====== KeePass synchronisation on macOS with pCloud ======

Some basic info on my workflow.

===== Database settings =====

My ''*.kdbx'' v4.0 database settings are as follows:

  * Encryption:
    * **Algorithm = AES Rijndael** – ChaCha20 [[https://www.reddit.com/r/crypto/comments/85jdsf/comment/dvxui18/|might be bad in some situations]] and Twofish [[https://www.reddit.com/r/KeePass/comments/10pdsrq/comment/j6kpwlc/|is prone to side-channel attack]].
  * Key derivation:
    * **Algorithm = Argon2d** – AES-KDF is [[https://keepass.info/help/kb/kdbx_4.html#argon2|not that good]] because its memory requirements are low (and memory is the limiting factor in GPU/ASIC attacks). Argon2id [[https://keepass.info/help/base/security.html#secdictprotect|is not recommended by the KeePass developer]].
    * **Memory = 64MB** – theoretically, this should be set as high as possible, because memory is now the limiting factor, not iterations. From this point of view, 1GB would be ideal – the KeePass developer [[https://keepass.info/help/base/security.html#secdictprotect|recommends]] setting it to half the lowest RAM any of your devices has. But if you use Autofill, there are [[https://keepassium.com/articles/autofill-memory-limits/|memory limits]] which will probably force you to set it to 64MB or perhaps 128MB.
    * **Iterations = 20** – decryption should take a while; this makes it around 1–2s on my devices.
    * **Threads (Parallelism) = 2** – this should be [[https://sourceforge.net/p/keepass/discussion/329220/thread/eb5cf70b/#3215|the lowest number of cores/threads]] any of your devices has, because it does not limit the attacker, it only speeds things up for you.

Note that there are also some recommended settings in [[https://www.rfc-editor.org/rfc/rfc9106#name-parameter-choice|the official RFC for Argon2]].

===== Apps used & Apps tried =====

I am using a KeePass ''.kdbx'' database (version 4.0) and pCloud as the provider for synchronisation.

==== Windows ====

  ; [[https://keepass.info/|KeePass]] ✅
  : THE original. There's no real reason for using anything else.

==== macOS ====

  ; [[https://macpassapp.org/|MacPass]] ✅
  : In my opinion, the very best solution. A native app with many nice features; it supports everything KeePassXC does, is 1/10th of its size and launches blazingly fast. And it's open-source. Yay!
  ; [[https://keepassxc.org/|KeePassXC]]
  : A cross-platform solution I used for a long time. A very good one, but it is not a native macOS app and you will feel it from time to time.
  ; [[https://strongboxsafe.com/|Strongbox]]
  : I did not personally test it, but it was mentioned multiple times in [[https://www.reddit.com/r/KeePass/comments/16gphwa/which_is_the_best_keepass_app_for_macos/|this reddit thread]], so it might be worth trying. From the screenshots, it //looks better// than MacPass, but I like the open-source feature of MacPass.

==== iOS ====

  ; [[https://keepassium.com/|KeePassium]] ✅
  : Simply the best. Perfect, open-source and even free for the majority of "home" uses.
  ; [[https://www.kyuran.be/software/kypass/|KyPass]]
  : I used this app before for quite some time, but with every new major version number of the app, the developer creates a completely new app ID, thus forcing you to buy it again and again (because he removes the previous app versions from the App Store). After buying three different versions, I gave up. Also, from the design point of view, it really //feels crappy//.
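All the apps above open the same synced file, so the key-derivation settings from //Database settings// travel with it in the unencrypted outer header of the ''.kdbx'' file. The following added example (not part of the original page or of any of these apps) reads them back without the master key; the field ID, type codes and UUIDs are KDBX 4 format constants rather than values from this page, and the sample header is constructed.

```python
import struct

# KDBX 4 format constants (they come from the file format, not from this page).
SIGNATURE = struct.pack("<II", 0x9AA2D903, 0xB54BFB67)
ARGON2D = bytes.fromhex("ef636ddf8c29444b91f7a9a403e30a0c")
KDF_NAMES = {ARGON2D: "Argon2d",
             bytes.fromhex("9e298b1956db4773b23dfc3ec6f0a1e6"): "Argon2id",
             bytes.fromhex("c9d9f39a628a4460bf740d08c18a4fea"): "AES-KDF"}
INT_TYPES = {0x04: "<I", 0x05: "<Q", 0x0C: "<i", 0x0D: "<q"}

def parse_variant_dict(blob):
    """Decode a KDBX 4 VariantDictionary into {key: value}."""
    out, pos = {}, 2  # skip the 2-byte dictionary version
    while blob[pos] != 0:  # a type byte of 0 ends the dictionary
        vtype = blob[pos]
        (klen,) = struct.unpack_from("<I", blob, pos + 1)
        key = blob[pos + 5:pos + 5 + klen].decode()
        pos += 5 + klen
        (vlen,) = struct.unpack_from("<I", blob, pos)
        raw = blob[pos + 4:pos + 4 + vlen]
        pos += 4 + vlen
        out[key] = struct.unpack(INT_TYPES[vtype], raw)[0] if vtype in INT_TYPES else raw
    return out

def read_kdf_settings(data):
    """Read the KDF settings from the unencrypted outer header of a KDBX 4 file."""
    if data[:8] != SIGNATURE or struct.unpack_from("<H", data, 10)[0] != 4:
        raise ValueError("not a KDBX 4 database")
    pos = 12
    while True:
        field_id, size = struct.unpack_from("<BI", data, pos)
        body = data[pos + 5:pos + 5 + size]
        pos += 5 + size
        if field_id == 11:  # KdfParameters field
            p = parse_variant_dict(body)
            return {"algorithm": KDF_NAMES.get(p.get("$UUID"), "unknown"), "iterations": p.get("I"),
                    "memory_mib": p.get("M", 0) // 2**20, "parallelism": p.get("P")}
        if field_id == 0:  # end-of-header field
            raise ValueError("no KDF parameters in header")

def build_sample_header():
    """Constructed sample header carrying the settings listed on this page."""
    entries = [(0x42, "$UUID", ARGON2D), (0x05, "M", struct.pack("<Q", 64 << 20)),
               (0x05, "I", struct.pack("<Q", 20)), (0x04, "P", struct.pack("<I", 2))]
    kdf = b"\x00\x01" + b"".join(
        bytes([t]) + struct.pack("<I", len(k)) + k.encode() + struct.pack("<I", len(v)) + v
        for t, k, v in entries) + b"\x00"
    return (SIGNATURE + struct.pack("<I", 0x00040000)
            + struct.pack("<BI", 11, len(kdf)) + kdf + struct.pack("<BI", 0, 0))
```

On a real database, pass the file contents read in binary mode to ''read_kdf_settings'' and compare the result with the values you configured.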
===== Setting up KeePassium for cloud-shared password database =====

To connect KeePassium with your database, you have basically two options:

  * **Native connection via //Files// app**: KeePassium supports [[https://keepassium.com/articles/supported-sync-sources/|many sync sources]] through integration of cloud services under "Locations" in the iOS ''Files'' app (and pCloud is [[https://keepassium.com/articles/sync-ios-keepass-with-pcloud/|fully supported]]).
  * **Connection through WebDAV**: This is a slightly [[https://keepassium.com/articles/sync-ios-keepass-with-webdav/|more technical solution]], but it works.

==== WebDAV connection to pCloud-shared database ====

To connect KeePassium with my database, I use a WebDAV connection to my pCloud storage. The native integration of cloud services under "Locations" in the iOS ''Files'' app was causing me problems: after each database save in KeePassXC, KeePassium could not find the file.((As I realised later, this has a simple solution [[https://keepassium.com/articles/sync-ios-keepass-with-pcloud/#modify-missing|documented there]], but in the meantime, I started using MacPass together with WebDAV-synced KeePassium, so this was no longer an issue for me.))

To set up a WebDAV database in KeePassium, you have to provide the URL and your credentials. For pCloud, the WebDAV URL depends on your [[https://www.pcloud.com/data-regions/|data region]] – the [[https://support.enpass.io/app/sync/kb/connecting_a_vault_with_pcloud_using_webdav_in_enpass.htm|host is]]:

  * either ''webdav.pcloud.com'' (for US),
  * or ''ewebdav.pcloud.com'' (for EU).

The full URL then is the following:

  https://webdav.pcloud.com:443////

Note that **//the URL has to be the folder containing the database, not the full path to the database itself//** – otherwise, you will see an error:

  The folder is empty.

An interesting thing is that you can test both your credentials and whether the URL to the folder with the database is correct by typing the address in your browser.
For example, try https://webdav.pcloud.com:443/ to directly open and display the folder listing.
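The same check can be scripted. This is an added example, not part of the original page or of KeePassium: it validates the folder URL against the rules above and lists the ''.kdbx'' files the server reports for that folder. The function names, the ''/Passwords/'' folder and the sample response are made up for illustration, and HTTP Basic authentication is an assumption about how the credentials are sent.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

PCLOUD_HOSTS = {"webdav.pcloud.com", "ewebdav.pcloud.com"}  # US / EU hosts named above

def check_folder_url(url):
    """Return the problems found in a pCloud WebDAV folder URL (empty list = OK)."""
    parts, problems = urlsplit(url), []
    if parts.scheme != "https":
        problems.append("not https: credentials would travel without TLS")
    if parts.hostname not in PCLOUD_HOSTS:
        problems.append("host is not one of the pCloud WebDAV hosts")
    if parts.path.lower().endswith(".kdbx"):
        problems.append("URL points at the database file, not its folder")
    if parts.username or parts.password:
        problems.append("credentials are embedded in the URL")
    return problems

def databases_in_listing(multistatus_xml):
    """Names of the .kdbx files in a PROPFIND (Depth: 1) response body."""
    hrefs = (unquote(h.text or "") for h in ET.fromstring(multistatus_xml).iter("{DAV:}href"))
    return sorted(h.rsplit("/", 1)[-1] for h in hrefs if h.lower().endswith(".kdbx"))

def list_databases(url, user, password):
    """Ask the server for the folder listing; needs network access and real credentials."""
    problems = check_folder_url(url)
    if problems:
        raise ValueError("; ".join(problems))
    # Assumption: the server accepts HTTP Basic authentication over TLS.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, method="PROPFIND", headers={
        "Depth": "1", "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return databases_in_listing(resp.read())

# Constructed sample response; the folder and file names are made up.
SAMPLE_LISTING = """<D:multistatus xmlns:D="DAV:">
  <D:response><D:href>/Passwords/</D:href></D:response>
  <D:response><D:href>/Passwords/My%20Vault.kdbx</D:href></D:response>
  <D:response><D:href>/Passwords/notes.txt</D:href></D:response>
</D:multistatus>"""
```

If ''list_databases'' returns an empty list, the URL is valid but does not point at the folder that holds the database.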