keeweb/keewebPublic

NotificationsYou must be signed in to change notification settings
Fork1.1k
Star12.5k

Free cross-platform password manager compatible with KeePass

License

View license

12.5k stars 1.1k forks Branches Tags Activity

Star

Notifications

You must be signed in to change notification settings

Branches Tags

Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 3,903 Commits
.github		.github
app		app
build		build
desktop		desktop
docs/img		docs/img
graphics		graphics
img		img
package		package
plugins		plugins
test		test
util		util
.all-contributorsrc		.all-contributorsrc
.babelrc		.babelrc
.editorconfig		.editorconfig
.eslintrc		.eslintrc
.gitignore		.gitignore
.nvmrc		.nvmrc
.prettierrc		.prettierrc
CONTRIBUTING.md		CONTRIBUTING.md
DEPS-LICENSE		DEPS-LICENSE
Gruntfile.js		Gruntfile.js
LICENSE		LICENSE
README.md		README.md
SECURITY.md		SECURITY.md
dev-env.sh		dev-env.sh
grunt.entrypoints.js		grunt.entrypoints.js
grunt.tasks.js		grunt.tasks.js
jsconfig.json		jsconfig.json
package-lock.json		package-lock.json
package.json		package.json
postcss.config.js		postcss.config.js
release-notes.md		release-notes.md
webpack.config.js		webpack.config.js

Repository files navigation

Password Manager

KeeWeb Password Manager🔑

KeeWeb is a browser and desktop password manager which is capable of opening up existing KeePass database `kdbx` files, or creating new vaults to store your important credentials in.

About

KeeWeb is a password manager which supports managingkdbx files created by other applications such as KeePass, KeePassXC, etc. You choose the platform you wish to run; as KeeWeb supports being installed and ran as either a Desktop application, or in your web-browser.

With support for Linux, Windows, and MacOS, we give you the tools to seamlessly manage your most important credentials across multiple applications and platforms.

Decide how you want to save your credential vault, KeeWeb supports saving your database as a local file, or you can store your password vault with some of the most popular cloud services such as Dropbox, Google Drive, and Microsoft OneDrive.

Quick Links

Review some of our most important links below to learn more about KeeWeb and who we are:

Topic	Links	Description
Apps	Web,Desktop	Try out our application
Demos	Web,Beta	Test our stable and beta releases of Keeweb
Services	Favicon Grabber	Services integrated within Keeweb
Branches	docker/alpine-base,docker/keeweb	Important branches related to our project
Timeline	Release Notes,TODO	See what we're planning
On one page	Features,FAQ	Information about Keeweb development
Website	keeweb.info	Visit our official website
Social	kee_web	Check us out on our social media
Donate	OpenCollective,GitHub	Help keep us going

Self-hosting

Want to self-host your copy of KeeWeb? Everything you need to host this app on your server is provided within the package. KeeWeb itself is a single HTML file combined with a service worker (optionally; for offline access).

You can download the latest distribution files fromgh-pages branch.

Docker

If you wish to host Keeweb within a Docker container, we provide pre-built images that you can pull into your environment. This section explains how to run Keeweb usingdocker run, or by setting up adocker-compose.yml file.

Note

For a full set of Docker instructions, visit ourdocker/keeweb readme

Images

Use any of the following images in your📄 docker-compose.yml orrun command:

Service	Version	Image Link
`Docker Hub`		`🔖 keeweb/keeweb:latest` `🔖 keeweb/keeweb:1.19.0` `🔖 keeweb/keeweb:1.19.0-amd64` `🔖 keeweb/keeweb:1.19.0-arm64` `🔖 keeweb/keeweb:development` `🔖 keeweb/keeweb:development-amd64` `🔖 keeweb/keeweb:development-arm64`
`Github`		`🔖 ghcr.io/keeweb/keeweb:latest` `🔖 ghcr.io/keeweb/keeweb:1.19.0` `🔖 ghcr.io/keeweb/keeweb:1.19.0-amd64` `🔖 ghcr.io/keeweb/keeweb:1.19.0-arm64` `🔖 ghcr.io/keeweb/keeweb:development` `🔖 ghcr.io/keeweb/keeweb:development-amd64` `🔖 ghcr.io/keeweb/keeweb:development-arm64`

Docker Run

If you wish to usedocker run; use the following command:

docker run -d --restart=unless-stopped -p 443:443 --name keeweb -v${PWD}/keeweb:/config ghcr.io/keeweb/keeweb:latest

Docker Compose

For users wishing to usedocker compose, create a newdocker-compose.yml with the following:

services:keeweb:container_name:keewebimage:ghcr.io/keeweb/keeweb:latest# Github image# image: keeweb/keeweb:latest               # Dockerhub imagerestart:unless-stoppedvolumes:            -./keeweb:/configenvironment:            -PUID=1000            -PGID=1000            -TZ=Etc/UTC

Traefik Integration

You can put this container behind Traefik if you want to use a reverse proxy and let Traefik handle the SSL certificate management.

Note

These steps areoptional.

If you do not use Traefik, you can skip this section of steps. This is only for users who wish to put this container behind Traefik.

If you do not wish to use Traefik, remember that if you make your Keeweb container public facing, you will need to utilize a service such ascertbot/lets encrypt to generate SSL certificates.

Our first step is to tell Traefik about our Keeweb container. We highly recommend you utilize a Traefikdynamic file, instead oflabels. Using a dynamic file allows for automatic refreshing without the need to restart Traefik when a change is made.

