iOS doesn't support Yubikey Challenge-Response for 2FA on Keepass files.

A workaround to be able to open Yubikey protected databases can be found in: https://github.com/keepassxreboot/keepassxc/issues/1734 which shows how to create a pre-computed key file:

CHALLENGE_RESPONSE_KEY=
DATABASE_FILE=/tmp/passwords.kdbx
KEY_FILE=/tmp/passwords.key
xxd -p -c 33 -s 0xc5 -l 32 "$DATABASE_FILE" | xxd -r -p | openssl dgst -sha1 -hmac "$(echo -n "$CHALLENGE_RESPONSE_KEY" | xxd -r -p)" | cut -c 10- | xxd -r -p > "$KEY_FILE"

Unfortunately each time the database is changed this key file needs to be regenerated and imported into iOS.

It might be useful to add an Advanced Unlock option that takes the Challenge-Response secret and password and computes the key on the fly, avoiding the need for manual steps.

Hi, i just ended my trial early and registered both the iOS and macOS versions, as I'm super happy with everything so far - thanks!

My issue is regarding iOS autofill using a keepass db. Let's say i try to log into github. The keyboard shows an entry is available and prompts me to use the right one. I click it, then go through the TouchID prompt. Then it shows a spinner, and then just returns to the login page without entering anything in either the user or pw fields. It just continues to show an entry an available, but the cycle will just repeat without success if i keep trying. I'm logged into the db in a separate strongbox app window while doing this. The db is in readonly mode.

I know there's a faq entry about autofill crashing due to apple resource limitations, but I thought some issues i read suggested it should work now. Also, I have a friend who uses 1password with a database with at least 3+ times as many entries as mine, and his works just fine.

So, should mine be working now and this is an unexpected crash, or are there still expected crashes due to apple constraints combined with certain keepass db characteristics?

If it's really resource limitations set by apple, where are those documented? How is 1password likely working within them successfully for similar functionality? I miss my keepass keyboard on android, and autofill seems like the best alternative on iOS, given custom keyboard limitations.

I have configured my Raspberry pi so that it can be accessed via Sftp, which also works with other apps. Here, however, do I get the same error message every time?!

so I have encountered this twice recently. I created a new entry in app that I need to create password for. Mechanics are pretty basic:

1-Open app - need to sign in or sign up 2-on sign in screen tap field for username to get "Passwords" option form QuickType 3-Tap Create new entry - give it a name user name and auto gen password 4-Tap save 5-Now click sign up 6-fields don't normally show Quicktype for whatever reason...annoying, but I digress. I switch over to Strongbox top copy password 7-Search for entry....no entry....

Not sure if this Strongbox or limitation of Autofill/QuickType feature. Wonder if this is why some app use Share extensions instead. It's as though the entry is in memory, but never gets written out to the file.

In 1.42.0 for iOS there is a new bug. After starting the app I always get an error that Face ID unlock has failed or was cancelled and the blue Strongbox screen occurs. After cancelling the master password prompt and opening the database again Face ID works until the next app launch.

KeePass sync involves comparing the database before writing changes back to it. Comparing records by UUID and timestamp, and then taking the latest entry, and moving the older staler entry to History. This allows for multiple editors to work on the Database and avoid sync conflicts.

It would involve comparing the XML documents, and so applies only to KeePass 2 Databases. It also depends on the History feature which needs to be implemented separately. More info:

https://keepass.info/help/v2/sync.html

If you rename or delete a database in Strongbox the changes aren't visible in the database view for auto fill. You still see the old database names and you can also access databases that have been deleted.

@mmcguill I'll send you a video of this issue by mail.

A password protection (TouchID/FaceID) for the app would be great to protect the locally stored data or the configurations for the cloud data within Strongbox. With a configurable number of failed attempts to open the app, the local data or configurations will be deleted.

KeePass has an option to find duplicate passwords in your DB. It groups the entries with the same password by the password.

I'm using it right now to try to finish them off and make every password unique finally.

It's probably something every password manager should have.

Hi there,

I'm getting this error multiple times a day. I've enabled the Quick launch & App lock: coalesce biometrics setting, and what happens is, i open the app and the first FaceID succeeds, then the quick launch database is automatically opened and i immediately see a second FaceID check which fails with this error message.

Then, it asks me to manually enter the database password, and i click cancel. I click the database again, see FaceID again, and now it succeeds.

The way i understand the setting, the second FaceID check should not even be happening?

When this error happens, if i then close the app, lock the device, and then unlock the device, and open Strongbox again, i can no longer reproduce it: now i can open the app and the quick launch database will automatically open and it will only ask for the FaceID 1 time.

This is happening on both the latest iOS and iPadOS beta's by the way, not sure if that's related.

Strongbox Pro 1.53.0

iOS 15.0 beta6 iPadOS 15.0 beta6 iPhone 12 Pro iPad Pro 12.9

Hello,

I read an interesting idea at the Keepass Forum (sourceforge) and wanted to share it here & +1 it:

Only a small thing: i used the favicon downloader for my windows keepass. In the app the favicons looks terrible. Is that a app or a resolution problem? Could you include a possibility to change or even mass download favicons, if a url is provided in the entry?

1. Create a new account entry
2. Set up passwords and username et al as needed.
3. Press Commit (not commit and close)

There's now no obvious way to close the dialog. In fact, one has to press "cancel" but "Cancel" does not mean close. Cancel is assumed to mean cancel the operation — that is, don't create the entry.

Either give the dialog a close button or better yet a platform appropriate close icon on the window or both.

What is the seed of the challenge-response implementation of Strongbox? As I tested, if I update the database using StrongBox, I can still use the old response + master pass to decrypt the latest database(using KeeWeb); this is not expected; KeeWeb's implementation regenerates the response codes after each saving.

Is there any doc about the KeeChallenge implementation? Can StrongBox provide a way to rotate the challenge-response code?

Currently we can add only one TOTP per entry. It would be nice if we could add multiple TOTP codes for an entry. There are websites that requires this. For example kraken.com (crypto exchange website) uses several TOTP. One for founding, another for sign-in, yet another for trading and a 4th one for API key management

Strongbox recognizes ; as a tag separator (in line with the available informal KDBX specs).

The issue is that despite the spec, some clients (notably KeePassXC and keepassxc-cli) are saving tags with comma , separators. Opening such database in Strongbox results in a single concatenated tag for each entry, which is not usable: vs the expected:

Other clients resolve this by recognizing multiple tag separators:

• KeePass/keepass2android, MacPass/IOSKeePass, KeePassDX: ,, ;.
• KeePassXC, KeeWeb: ,, ; and :.

I wonder if Strongbox would be willing to also accept at least , (comma) for better tag interoperability with other clients?

Hello!

In iOS - When one creates a new entry from a create account screen (for example when signing up to a forum), it should be possible to change the password type (diceware, normal password - length etc) rather than having to exit the screen and manually changing it in the app when one realises you have the wrong type as default in the main app.

I can’t see this as an option. Am I missing something?

cheers. M