KeeShare: Secure Password Sharing | NSC #78

keeshare synchronize test

Secure Password Sharing

We talk about storing passwords a lot, but what about sharing passwords? If your child asks you for your Netflix password, how do you get it to them? What about shared work accounts? In this article, we will offer a secure alternative to texting your passwords: KeeShare.

Password Sharing Options

There are a great many options for password sharing, but not many that are great. Whether it be for family or for work, it’s impossible to get around sharing a password at some point. Here are a few options for sharing passwords.

  • Email (if email is not end to end encrypted, password can be taken by provider)
  • Secure messenger (impossible to track)
  • Shared host based password manager (needs to be manually tracked for changes and updated frequently)
  • Cloud based password manager (most offer some sort of password sharing, but you are putting faith in the provider)
  • Self hosted cloud based password manager (good luck finding a decent one that is free)


Today we introduce another another option: KeeShare. KeeShare is a password synchronization tool that can be used to synchronize passwords between multiple instances of KeePassXC. As of KeePassXC version 2.4.0, it is fully integrated out of the box.

KeeShare Settings

To turn on KeeShare, go to tools->settings->keeshare and allow import and export. Generate a certificate to sign your export files by clicking the generate button. If you do not generate a certificate, you can still use KeeShare, there will just be no way to verify that you are importing a legit file. Click okay to save and close the settings. If you are setting this up to sync with another database, be sure to repeat these steps on all databases involved.

Shared Folder Setup

KeeShare works on a per group basis, so you can setup multiple shares on one database and share them with different people. You can access a group’s KeeShare options by editing the group and going to the KeeShare tab. If you want both sides to be able to communicate back and forth choose the synchronize option. If you are looking for a more one way option, choose export for the master database and import for the receiving database.

The path needs to correspond with where the share file is going to be stored. In our case, we shared it with our Virtualbox instance using shared folders. This will work very similarly with cloud storage, a share drive or a Windows shared folder. A self hosted Nextcloud instance would allow perfect synchronization between multiple devices and allow you to maintain absolute control over the security of your data.

The password is your shared secret between you and your other endpoints and encrypts the share file. You need to somehow deliver this password to each KeePassXC instance one time to allow secure synchronization. If you have physical access to the endpoints, it is recommended to just type it in manually. If you don’t have physical access, use a secure means such as Signal or Protonmail with self destructing messages to deliver the password.

Certificate Trusting

After configuring your KeeShare setup, close or lock your database and reopen it. You should get a certificate warning asking you to trust the certificate from the other machine. Also displayed is the SHA256 fingerprint that we generated earlier. Go ahead and verify those by sending them through a different secure means than you used for your password. After verified, click always to prevent this warning from showing up everytime.


After all that is done, you should be able to enjoy syncing between your endpoints. The one weird thing we noticed while testing is there isn’t really a way to refresh the synced folder other than closing or locking your database. If you make a change on one side and it doesn’t update, don’t freak out. Just lock your database, unlock it and all of the updated entries should be there.

Thanks to KeePassXC’s built in entry history, if someone updates something on their side and it overwrites something important, you can open up the entry history and restore back to what you had before. This is considering someone doesn’t erase the history. Do not rely on this as a means of backups if you are using the synchronization option. Always make an offline backup!

Mobile Syncing

The lack of a mobile KeePassXC app makes it impossible to sync to your phone as simple as shown above, but there still is a way. When choosing where to save your share file, you can choose to save as an unsigned container. This basically takes out the certificate we generated at the beginning and creates a regular KeePassXC database. When importing into a KeePassXC instance, you will get a warning saying you cannot verify the file, but this should allow you to open it up on your phone just like normal. All that’s left to do is to host the file on your Nextcloud instance and download the app. Everytime you make a change on your computer, it will reflect on your phone and the same should apply the other way.

Final Thoughts on KeeShare

This new feature is amazing. It solves a lot of password sharing problems off the bat. This eliminates reliance on cloud hosted password managers and limits your excuses on why you have bad passwords. Once setup, your entire family can share passwords too complicated to say out loud. While we advise against using iCloud or Google Drive for obvious reasons, if your family does share one, you could save your share file there instead of self hosting. The share file is encrypted with your shared secret, so as long as you didn’t make it simple, you should have nothing to worry about.

Questions, Comments, Concerns?

Don’t know where to start? Leave us a comment below if you’re confused or just want to chat!

Recommended Articles

If you liked this article, here’s a few more you might enjoy:

Reader Deals

Enjoy 5% off any OnlyKey purchase: https://onlykey.io/tpidg

Enjoy 25% off any PIA subscription: https://www.privateinternetaccess.com/pages/tpidg


Leave a Reply

Your email address will not be published. Required fields are marked *