KeePassXC from flatpak
More and more browsers are coming packaged in containers like flatpak or snap, especially the ones of the Chromium variety.
Since browsers are at the best of times scary things, with arbitrary code being executed in every webpage, running them in a sandbox makes a lot of sense.
However, the sandbox also impacts communication with helpers like the password manager KeePassXC.
In order to keep things reproducible on many machines, if we're going to fight with flatpak we might as well run KeePassXC as a flatpak.
$ flatpak install org.keepassxc.KeePassXC
Allow access to the socket file
Allow read-only access (the :ro suffix) to the KeePassXC socket org.keepassxc.KeePassXC.BrowserServer under $XDG_RUNTIME_DIR:
$ flatpak override --user \
    --filesystem=xdg-run/app/org.keepassxc.KeePassXC:ro \
    com.google.Chrome
This needs to be done for each flatpak application needing access to KeePassXC.
keepassxc-proxy
There is a statically compiled, Rust-based socket proxy.
It can be compiled with MUSL for a fully static executable.
Place it together with the configuration file.
Configure Chrome
The Chrome flatpak can be configured in the folder ~/.var/app/com.google.Chrome:
❯ ls .var/app/com.google.Chrome/config/google-chrome/NativeMessagingHosts
keepassxc-proxy org.keepassxc.keepassxc_browser.json
The native messaging config file needs to be configured for the local user:
{
    "allowed_origins": [
        "chrome-extension://pdffhmdngciaglkoonimfcmckehcpafo/",
        "chrome-extension://oboonakemofpalcgghocfoadofidjkkk/"
    ],
    "description": "KeePassXC integration with native messaging support",
    "name": "org.keepassxc.keepassxc_browser",
    "path": "/home/pti/.var/app/com.google.Chrome/config/google-chrome/NativeMessagingHosts/keepassxc-proxy",
    "type": "stdio"
}
And do not forget to give access to the socket:
$ flatpak override --user --filesystem=xdg-run/app/org.keepassxc.KeePassXC:ro com.google.Chrome
Notes:
- The path field needs to contain the full path including the username AFAICT.
- The extension id can be stolen from the URL box when going into the settings pane of the extension. It has changed in the past.
Configure Brave
Again we need an org.keepassxc.keepassxc_browser.json file in the ~/.var/app/com.brave.Browser/config/BraveSoftware/Brave-Browser/NativeMessagingHosts/ folder, together with an executable version of the proxy compiled above.
{
    "allowed_origins": [
        "chrome-extension://pdffhmdngciaglkoonimfcmckehcpafo/",
        "chrome-extension://oboonakemofpalcgghocfoadofidjkkk/"
    ],
    "description": "KeePassXC integration with native messaging support",
    "name": "org.keepassxc.keepassxc_browser",
    "path": "/home/pti/.var/app/com.brave.Browser/config/BraveSoftware/Brave-Browser/NativeMessagingHosts/keepassxc-proxy",
    "type": "stdio"
}
You can copy it from the Google Chrome config but do not forget to update the path to the proxy.
Now we still need to give Brave access to the KeePassXC socket:
$ flatpak override --user --filesystem=xdg-run/app/org.keepassxc.KeePassXC:ro com.brave.Browser
Configure Firefox
I have Firefox running natively on my laptop, so these shenanigans are not needed. However, the example I based most of this on was for Firefox, so I assume it works similarly. Note that the native messaging file is different for Firefox.
{
    "allowed_extensions": [
        "keepassxc-browser@keepassxc.org"
    ],
    "description": "KeePassXC integration with native messaging support, workaround for flatpaked Firefox, see https://is.gd/flatpakFirefoxKPXC",
    "name": "org.keepassxc.keepassxc_browser",
    "path": "/home/pti/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/keepassxc-proxy",
    "type": "stdio"
}
It uses allowed_extensions instead of allowed_origins.
And give Firefox access to the socket file:
$ flatpak override --user --filesystem=xdg-run/app/org.keepassxc.KeePassXC:ro org.mozilla.firefox
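The Chrome, Brave and Firefox manifests above follow one pattern, so a small check can catch the usual mistakes: a relative path, a missing or non-executable proxy, or the wrong allow-list key for the browser family. It also flags a proxy or manifest that group or others can write to, since the browser executes whatever the path field points at. This is an added example, not part of the original page or of KeePassXC; check_manifest, make_sample and the temporary sample files are assumptions made for illustration.

```python
import json, os, stat, tempfile
from pathlib import Path

HOST = "org.keepassxc.keepassxc_browser"
KEYS = {"chromium": "allowed_origins", "firefox": "allowed_extensions"}
ORIGIN = "chrome-extension://oboonakemofpalcgghocfoadofidjkkk/"  # id taken from the page

def loosely_writable(path):  # True if group or others may write to path
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def check_manifest(manifest, family):
    """Return a list of problems; family is 'chromium' (Chrome, Brave) or 'firefox'."""
    m = json.loads(Path(manifest).read_text())
    problems = []
    if m.get("name") != HOST or m.get("type") != "stdio":
        problems.append("name/type do not match the KeePassXC host")
    want = KEYS[family]
    if not m.get(want):
        problems.append(f"missing or empty {want}")
    if family == "chromium":  # entries must look like chrome-extension://<id>/
        problems += [f"malformed origin {o}" for o in m.get(want, [])
                     if not (o.startswith("chrome-extension://") and o.endswith("/"))]
    proxy = m.get("path", "")
    if not os.path.isabs(proxy):
        problems.append("path is not absolute")
    elif not os.path.isfile(proxy):
        problems.append("proxy binary not found")
    elif not os.stat(proxy).st_mode & stat.S_IXUSR:
        problems.append("proxy is not executable")
    elif loosely_writable(proxy):
        problems.append("proxy is writable by group/others")
    if loosely_writable(manifest):
        problems.append("manifest is writable by group/others")
    return problems

def make_sample(directory, key, entries, proxy_mode=0o755):
    """Constructed manifest plus dummy proxy (test data, not a real install)."""
    proxy = os.path.join(directory, "keepassxc-proxy")
    Path(proxy).write_text("#!/bin/sh\n")
    os.chmod(proxy, proxy_mode)
    manifest = os.path.join(directory, HOST + ".json")
    doc = {"name": HOST, "type": "stdio", "path": proxy, key: entries}
    Path(manifest).write_text(json.dumps(doc))
    os.chmod(manifest, 0o644)
    return manifest

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # proxy left world-writable on purpose
        print(check_manifest(make_sample(d, "allowed_origins", [ORIGIN], 0o777), "chromium"))
```

To check a real install, pass the manifest path from the relevant NativeMessagingHosts folder and the browser family; an empty list means none of these problems were found.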