- Notifications
You must be signed in to change notification settings - Fork1.1k
Free cross-platform password manager compatible with KeePass
License
keeweb/keeweb
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
KeeWeb is a browser and desktop password manager which is capable of opening up existing KeePass database `kdbx` files, or creating new vaults to store your important credentials in.
KeeWeb is a password manager which supports managingkdbx
files created by other applications such as KeePass, KeePassXC, etc. You choose the platform you wish to run; as KeeWeb supports being installed and ran as either a Desktop application, or in your web-browser.
With support for Linux, Windows, and MacOS, we give you the tools to seamlessly manage your most important credentials across multiple applications and platforms.
Decide how you want to save your credential vault, KeeWeb supports saving your database as a local file, or you can store your password vault with some of the most popular cloud services such as Dropbox, Google Drive, and Microsoft OneDrive.
Review some of our most important links below to learn more about KeeWeb and who we are:
Topic | Links | Description |
---|---|---|
Apps | Web,Desktop | Try out our application |
Demos | Web,Beta | Test our stable and beta releases of Keeweb |
Services | Favicon Grabber | Services integrated within Keeweb |
Branches | docker/alpine-base,docker/keeweb | Important branches related to our project |
Timeline | Release Notes,TODO | See what we're planning |
On one page | Features,FAQ | Information about Keeweb development |
Website | keeweb.info | Visit our official website |
Social | kee_web | Check us out on our social media |
Donate | OpenCollective,GitHub | Help keep us going |
Want to self-host your copy of KeeWeb? Everything you need to host this app on your server is provided within the package. KeeWeb itself is a single HTML file combined with a service worker (optionally; for offline access).
You can download the latest distribution files fromgh-pages branch.
If you wish to host Keeweb within a Docker container, we provide pre-built images that you can pull into your environment. This section explains how to run Keeweb usingdocker run
, or by setting up adocker-compose.yml
file.
Note
For a full set of Docker instructions, visit ourdocker/keeweb readme
Use any of the following images in your📄 docker-compose.yml
orrun
command:
If you wish to usedocker run
; use the following command:
docker run -d --restart=unless-stopped -p 443:443 --name keeweb -v${PWD}/keeweb:/config ghcr.io/keeweb/keeweb:latest
For users wishing to usedocker compose
, create a newdocker-compose.yml
with the following:
services:keeweb:container_name:keewebimage:ghcr.io/keeweb/keeweb:latest# Github image# image: keeweb/keeweb:latest # Dockerhub imagerestart:unless-stoppedvolumes: -./keeweb:/configenvironment: -PUID=1000 -PGID=1000 -TZ=Etc/UTC
You can put this container behind Traefik if you want to use a reverse proxy and let Traefik handle the SSL certificate management.
Note
These steps areoptional.
If you do not use Traefik, you can skip this section of steps. This is only for users who wish to put this container behind Traefik.
If you do not wish to use Traefik, remember that if you make your Keeweb container public facing, you will need to utilize a service such ascertbot/lets encrypt to generate SSL certificates.
Our first step is to tell Traefik about our Keeweb container. We highly recommend you utilize a Traefikdynamic file, instead oflabels. Using a dynamic file allows for automatic refreshing without the need to restart Traefik when a change is made.
If you decide to uselabels instead of adynamic file, any changes you want to make to your labels will require a restart of Traefik.
We will be setting up the following:
- A
middleware
to re-direct http to https - A
route
to access Keeweb via http (optional) - A
route
to access Keeweb via https (secure) - A
service
to tell Traefik how to access your Keeweb container - A
resolver
so that Traefik can generate and apply a wildcard SSL certificate
To add Keeweb to Traefik, you will need to open yourdocker-compose.yml
and apply the following labels to your Keeweb container. Ensure you changedomain.lan
to your actual domain name.
