website/content/blog/2024-05-12-keepassxc-and-flatpak.md


+++
title = "KeePassXC from flatpak"
date = 2024-05-12

[taxonomies]
tags = ["linux"]
categories = ["apps", "os"]
+++

Table of Contents

  1. KeePassXC from flatpak
  2. Allow access to the socket file
  3. keepassxc-proxy
  4. Configure Chrome
  5. Configure Brave
  6. Configure Firefox
  7. references

KeePassXC from flatpak

More and more browsers come packaged in containers like flatpak or snap, especially the ones of the Chromium variety.

Since browsers are scary things at the best of times, with arbitrary code being executed in every webpage, running them in a sandbox makes a lot of sense.

However, the sandbox also impacts communication with helpers like the password manager KeePassXC.

In order to keep things reproducible on many machines, if we're going to fight with flatpak we might as well run keepassxc as a flatpak.

$ flatpak install org.keepassxc.KeePassXC

Allow access to the socket file

Allow read-only (:ro) access to the keepassxc socket at $XDG_RUNTIME_DIR/org.keepassxc.KeePassXC.BrowserServer:

$ flatpak override --user \
  --filesystem=xdg-run/app/org.keepassxc.KeePassXC:ro \
  com.google.Chrome

This needs to be done for each flatpak application that needs access to keepassxc.

keepassxc-proxy

There is a statically compiled Rust-based socket proxy.

  • rust based keepassxc proxy

    It can be compiled with MUSL for a fully static executable.

    Place it together with the configuration file

Configure Chrome

The Chrome flatpak can be configured in the folder ~/.var/app/com.google.Chrome:

$ ls .var/app/com.google.Chrome/config/google-chrome/NativeMessagingHosts
keepassxc-proxy  org.keepassxc.keepassxc_browser.json

The native messaging config file needs to be configured for the local user:

{
    "allowed_origins": [
        "chrome-extension://pdffhmdngciaglkoonimfcmckehcpafo/",
        "chrome-extension://oboonakemofpalcgghocfoadofidjkkk/"
    ],
    "description": "KeePassXC integration with native messaging support",
    "name": "org.keepassxc.keepassxc_browser",
    "path": "/home/pti/.var/app/com.google.Chrome/config/google-chrome/NativeMessagingHosts/keepassxc-proxy",
    "type": "stdio"
}

And do not forget to give access to the socket:

$ flatpak override --user --filesystem=xdg-run/app/org.keepassxc.KeePassXC:ro com.google.Chrome

Notes:

  • the path field needs to contain the full path including the username AFAICT.
  • The extension id can be stolen from the URL box when going into the settings pane of the extension. It has changed in the past.

Configure Brave

Again we need an org.keepassxc.keepassxc_browser.json file in the ~/.var/app/com.brave.Browser/config/BraveSoftware/Brave-Browser/NativeMessagingHosts/ folder, together with an executable version of the proxy compiled above.

{
    "allowed_origins": [
        "chrome-extension://pdffhmdngciaglkoonimfcmckehcpafo/",
        "chrome-extension://oboonakemofpalcgghocfoadofidjkkk/"
    ],
    "description": "KeePassXC integration with native messaging support",
    "name": "org.keepassxc.keepassxc_browser",
    "path": "/home/pti/.var/app/com.brave.Browser/config/BraveSoftware/Brave-Browser/NativeMessagingHosts/keepassxc-proxy",
    "type": "stdio"
}

You can copy it from the Google Chrome config but do not forget to update the path to the proxy.

Now we still need to give Brave access to the keepassxc socket:

$ flatpak override --user --filesystem=xdg-run/app/org.keepassxc.KeePassXC:ro com.brave.Browser

Configure Firefox

I have Firefox running natively on my laptop, so these shenanigans are not needed. However, the example I based most of this on was for Firefox, so I assume it works similarly. Note that the native messaging file is different for Firefox.

{
    "allowed_extensions": [
        "keepassxc-browser@keepassxc.org"
    ],
    "description": "KeePassXC integration with native messaging support, workaround for flatpaked Firefox, see https://is.gd/flatpakFirefoxKPXC",
    "name": "org.keepassxc.keepassxc_browser",
    "path": "/home/pti/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/keepassxc-proxy",
    "type": "stdio"
}

It uses allowed_extensions instead of allowed_origins.

And give Firefox access to the socket file:

$ flatpak override --user --filesystem=xdg-run/app/org.keepassxc.KeePassXC:ro org.mozilla.firefox
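A checker for the manifests above, covering both the Chromium-style and the Firefox-style allow-list key. This is an added example, not part of the original post or of KeePassXC; check_manifest and demo are hypothetical names, and the group/other write check is an extra hardening assumption of this example.

```python
import json, os, re, stat, tempfile

HOST = "org.keepassxc.keepassxc_browser"  # "name" value from the page's manifests
ORIGIN = re.compile(r"chrome-extension://[a-p]{32}/")  # Chromium extension origin

def check_manifest(manifest, firefox=False):
    """Return a list of problems in a native messaging manifest (empty = OK)."""
    try:
        with open(manifest) as fh:
            m = dict(json.load(fh))  # dict() rejects JSON that is not an object
    except (OSError, ValueError, TypeError) as exc:
        return [f"cannot read manifest: {exc}"]
    problems = []
    for key, val in (("name", HOST), ("type", "stdio")):
        if m.get(key) != val:
            problems.append(f"{key} must be {val!r}")
    keys = ["allowed_origins", "allowed_extensions"]  # Chromium key, Firefox key
    want, wrong = reversed(keys) if firefox else keys
    if wrong in m:
        problems.append(f"{wrong} is the other browser family's key, use {want}")
    allowed = m.get(want)
    if not isinstance(allowed, list) or not allowed:
        problems.append(f"{want} is missing or empty")
    elif not firefox:
        problems += [f"malformed origin {o!r}" for o in allowed if not ORIGIN.fullmatch(str(o))]
    proxy = str(m.get("path", ""))
    if not os.path.isabs(proxy):
        problems.append("path must be absolute")
    elif not (os.path.isfile(proxy) and os.access(proxy, os.X_OK)):
        problems.append("proxy is missing or not executable")
    else:
        # Assumption of this example: only the owner may modify proxy or manifest.
        for p in (proxy, manifest):
            if os.stat(p).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                problems.append(f"{p} is writable by group or others")
    return problems

def demo():
    """Constructed sample: Chromium-style manifest whose proxy has no exec bit."""
    d = tempfile.mkdtemp()
    proxy, manifest = os.path.join(d, "keepassxc-proxy"), os.path.join(d, HOST + ".json")
    open(proxy, "w").close()  # plain file, never executable
    with open(manifest, "w") as fh:
        json.dump({"allowed_origins": ["chrome-extension://oboonakemofpalcgghocfoadofidjkkk/"],
                   "name": HOST, "path": proxy, "type": "stdio"}, fh)
    return check_manifest(manifest)

if __name__ == "__main__":
    print(demo())
```

Point check_manifest at the org.keepassxc.keepassxc_browser.json file of each browser, passing firefox=True for the Firefox variant.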

references