Store SSH Keys in Your KeePass Database

Strongbox can now act as an SSH Agent on macOS.

This means you can store your SSH keys securely within Strongbox and have them available on all of your devices. There is no need to distribute these sensitive items across various machines in various locations. You can also generate new SSH keys from within Strongbox.

NB: SSH Agent is a Pro feature available for KeePass 2.x databases on macOS only.

What is an SSH Agent?

An SSH Agent is a process that holds and manages sensitive private keys and signs authentication challenges on behalf of other processes which need to connect to servers, for example GitHub, an SFTP server or any other server you may need to use.

SSH Agent Operation

When an SSH client like git or ssh runs on your machine it needs to authenticate to the remote server. This is usually done via SSH public key authentication. The private key is held inside the SSH agent; the client hands the agent the session data the server challenges it with and asks the agent to sign it. The resulting signature proves to the remote server that you control the private key without the key itself ever being exposed.

Note that the private key never leaves the SSH Agent and neither the remote server nor the requesting process (e.g. ssh or git) has access to the private key.

The Default SSH Agent

Most modern operating systems like Linux or macOS come with a default or built-in SSH Agent. This agent loads private keys from files on your disk (typically under ~/.ssh, added with ssh-add). This means you end up copying private key files around different devices, which quickly becomes unwieldy and hard to manage.

Strongbox as a Replacement SSH Agent

Strongbox can replace this default SSH Agent implementation using keys stored inside your Strongbox database. It can sign authentication requests on behalf of SSH client processes like git or ssh.

Strongbox Is More Secure

The default macOS SSH Agent allows any process running as your user that can reach the agent socket to request a signature with any key that has been added to the agent (the stock agent can ask for per-use confirmation if a key is added with ssh-add -c, but that relies on an ssh-askpass helper that macOS does not ship). Strongbox instead asks you to approve each access upfront, which puts you in the driver’s seat.

When you approve a request to use a key, Strongbox will sign the authentication request using the correct key, allowing the requesting SSH client to connect to the remote server. The private key never leaves Strongbox.
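The exchange described under “SSH Agent Operation”, and what a denied request looks like on the wire, as an added example that is not Strongbox’s code: a minimal client for the SSH agent protocol in Python. The client asks the agent which public keys it holds and sends the data to be signed; only a signature (or a refusal) comes back. The socket path is taken from SSH_AUTH_SOCK, which is an assumption about how your agent, stock or replacement, is exposed.

```python
"""Minimal SSH agent protocol client (wire format from draft-miller-ssh-agent).

Example code added for this page; not Strongbox's implementation. The agent
socket path is assumed to be in SSH_AUTH_SOCK.
"""
import os
import socket
import struct

# Message type numbers from the SSH agent protocol.
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, pos: int):
    """Decode an SSH 'string' at buf[pos:], returning (payload, next position)."""
    (length,) = struct.unpack_from(">I", buf, pos)
    pos += 4
    if pos + length > len(buf):
        raise ValueError("truncated agent message")
    return buf[pos:pos + length], pos + length


def frame(payload: bytes) -> bytes:
    """Every agent message on the wire is length-prefixed like an SSH string."""
    return ssh_string(payload)


def build_request_identities() -> bytes:
    """Ask the agent which public keys it holds. No request exists for private keys."""
    return frame(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))


def build_sign_request(key_blob: bytes, data: bytes, flags: int = 0) -> bytes:
    """Ask the agent to sign `data` (the server's challenge) with the key named by its
    public key blob. Only public material and the data cross the socket; this is the
    request an approving agent such as Strongbox prompts you about."""
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(data) + struct.pack(">I", flags))
    return frame(body)


def parse_identities_answer(msg: bytes):
    """Parse SSH_AGENT_IDENTITIES_ANSWER into (public key blob, comment) pairs."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply %r" % msg[:1])
    (count,) = struct.unpack_from(">I", msg, 1)
    pos = 5
    identities = []
    for _ in range(count):
        blob, pos = read_string(msg, pos)
        comment, pos = read_string(msg, pos)
        identities.append((blob, comment.decode("utf-8", "replace")))
    return identities


def parse_sign_response(msg: bytes) -> bytes:
    """Return the signature blob, or raise if the agent refused (e.g. you clicked Deny)."""
    if not msg:
        raise ValueError("empty agent reply")
    if msg[0] == SSH_AGENT_FAILURE:
        raise PermissionError("agent refused to sign: request denied or key not held")
    if msg[0] != SSH_AGENT_SIGN_RESPONSE:
        raise ValueError("unexpected agent reply %r" % msg[:1])
    signature, _ = read_string(msg, 1)
    return signature


def key_type(blob: bytes) -> str:
    """A public key blob starts with its algorithm name, e.g. 'ssh-ed25519'."""
    name, _ = read_string(blob, 0)
    return name.decode("ascii")


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("agent closed the socket")
        buf += part
    return buf


def agent_roundtrip(sock: socket.socket, request: bytes) -> bytes:
    """Send one framed request and return the reply payload (length prefix stripped)."""
    sock.sendall(request)
    (length,) = struct.unpack(">I", recv_exact(sock, 4))
    return recv_exact(sock, length)


def list_identities(sock_path=None):
    """Connect to the agent's UNIX socket and list the public keys it holds."""
    sock_path = sock_path or os.environ["SSH_AUTH_SOCK"]
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(sock_path)
        return parse_identities_answer(agent_roundtrip(sock, build_request_identities()))


if __name__ == "__main__":
    for blob, comment in list_identities():
        print(key_type(blob), comment)
```

Run with an agent reachable through SSH_AUTH_SOCK and it prints the key type and comment of every key the agent holds. The sign request carries only the public key blob and the data to sign, which is what lets an agent show you which key a process is asking for; a refusal comes back as a bare SSH_AGENT_FAILURE message.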

Strongbox SSH Agent Advantages

  • Strongbox notifies you when a process is trying to use an SSH Key
  • You can see which process is asking and which key it wants, and approve or deny the request
  • There is no need to store SSH keys on the file system of any device
  • Your keys are available on any device with Strongbox installed
  • Your private key never leaves Strongbox
  • It’s easy to find and organise keys within the Sidebar (SSH Keys)
  • It’s easy to generate, view, export and add existing SSH Keys

How To Use Strongbox As Your SSH Agent

We have created a detailed guide on how to set up Strongbox as your SSH agent here.

AutoFill KeePass Passwords on Mac (Chrome, Firefox, Safari)

Introduction

AutoFill saves you time by automatically filling in username and password fields when you log into a website.

Logging into Strava website using autofill browser extension

Opting for the open source KeePass format, over proprietary solutions like 1Password and LastPass, can sometimes feel like a trade-off between data ownership and convenience. 1Password, LastPass, etc. have easy-to-use browser extensions, whilst with KeePass there are various options available of differing quality.

Unfortunately, despite an increasing number of KeePass-compatible iOS apps, there aren’t many good KeePass apps on macOS. This means that autofilling your KeePass passwords can be cumbersome on the Mac.

How To Set Up AutoFill for KeePass on Mac

Most KeePass apps will have some kind of AutoFill solution and this is an important factor to consider when deciding which one to use.

Strongbox is a free and open source KeePass-compatible password manager that provides a great user experience across Mac, iPhone and iPad. We’re biased, but, we believe that Strongbox offers the simplest and most secure way to AutoFill your KeePass passwords on your Mac, whether you’re using Chrome, Firefox, Safari or another compatible browser.

For those who don’t want to use Strongbox we also recommend KeePassXC.

We’ve outlined everything below:

NB: AutoFill support for Strongbox on Mac is only available with Strongbox Pro. You can try out Strongbox Pro for free for 3 months with no obligation to buy. We hope you’ll love it.

Strongbox has official browser extensions for both Chrome and Firefox.

Many other Chromium and Firefox-based browsers also work with these extensions, including Brave and Microsoft Edge.

For a general overview of how Strongbox works and how to get it set up, check out our Getting Started guide.

AutoFill is enabled on a per-database basis. So, before you can go ahead and make use of the browser extension, you’ll need to enable AutoFill in your database settings. To do this:

  1. Unlock your database
  2. Open the Database Settings (Database > Database Settings menu item)
  3. Navigate to the AutoFill tab
  4. Make sure the ‘Enable AutoFill for this Database’ box is checked

When you go to log into a website, you will then see a list of all entries in your database that match that URL.

There are also certain settings available within the AutoFill extension in the browser. You can automatically fill the fields as soon as the webpage loads, either with the closest match or only if there’s a single match for that domain, or you can turn this off and manually select an entry from the dropdown that appears when you click into a username or password field.

Strongbox AutoFill for Safari

Strongbox integrates with Apple’s native Password AutoFill on Mac (and iPhone and iPad). This is what enables Strongbox to AutoFill your credentials in Safari.

To enable AutoFill in Safari/macOS, go to System Preferences > Extensions > Password AutoFill and check the box for the Strongbox app.

Wormhole Fill Explained

In the AutoFill settings for your database, there’s an option to enable “Wormhole” fill.

If you enable it, the system level AutoFill can communicate directly with the Strongbox app. This way, AutoFill can determine if your database is already unlocked and save you from having to authenticate twice. If you disable this, you will have to authenticate each time you use AutoFill, even if your database is currently unlocked in the Strongbox app.

The “Wormhole” itself is a dedicated IPC channel that utilises the Secure Enclave on your Mac to keep your credentials secure.

A Quick Note on Security

As well as convenience, security is a concern whenever you decide to share sensitive data from your KeePass database with another app or service, such as your browser.

If you use a well-architected browser extension/AutoFill integration (such as with Strongbox) it is generally more secure to use AutoFill than it would be to copy and paste your passwords manually via your device’s clipboard. This is also true of Strongbox’s integration with the system-level AutoFill on macOS.

In creating the Strongbox browser extension, we have gone above and beyond to make it very difficult for an attacker to intercept your secrets. All traffic is encrypted end-to-end using asymmetric encryption, it uses local, on-device-only IPC (inter-process communication) with no open ports, and the code is open source so you can inspect it yourself on GitHub. You can read more about how the browser extension works here.

Whichever AutoFill solution you choose, make sure that you trust the developer and that your secrets are safe in transit.

What About TOTP codes?

Time-Based One-Time Passwords (TOTP, a form of OTP) are codes derived from a secret shared with the website and the current time, so they change at regular intervals (every 30 seconds by default). They usually take the form of a 6-digit number and are a very common second factor for 2FA.

If you have added a TOTP code to an entry in Strongbox, it’s super easy to then AutoFill that code in your browser. Once the username and password have been filled, Strongbox will automatically copy the TOTP to your device’s clipboard. So you can just paste and go.

The step-by-step instructions are:

  1. Navigate to the website’s login page in your browser
  2. Select the entry you want to use from the drop down menu
  3. Click to log in
  4. When the website prompts you for a TOTP code, simply press paste (CMD + V) and the TOTP code will be filled immediately
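How those codes are produced and checked, as an added example that is not Strongbox’s code: an RFC 6238 TOTP generator and verifier in Python. It assumes the secret is stored base32-encoded, as it appears in an otpauth:// URI (an assumption about the storage format), and the stand-alone demo uses the RFC’s published test secret rather than any real account.

```python
"""RFC 6238 TOTP generation and verification.

Example code added for this page; not Strongbox's code. Assumes the shared
secret is stored base32-encoded (otpauth:// style).
"""
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating spaces, lower case and missing '=' padding."""
    cleaned = secret_b32.replace(" ", "").strip().upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    (code,) = struct.unpack(">I", mac[offset:offset + 4])
    code &= 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, int(at) // step, digits, algorithm)


def seconds_remaining(at=None, step: int = 30) -> int:
    """How long the current code stays valid, e.g. before copying it to the clipboard."""
    if at is None:
        at = int(time.time())
    return step - (int(at) % step)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30, digits: int = 6,
                window: int = 1, algorithm=hashlib.sha1) -> bool:
    """Server-side check accepting +/- `window` steps of clock drift.

    Every candidate is compared with hmac.compare_digest and none is skipped early,
    so the time taken does not reveal which step (if any) matched."""
    if at is None:
        at = int(time.time())
    counter = int(at) // step
    ok = False
    for delta in range(-window, window + 1):
        if counter + delta < 0:
            continue
        candidate = hotp(secret, counter + delta, digits, algorithm)
        ok |= hmac.compare_digest(candidate, code)
    return ok


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded.
    demo_secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(demo_secret), "valid for", seconds_remaining(), "s")
```

Because the code is a pure function of the secret and the clock, a pasted code only works while the step it was generated in (plus whatever drift window the site allows) is still current, which is why a password manager copies the code to the clipboard at the moment the login is filled.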

AutoFill with KeePassXC as an Alternative to Strongbox

KeePassXC is a free and open source app available on all major platforms, including macOS, Windows and Linux.

In order to use AutoFill with KeePassXC, you need to download their browser extension. At the time of writing, KeePassXC supports Firefox & Chromium based browsers.

Once the extension is installed, open KeePassXC and go to Tools > Settings > Browser Integration. Check the box to Enable Browser integration and then check the browsers that you want to use. After you’ve done this, you’ll need to restart your browser.

Unfortunately, Safari isn’t currently supported. To use KeePassXC with Safari, you’ll need to enable the global Auto-Type feature.

Auto-Type fills the username and password for you by simulating key presses. It’s less convenient than browser-based AutoFill because it requires you to search for the correct entry manually. The advantage, however, is that it can be used anywhere, including inside other Mac apps.

To set up Auto-Type, check out this guide.

Conclusion

You don’t need to sacrifice the convenience of AutoFill when you use KeePass on your Mac. If you choose the right KeePass client, you’ll get the benefits of owning your own data and save time by taking advantage of AutoFill. That’s one more reason not to use proprietary password management apps like 1Password.

Strongbox offers a comprehensive AutoFill solution that works across all major browsers on Mac (as well as on iPhone and iPad). KeePassXC is a free option that works across all major browsers except for Safari, with Auto-Type making it possible to still AutoFill in Safari with a few extra steps.

For more information, check our comprehensive guides on AutoFill, as well as how to AutoFill on your iPhone and iPad.