services:keeweb:container_name:keewebimage:ghcr.io/keeweb/keeweb:latest# Github image# image: keeweb/keeweb:latest # Dockerhub imagerestart:unless-stoppedvolumes: -./keeweb:/configenvironment: -PUID=1000 -PGID=1000 -TZ=Etc/UTClabels:# General -traefik.enable=true# Router > http -traefik.http.routers.keeweb-http.rule=Host(`keeweb.localhost`) || Host(`keeweb.domain.lan`) -traefik.http.routers.keeweb-http.service=keeweb -traefik.http.routers.keeweb-http.entrypoints=http -traefik.http.routers.keeweb-http.middlewares=https-redirect@file# Router > https -traefik.http.routers.keeweb-https.rule=Host(`keeweb.localhost`) || Host(`keeweb.domain.lan`) -traefik.http.routers.keeweb-https.service=keeweb -traefik.http.routers.keeweb-https.entrypoints=https -traefik.http.routers.keeweb-https.tls=true -traefik.http.routers.keeweb-https.tls.certresolver=cloudflare -traefik.http.routers.keeweb-https.tls.domains[0].main=domain.lan -traefik.http.routers.keeweb-https.tls.domains[0].sans=*.domain.lan# Load Balancer -traefik.http.services.keeweb.loadbalancer.server.port=443 -traefik.http.services.keeweb.loadbalancer.server.scheme=https
After you've added the labels above, skip thedynamic.yml section and go straight to thestatic.yml section.
If you decide to not uselabels and want to use a dynamic file, you will first need to create your dynamic file. the Traefik dynamic file is usually nameddynamic.yml
. We need to add a newmiddleware
,router
, andservice
to our Traefik dynamic file so that it knows about our new Keeweb container and where it is.
http:middlewares:https-redirect:redirectScheme:scheme:"https"permanent:truerouters:keeweb-http:service:keewebrule:Host(`keeweb.localhost`) || Host(`keeweb.domain.lan`)entryPoints: -httpmiddlewares: -https-redirect@filekeeweb-https:service:keewebrule:Host(`keeweb.localhost`) || Host(`keeweb.domain.lan`)entryPoints: -httpstls:certResolver:cloudflaredomains: -main:"domain.lan"sans: -"*.domain.lan"services:keeweb:loadBalancer:servers: -url:"https://keeweb:443"
These entries will go in your Traefikstatic.yml
file. Any changes made to this file requires that you restart Traefik afterward.
Note
This step is only for users who opted to use thedynamic file method.
Users who opted to uselabels can skip to the sectioncertificatesResolvers
Ensure you add the following new section to yourstatic.yml
:
providers:docker:endpoint:"unix:///var/run/docker.sock"exposedByDefault:falsenetwork:traefikwatch:truefile:filename:"/etc/traefik/dynamic.yml"watch:true
The code above is what enables the use of adynamic file instead of labels. Change/etc/traefik/dynamic.yml
if you are placing your dynamic file in a different location. This path is relative to inside the container, not your host machine mounted volume path. Traefik keeps most files in the/etc/traefik/
folder.
After you add the above, open your Traefik'sdocker-compose.yml
file and mount a new volume so that Traefik knows where your new dynamic file is:
traefik:container_name:traefikimage:traefik:latestrestart:unless-stoppedvolumes: -/var/run/docker.sock:/var/run/docker.sock:ro -/etc/localtime:/etc/localtime:ro -./config/traefik.yml:/etc/traefik/traefik.yml:ro -./config/dynamic.yml:/etc/traefik/dynamic.yml:ro
You must ensure you add a new volume like shown above:
/config/dynamic.yml:/etc/traefik/dynamic.yml:ro
On your host machine, make sure you place thedynamic.yml
file in a sub-folder calledconfig, which should be inside the same folder where your Traefik'sdocker-compose.yml
file is. If you want to change this location, ensure you change the mounted volume path above.
After you have completed this, proceed to the sectioncertificatesResolvers.
Note
This step is required no matter which option you picked above, both fordynamic file setups, as well as people usinglabels.
Open your Traefikstatic.yml
file. We need to define thecertResolver
that we added above either in your dynamic file, or label. To define thecertResolver
, we will be adding a new section labeledcertificatesResolvers
. We are going to use Cloudflare in this example, you can use whatever from the list at:
certificatesResolvers:cloudflare:acme:email:youremail@address.comstorage:/cloudflare/acme.jsonkeyType:EC256preferredChain:'ISRG Root X1'dnsChallenge:provider:cloudflaredelayBeforeCheck:15resolvers: -"1.1.1.1:53" -"1.0.0.1:53"disablePropagationCheck:true
Once you pick the DNS / SSL provider you want to use from the code above, you need to see if that provider has any special environment variables that must be set. TheProviders Page lists all providers and also what env variables need set for each one.
In our example, since we are usingCloudflare fordnsChallenge
->provider
, we must set the following environment variables:
CF_API_EMAIL
CF_API_KEY
Create a.env
environment file in the same folder where your Traefikdocker-compose.yml
file is located, and add the following:
CF_API_EMAIL=yourcloudflare@email.comCF_API_KEY=Your-Cloudflare-API-Key
Save the.env
file and exit. For these environment variables to be detected by Traefik, you must give your Traefik container a restart. Until you restart Traefik, it will not be able to generate your new SSL certificates.
