This email was translated using machine translation. Please forgive us for any inaccuracies.
 

How to Create, Secure, and Share KeePass Password Vaults with Your Team

 

KeePass is the password application that Barry-Wehmiller has selected to ensure team member credentials are stored and managed safely and in alignment with industry best practices and BW’s IT Acceptable Use Policy.

KeePass can also be used as a shared credential vault for groups or teams that need to maintain secure access to critical credentials. This document will describe how to create, deploy and access shared KeePass credential vaults.

 

Step One – Create a new KeePass credential vault file

In KeePass, the ability to create a new credential database is built into the standard KeePass client. Within the client software, open the File menu and select “New.” You will see a prompt advising you of best practices for newly created password database files. Click “OK” on the dialogue.

Then, name the file and save it to your regular documents location.

 

The program will then prompt you to set a new master passphrase. It is important that the passphrase includes enough characters and complexity to push the estimated quality indicator bar into the green range as seen below. Re-enter the passphrase in the “Repeat password:” field. When the passwords match, you’ll be able to click “OK.”

 
 

Next, you will be presented with a dialog to set technical parameters of the new password vault. In the General tab, enter a database name and a description of the credentials that will be stored. You may also set a default username for new entries; this is not required and is rarely useful for shared databases. Some team members may open multiple password vaults at the same time. Setting a custom database background color can help identify when the desired password database is active.

 
 

The only other critical setting is in the “Security” tab. Please ensure that you click the option for “1 Second Delay” near the bottom of this dialogue. This ensures that the database is configured with additional cryptographic protection. Once this option is selected click “OK”.
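The “1 Second Delay” option sets the amount of key-stretching work so that turning the master passphrase into the encryption key takes about one second on this computer, which is also what every wrong guess against a copied file costs. The following is an added example, not KeePass's code and not part of the original instructions: it uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for KeePass's key derivation function, and the function names, sample passphrase and salt are assumptions made for illustration.

```python
import hashlib
import os
import time


def derive_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a passphrase into a 32-byte key (PBKDF2 as a stand-in KDF)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)


def calibrate_iterations(target_seconds: float = 1.0, probe: int = 20_000) -> int:
    """Return an iteration count that takes roughly target_seconds on this machine.

    Times one run with a fixed probe count, then scales linearly, because
    PBKDF2 cost is proportional to the iteration count.
    """
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_key("calibration-only", salt, probe)
    # Guard against a zero reading from a coarse timer.
    elapsed = max(time.perf_counter() - start, 1e-6)
    # Never return fewer iterations than the probe itself (a safety floor).
    return max(probe, int(probe * target_seconds / elapsed))


def guesses_per_day(seconds_per_guess: float, parallel_workers: int = 1) -> float:
    """How many master-passphrase guesses fit in one day at a given cost per guess."""
    return 86_400 / seconds_per_guess * parallel_workers


if __name__ == "__main__":
    iterations = calibrate_iterations(1.0)
    salt = os.urandom(16)  # constructed sample salt; stored with the file, not secret
    start = time.perf_counter()
    key = derive_key("constructed sample passphrase", salt, iterations)
    cost = time.perf_counter() - start
    print(f"iterations for ~1 s on this machine: {iterations}")
    print(f"measured unlock cost: {cost:.2f} s, key length: {len(key)} bytes")
    print(f"guesses/day at this cost, one worker: {guesses_per_day(cost):,.0f}")
    print(f"guesses/day at 1 ms per guess:        {guesses_per_day(0.001):,.0f}")
```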

 
 

The database creation process is now complete, and the file is saved to the location you’ve specified. The dialogue to create an emergency sheet will be displayed next. You should complete this sheet, writing down the passphrase exactly as it was entered and noting, as the backup location, the MS Teams or SharePoint site where the file will be stored in the next step.

 
 

Step Two – Upload the file to an MS Teams or SharePoint site for group access

 

Select a Microsoft Teams or SharePoint site that all team members who need access to the KeePass credential file can access. The security of the KeePass database is maintained in two ways:

  1. Access to the file location in Teams or SharePoint should be granted only to individuals intended to use the vault;
  2. The master password should be shared only with team members who require access.

If you need help verifying permissions for a Teams or SharePoint site, open a Kace ticket with the service desk by emailing itsupport@barry-wehmiller.com.

 

It’s recommended that you create a dedicated folder within the site’s document library specifically for a single group’s shared KeePass database file(s). Once the appropriate location is selected, upload the KeePass file by selecting Upload from the menu bar, choosing Files, selecting the file created earlier, and clicking Open.

The next step is to configure file syncing of this directory to your PC. The “Sync” menu may be visible in the menu bar at the top of the page, or it may be hidden in the “…” menu, depending on your screen resolution. Access the Sync menu as seen here.

 

Once complete you will receive a confirmation that looks like this: 

 

After a few seconds the directory will synchronize to your computer’s local storage drive, and you will be able to access it in the File Manager as seen here. 

 

To ensure that you will always have access to the shared KeePass credential database file, even if your computer is disconnected from the internet, set the file to “Always keep on this device” by right-clicking on the file name.

 

You will notice that the cloud status icon changes from a blue cloud to a solid green circle with a white check mark.

 

In other words, before selecting “Always keep on this device” - notice the status symbol is a small blue cloud. 

After setting the file to “Always keep on this device” - notice the status is a green circle with a white check. 

This means that the cloud hosted copy of the file is synchronized with a local copy held on your computer’s storage drive. If you are disconnected from a network with internet access, you’ll still have access to the file on this PC. 

 

Important Note - If you make any changes to credentials stored within the vault while you are offline, the next time you access KeePass you’ll be asked to synchronize your changes with the current version of the file, discard your file, or overwrite the existing file with your changes. When prompted with this dialogue, it is important to always choose to synchronize the credential database.

 

Step Three – Sharing the credential vault with other team members

Share these instructions with your team members.

With the credential database file created and stored in a shared location, you are now ready to notify the intended team that the credential database is available for them to use. They’ll need to know where the file is stored and what the master passphrase is to access the encrypted file. An easy method to share this location is to select the three-dot “More Actions” menu next to the name of the folder in MS Teams or SharePoint that was created earlier and choose the “Copy link” option from the pop-up menu.

With the link copied, you may send an email or Teams message to those team members who require access to the shared credential database. Each team member will need to click on the provided link and select the “Sync” option, which you, as the creator of the file, have already done.

Team members will need the master password to access and make changes to the shared KeePass database. This password should always be communicated separately from the file location. Sharing the passphrase verbally—such as during a Microsoft Teams meeting or by phone—is more secure than sending it by email or Teams chat, where it could be exposed in plain text.

 

Team members accessing the shared KeePass file should follow the same instructions in Step Two to set the file to Always keep on this device. They should also be reminded to always select Synchronize if prompted to discard, synchronize, or overwrite changes to the database.

 

For added convenience and security, team members are encouraged to store the master passphrases for shared KeePass databases in their individual KeePass vault. Creating a group for shared credentials is a recommended best practice, especially for those who access multiple shared databases.
