Create a Secure Web Based Password Vault with Keepass Web

  1. Log into the Debian device
  2. Run the following commands in a terminal:
    # update repositories and install any available software updates
    sudo apt update
    sudo apt upgrade
    # install apache2
    sudo apt install apache2
    # download and extract keepass web
    wget https://github.com/keeweb/keeweb/archive/gh-pages.zip
    sudo unzip gh-pages.zip -d /var/www/html/
    sudo mv /var/www/html/keeweb-gh-pages /var/www/html/keepass
    # create webdav directory and set permissions
    sudo mkdir /var/www/html/webdav
    sudo chown -R www-data:www-data /var/www/html/webdav
    # change permissions on the newly setup application folder
    sudo chown -R www-data:www-data /var/www/html/keepass
    # create a new keepass.conf file to configure the site
    sudo nano /etc/apache2/sites-available/keepass.conf
  3. Paste the following directives into keepass.conf

    DavLockDB "/var/www/html/webdav/DavLock"
    <Location /keepass>
      RewriteEngine on
      RewriteCond %{REQUEST_METHOD} OPTIONS
      RewriteRule ^(.*)$ blank.html [R=200,L,E=HTTP_ORIGIN:%{HTTP:ORIGIN}]
      # Don't require LDAP authentication for a healthcheck
      SetEnvIf Request_URI "^/healthcheck" accessgranted=1
      # Satisfy any: a request is allowed if it matches the env rule OR authenticates via LDAP
      Order deny,allow
      Satisfy any
      Deny from all
      Allow from env=accessgranted
      AuthType Basic
      AuthBasicProvider ldap
      # NONE = the connection to the LDAP server is not encrypted
      AuthLDAPURL "ldap://i12bretro.local:389/DC=i12bretro,DC=local?sAMAccountName?sub?(objectClass=user)" NONE
      AuthLDAPBindDN "readonly_svc@i12bretro.local"
      AuthLDAPBindPassword "Read0nly!!"
      AuthName "Restricted Area [i12bretro.local]"
      # to authenticate a domain group, specify the full DN
      AuthLDAPGroupAttributeIsDN on
      require ldap-group CN=WebAuthAccess,CN=Users,DC=i12bretro,DC=local
    </Location>
    <Location "/webdav">
      DAV On
      # no Require directive is set in this block: unless one is inherited from an
      # enclosing section, AuthType/AuthName alone do not prompt for credentials
      AuthType "Basic"
      AuthName "webdav"
      Options Indexes
      Header always set Access-Control-Allow-Origin "*"
      Header always set Access-Control-Allow-Headers "origin, content-type, cache-control, accept, authorization, if-match, destination, overwrite"
      Header always set Access-Control-Expose-Headers "ETag"
      Header always set Access-Control-Allow-Methods "GET, HEAD, POST, PUT, OPTIONS, MOVE, DELETE, COPY, LOCK, UNLOCK"
      Header always set Access-Control-Allow-Credentials "true"
    </Location>

  4. Edit the index.html file and modify the kw-config meta tag, setting the value to config.json
    # open index.html in an editor
    sudo nano /var/www/html/keepass/index.html
  5. Press CTRL+O, Enter, CTRL+X to write the changes to index.html
  6. Create and edit config.json by running the following command:
    sudo nano /var/www/html/keepass/config.json
  7. Paste the following into config.json

    {
        "settings": {
            "theme": "fb",
            "autoSave": true,
            "autoSaveInterval": 1,
            "canOpenDemo": false,
            "dropbox": false,
            "gdrive": false,
            "onedrive": false,
            "canExportXml": true
        },
        "files": [{
            "storage": "webdav",
            "name": "Database",
            "path": "/webdav/database.kdbx"
        }]
    }

  8. Press CTRL+O, Enter, CTRL+X to write the changes to config.json
  9. Continue by executing the following commands in terminal:
    # enable the keepass site and required Apache modules
    sudo a2ensite keepass
    sudo a2enmod dav dav_fs ldap authnz_ldap rewrite headers
    # restart apache2 service for the changes to take effect
    sudo systemctl restart apache2
  10. Open a web browser and navigate to http://DNSorIP/keepass
  11. Authenticate with a valid LDAP user account
  12. Click the New icon
  13. Click the New link in the lower left hand corner
  14. Enter a Master password and re-type it to confirm
  15. Enter a Name for the keepass database
  16. Click the Save to... button > File
  17. Save the database to ~/database.kdbx
  18. Close the browser
  19. Continue by executing the following commands in terminal:
    # copy the keepass database to webdav directory
    sudo mv ~/database.kdbx /var/www/html/webdav/
  20. Open a web browser and navigate to http://DNSorIP/keepass
  21. Enter the master password created earlier
  22. Enjoy your web based keepass editor
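
The Python script below is an added example, not part of the original tutorial or of KeeWeb: it audits the Location blocks from step 3 for access-control gaps, such as an AuthType with no Require. SAMPLE_CONF is a constructed excerpt of keepass.conf, and the names audit, check and the finding texts are chosen for this example.

```python
import re

# Constructed sample: the access-control lines of the two <Location> blocks from step 3.
SAMPLE_CONF = """
<Location /keepass>
  Satisfy any
  Allow from env=accessgranted
  AuthType Basic
  require ldap-group CN=WebAuthAccess,CN=Users,DC=i12bretro,DC=local
</Location>
<Location "/webdav">
  DAV On
  AuthType "Basic"
  Header always set Access-Control-Allow-Origin "*"
  Header always set Access-Control-Allow-Credentials "true"
</Location>
"""

OPEN = re.compile(r'<Location\s+"?([^">\s]+)"?\s*>', re.I)
CORS = "header always set access-control-allow-"

def check(directives):
    """Findings for one block. A Require inherited from an outer section is not seen."""
    has = lambda prefix: any(d.startswith(prefix) for d in directives)
    rules = [
        (has("authtype") and not has("require "),
         "AuthType without Require: no credentials are requested"),
        (has("dav on") and not has("require "),
         "DAV without Require: write methods are unauthenticated"),
        (has("satisfy any") and has("allow from env="),
         "Satisfy any with Allow from env: a matching SetEnvIf skips authentication"),
        (has(CORS + 'origin "*"') and has(CORS + 'credentials "true"'),
         "wildcard CORS origin with credentials: browsers reject credentialed requests"),
    ]
    return [message for hit, message in rules if hit]

def audit(conf):
    """Return {location path: [findings]} for each <Location> block in conf."""
    blocks, path = {}, None
    for raw in conf.splitlines():
        line = " ".join(raw.split())  # trim and collapse whitespace
        match = OPEN.match(line)
        if match:
            path = match.group(1)
            blocks[path] = []
        elif line.lower().startswith("</location"):
            path = None
        elif path is not None and line and not line.startswith("#"):
            blocks[path].append(line.lower())
    return {p: check(d) for p, d in blocks.items()}
```

To check the deployed file, pass its contents to audit, for example audit(open("/etc/apache2/sites-available/keepass.conf").read()).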