You can wait and restart in a moment after you finish editing thestatic.yml
file, as there are more items to add below.
Finally, inside the Traefikstatic.yml
, we need to make sure we have ourentryPoints
configured. Add the following to the Traefikstatic.yml
file only if youDON'T have entry points set yet:
entryPoints:http:address::80http:redirections:entryPoint:to:httpsscheme:httpshttps:address::443http3:{}http:tls:options:defaultcertResolver:cloudflaredomains: -main:domain.lansans: -'*.domain.lan'
If your website is behind Cloudflare's proxy service, you need to modify yourentryPoints
above so that you can automatically allow Cloudflare's IP addresses through. This means your entry points will look a bit different.
In the example below, we will addforwardedHeaders
->trustedIPs
and add all of Cloudflare's IPs to the list which are available here:
http:address::80forwardedHeaders:trustedIPs:&trustedIps -103.21.244.0/22 -103.22.200.0/22 -103.31.4.0/22 -104.16.0.0/13 -104.24.0.0/14 -108.162.192.0/18 -131.0.72.0/22 -141.101.64.0/18 -162.158.0.0/15 -172.64.0.0/13 -173.245.48.0/20 -188.114.96.0/20 -190.93.240.0/20 -197.234.240.0/22 -198.41.128.0/17 -2400:cb00::/32 -2606:4700::/32 -2803:f800::/32 -2405:b500::/32 -2405:8100::/32 -2a06:98c0::/29 -2c0f:f248::/32http:redirections:entryPoint:to:httpsscheme:httpshttps:address::443http3:{}forwardedHeaders:trustedIPs:*trustedIpshttp:tls:options:defaultcertResolver:cloudflaredomains: -main:domain.lansans: -'*.domain.lan'
Save the files and then give Traefik and your Keeweb containers a restart.
This section will not explain how to install and set upAuthentik. We are only going to cover adding Keeweb integration to Authentik.
Sign into the Authentik admin panel, go to the left-side navigation, selectApplications ->Providers. Then at the top of the new page, clickCreate.
For theprovider, selectProxy Provider
.
Add the following provider values:
- Name:
Keeweb ForwardAuth
- Authentication Flow:
default-source-authentication (Welcome to authentik!)
- Authorization Flow:
default-provider-authorization-implicit-consent (Authorize Application)
SelectForward Auth (single application):
- External Host:
https://keeweb.domain.lan
Once finished, clickCreate. Then on the left-side menu, selectApplications ->Applications. Then at the top of the new page, clickCreate.
Add the following parameters:
- Name:
Keeweb (Password Manager)
- Slug:
keeweb
- Group:
Security
- Provider:
Keeweb ForwardAuth
- Backchannel Providers:
None
- Policy Engine Mode:
any
Save, and then on the left-side menu, selectApplications ->Outposts:
Find yourOutpost and edit it.
MoveKeeweb (Password Manager)
to the right sideSelected Applications box.
If you followed ourTraefik guide above, you were shown how to add your Keeweb container to Traefik using either thedynamic file orlabels. Depending on which option you picked, follow that section's guide below.
- Forlabel users, go to the sectionLabels below.
- Fordynamic file users, go to the sectionDynamic File below.
