C port and SD adapters are ubiquitous. It comes down to data integrity vs. ease of access.

My main concern with USB sticks/SD cards is data integrity over the long-term. Of course, maybe I could just replace them frequently to solve that issue. The other concern I guess is how easy it is to misplace them, but that may be resolved if I shove them in a box clearly labeled “backups” or something like that. I think, at least in the case of the backup at my relative’s home, something other than a HDD makes more sense given that I would be backing up an extremely small amount of data.

> I don’t understand how. :confused: It’s a password manager so your data is stored in the cloud, private, secure, and encrypted. What do you mean here?

KeePass is entirely local. You cannot just log in online. Thus, I’d need to first log in to the cloud provider, which would require my password stored in KeePass. Unless you’re suggesting to make an account with a provider that I solely use for KeePass and then just use another password I need to remember + potentially no 2FA?

> Yes. That’s how that works. Hence my recommendation to use cloud based like Proton Pass.

Okay, well, I’m not planning to swap to Proton Pass. I’ve used a number of cloud-based password providers. This argument is basically just to give up because backing up requires thought…

> What are you talking about?

> Let’s say you lose everything but you have your credentials stored in your cloud based password manager and Ente Auth. Would you then not know how to get them back?

> Obviously, the answer is to get another/new device for yourself so you may log into your password manager and Ente Auth account to get into all other accounts. I don’t know if you’re having difficulty following why this is probably ideal in your case with such concerns.

I guess your entire suggestion is just don’t use KeePass. TBQH, that’s really not helpful at all.

> You don’t need to enable 2FA on your 2FA app. Just a very strong and secure password you can remember. You’ll have to memorize it. Some effort here will always be needed. In this case, all you need to remember is two credentials. One to get into your 2FA account, and the other to get into your password manager.

Unless I am mistaken, the Ente Auth security setup is the same as Ente Photos. I use both, so the suggestion here is to abandon 2FA on my photos. At the very least, I recall it requiring that I enter my 2FA code or passkey at one point, although maybe that’s not an issue anymore. It’s also yet another password to remember, which would also be weaker than it could otherwise be for protecting my photos.

Ahh, I overlooked that you store at a relative’s. Yeah, I should probably do that too. Though saving a full DB image might not be a bad idea, even if you frequently change passwords. This is because you might not change every password, and sometimes password restore is possible with an old password. It would probably be enough to update this DB then once a year.

Writing this brought up another solution: if it is possible for you to set up, you could set up a WireGuard tunnel to your relative’s house and have them set up a network share. This way you could conveniently keep your full password DB up to date. Depends on their tech abilities though. I got the idea from reading advice on NAS backup: get a buddy and each set up a NAS at the other’s place and back up to it via VPN for redundancy (3-2-1).
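As an added illustration of the tunnel-to-a-relative idea (example configuration written for this thread, not from the poster or from the WireGuard project): two WireGuard configs, one for a small box next to the network share at the relative’s house and one for the OP’s machine. Every key, address, port and host name below is a placeholder. The point worth noting is `AllowedIPs`: each side is limited to the other’s single tunnel address, so the OP’s machine can reach only the share host, not the relative’s whole LAN, and the share host accepts only the OP’s tunnel address.

```ini
# Relative's side: host next to the network share, listens for the tunnel.
# Placeholder keys; generate real ones with: wg genkey | tee private.key | wg pubkey > public.key
[Interface]
PrivateKey = <RELATIVE_PRIVATE_KEY>
Address = 10.99.0.1/24
ListenPort = 51820

[Peer]
# The OP's machine. Only its tunnel address is allowed through.
PublicKey = <OP_PUBLIC_KEY>
AllowedIPs = 10.99.0.2/32

# OP's side: initiates the connection and keeps it alive through NAT.
[Interface]
PrivateKey = <OP_PRIVATE_KEY>
Address = 10.99.0.2/24

[Peer]
PublicKey = <RELATIVE_PUBLIC_KEY>
# Route only the share host through the tunnel, not the relative's LAN.
AllowedIPs = 10.99.0.1/32
# Placeholder: the relative's public address or a dynamic-DNS name; UDP 51820 must be forwarded.
Endpoint = relative-home.example.net:51820
PersistentKeepalive = 25
```

With the tunnel up, the share is mounted or synced to at `10.99.0.1` like any other host, and the scheduled copy of the full DB goes there. The tunnel only protects the path; the share should still require its own credentials, and the DB file stays encrypted at rest exactly as it would on a disc, so the relative’s box never holds anything readable without the master password and key file.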

> Ahh, I overlooked that you store at a relative’s. Yeah, I should probably do that too. Though saving a full DB image might not be a bad idea, even if you frequently change passwords. This is because you might not change every password, and sometimes password restore is possible with an old password. It would probably be enough to update this DB then once a year.

Hm, yeah, might be worth it. I’ll have to think about it for a bit. Might be helpful if I forgot to update the cloud storage password on the backup after changing it or something for instance since I won’t lose everything that way.

> Writing this brought up another solution: if it is possible for you to set up, you could set up a WireGuard tunnel to your relative’s house and have them set up a network share. This way you could conveniently keep your full password DB up to date. Depends on their tech abilities though. I got the idea from reading advice on NAS backup: get a buddy and each set up a NAS at the other’s place and back up to it via VPN for redundancy (3-2-1).

I’d like something like this, but realistically it won’t work for me. My relatives are not very technically competent, and I doubt they’d want me to set something up like this in their home. Most of my friends are also of questionable technical competence too tbh haha…