Open your Keeweb'sdocker-compose.yml
and modify your labels to include Authentik as amiddleware by addingauthentik@file
to the labeltraefik.http.routers.keeweb-https.middlewares
. You should have something similar to the example below:
services:keeweb:container_name:keewebimage:ghcr.io/keeweb/keeweb:latest# Github image# image: keeweb/keeweb:latest # Dockerhub imagerestart:unless-stoppedvolumes: -./keeweb:/configenvironment: -PUID=1000 -PGID=1000 -TZ=Etc/UTClabels:# General -traefik.enable=true# Router > http -traefik.http.routers.keeweb-http.rule=Host(`keeweb.localhost`) || Host(`keeweb.domain.lan`) -traefik.http.routers.keeweb-http.service=keeweb -traefik.http.routers.keeweb-http.entrypoints=http -traefik.http.routers.keeweb-http.middlewares=https-redirect@file# Router > https -traefik.http.routers.keeweb-https.rule=Host(`keeweb.localhost`) || Host(`keeweb.domain.lan`) -traefik.http.routers.keeweb-https.service=keeweb -traefik.http.routers.keeweb-https.entrypoints=https -traefik.http.routers.keeweb-https.middlewares=authentik@file -traefik.http.routers.keeweb-https.tls=true -traefik.http.routers.keeweb-https.tls.certresolver=cloudflare -traefik.http.routers.keeweb-https.tls.domains[0].main=domain.lan -traefik.http.routers.keeweb-https.tls.domains[0].sans=*.domain.lan# Load Balancer -traefik.http.services.keeweb.loadbalancer.server.port=443 -traefik.http.services.keeweb.loadbalancer.server.scheme=https
If you opted to use thedynamic file, open your Traefik'sdynamic.yml
file and apply theauthentik@file
middleware to look something like the following:
keeweb-https:service:keewebrule:Host(`keeweb.localhost`) || Host(`keeweb.domain.lan`)entryPoints: -httpsmiddlewares: -authentik@filetls:certResolver:cloudflaredomains: -main:"domain.lan"sans: -"*.domain.lan"
After you've done everything above, give yourTraefik andAuthentik containers a restart. Once they come back up; you should be able to accesskeeweb.domain.lan
and be prompted now to authenticate with Authentik. Once you authenticate, you should be re-directed to your Keeweb home screen which asks you to load a vault file.
This section outlines that environment variables can be specified, and which volumes you can mount when the container is started.
The following env variables can be modified before spinning up this container:
Env Var | Default | Description |
---|---|---|
PUID | 1000 | User ID running the container |
PGID | 1000 | Group ID running the container |
TZ | Etc/UTC | Timezone |
PORT_HTTP | 80 | Defines the HTTP port to run on |
PORT_HTTPS | 443 | Defines the HTTPS port to run on |
The following volumes can be mounted with this container:
Volume | Description |
---|---|
./keeweb:/config | Path which stores Keeweb, nginx configs, and optional SSL certificate/keys |
By mounting the volume above, you should now have access to the following folders:
Folder | Description |
---|---|
📁 keys | Responsible for storing your ssl certificatecert.crt + keycert.key |
📁 log | All nginx / container logs |
📁 nginx | Containsnginx.conf ,resolver.conf ,ssl.conf ,site-confs |
📁 www | Folder which stores the Keeweb files, images, and plugins |
To configure Dropbox support on your self-hosted setupview our Wiki page.
Note
Keeweb v1.19.0+ requires a minimum of Node v20.9.0 LTS in order to build.If you require multiple versions of node, you can installnvm
# install nvmwget -qO- https://raw.githubusercontent.com/nvm-sh/nvm/v0.34.0/install.sh| bash# install node 20nvm install 20# switch to node 20nvm use 20
The easiest way to clone all KeeWeb repos is:
curl https://raw.githubusercontent.com/keeweb/keeweb/develop/dev-env.sh| bash -
KeeWeb can be built utilizing thegrunt commandline. Each platform has multiple commands you can use; pick one:
You may build KeeWeb forWindows
by executing ONE of the following two commands provided:
grunt dev-desktop-win32 --skip-sign
npm run dev-desktop-windows
You may build KeeWeb forLinux
by executing ONE of the following two commands provided:
grunt dev-desktop-linux --skip-sign
npm run dev-desktop-linux
You may build KeeWeb forMacOS
by executing ONE of the following two commands provided:
grunt dev-desktop-darwin --skip-sign
npm run dev-desktop-macos
Once the build is complete, all (html files will be indist/
folder. To build KeeWeb, utilize the following commands below.
To run the desktop (electron) app without building an installer, build the app withgrunt
and then launch KeeWeb with one of the following commands:
npm run devnpm run electron
To debug your build:
- run
npm run dev
- open
http://localhost:8085
Once built, the output files will be generated intmp
:
KeeWeb is not free to develop. It takes time, requires paid code signing certificates and domains.
You can help the project or say "thank you" with this button:
You can also sponsor the developer directlyon GitHub.
Please note: donation does not imply any type of service contract.
We are always looking for contributors. If you feel that you can provide something useful to Keeweb or our other projects, then we'd love to review your suggestion. Before submitting your contribution, please review the following resources:
Want to help but can't write code?
- Reviewactive questions by our community and answer the ones you know.
Want to help but can't write code?
- Reviewactive questions by our community and answer the ones you know.
- Helptranslating KeeWeb
About
Free cross-platform password manager compatible with KeePass