If you decide to uselabels instead of adynamic file, any changes you want to make to your labels will require a restart of Traefik.

We will be setting up the following:

Amiddleware to re-direct http to https
Aroute to access Keeweb via http (optional)
Aroute to access Keeweb via https (secure)
Aservice to tell Traefik how to access your Keeweb container
Aresolver so that Traefik can generate and apply a wildcard SSL certificate

Labels

To add Keeweb to Traefik, you will need to open yourdocker-compose.yml and apply the following labels to your Keeweb container. Ensure you changedomain.lan to your actual domain name.

services:keeweb:container_name:keewebimage:ghcr.io/keeweb/keeweb:latest# Github image# image: keeweb/keeweb:latest               # Dockerhub imagerestart:unless-stoppedvolumes:            -./keeweb:/configenvironment:            -PUID=1000            -PGID=1000            -TZ=Etc/UTClabels:#   General          -traefik.enable=true#   Router > http          -traefik.http.routers.keeweb-http.rule=Host(`keeweb.localhost`) || Host(`keeweb.domain.lan`)          -traefik.http.routers.keeweb-http.service=keeweb          -traefik.http.routers.keeweb-http.entrypoints=http          -traefik.http.routers.keeweb-http.middlewares=https-redirect@file#   Router > https          -traefik.http.routers.keeweb-https.rule=Host(`keeweb.localhost`) || Host(`keeweb.domain.lan`)          -traefik.http.routers.keeweb-https.service=keeweb          -traefik.http.routers.keeweb-https.entrypoints=https          -traefik.http.routers.keeweb-https.tls=true          -traefik.http.routers.keeweb-https.tls.certresolver=cloudflare          -traefik.http.routers.keeweb-https.tls.domains[0].main=domain.lan          -traefik.http.routers.keeweb-https.tls.domains[0].sans=*.domain.lan#   Load Balancer          -traefik.http.services.keeweb.loadbalancer.server.port=443          -traefik.http.services.keeweb.loadbalancer.server.scheme=https

After you've added the labels above, skip thedynamic.yml section and go straight to thestatic.yml section.

Dynamic.yml

If you decide to not uselabels and want to use a dynamic file, you will first need to create your dynamic file. the Traefik dynamic file is usually nameddynamic.yml. We need to add a newmiddleware,router, andservice to our Traefik dynamic file so that it knows about our new Keeweb container and where it is.

http:middlewares:https-redirect:redirectScheme:scheme:"https"permanent:truerouters:keeweb-http:service:keewebrule:Host(`keeweb.localhost`) || Host(`keeweb.domain.lan`)entryPoints:                -httpmiddlewares:                -https-redirect@filekeeweb-https:service:keewebrule:Host(`keeweb.localhost`) || Host(`keeweb.domain.lan`)entryPoints:                -httpstls:certResolver:cloudflaredomains:                    -main:"domain.lan"sans:                          -"*.domain.lan"services:keeweb:loadBalancer:servers:                    -url:"https://keeweb:443"

Static.yml

These entries will go in your Traefikstatic.yml file. Any changes made to this file requires that you restart Traefik afterward.

Providers

Note

This step is only for users who opted to use thedynamic file method.

Users who opted to uselabels can skip to the sectioncertificatesResolvers

Ensure you add the following new section to yourstatic.yml:

providers:docker:endpoint:"unix:///var/run/docker.sock"exposedByDefault:falsenetwork:traefikwatch:truefile:filename:"/etc/traefik/dynamic.yml"watch:true

The code above is what enables the use of adynamic file instead of labels. Change/etc/traefik/dynamic.yml if you are placing your dynamic file in a different location. This path is relative to inside the container, not your host machine mounted volume path. Traefik keeps most files in the/etc/traefik/ folder.

After you add the above, open your Traefik'sdocker-compose.yml file and mount a new volume so that Traefik knows where your new dynamic file is:

traefik:container_name:traefikimage:traefik:latestrestart:unless-stoppedvolumes:            -/var/run/docker.sock:/var/run/docker.sock:ro            -/etc/localtime:/etc/localtime:ro            -./config/traefik.yml:/etc/traefik/traefik.yml:ro            -./config/dynamic.yml:/etc/traefik/dynamic.yml:ro

You must ensure you add a new volume like shown above:

/config/dynamic.yml:/etc/traefik/dynamic.yml:ro

On your host machine, make sure you place thedynamic.yml file in a sub-folder calledconfig, which should be inside the same folder where your Traefik'sdocker-compose.yml file is. If you want to change this location, ensure you change the mounted volume path above.

After you have completed this, proceed to the sectioncertificatesResolvers.

certificatesResolvers

Note

This step is required no matter which option you picked above, both fordynamic file setups, as well as people usinglabels.

Open your Traefikstatic.yml file. We need to define thecertResolver that we added above either in your dynamic file, or label. To define thecertResolver, we will be adding a new section labeledcertificatesResolvers. We are going to use Cloudflare in this example, you can use whatever from the list at:

https://doc.traefik.io/traefik/https/acme/#providers

certificatesResolvers:cloudflare:acme:email:youremail@address.comstorage:/cloudflare/acme.jsonkeyType:EC256preferredChain:'ISRG Root X1'dnsChallenge:provider:cloudflaredelayBeforeCheck:15resolvers:                    -"1.1.1.1:53"                    -"1.0.0.1:53"disablePropagationCheck:true

Once you pick the DNS / SSL provider you want to use from the code above, you need to see if that provider has any special environment variables that must be set. TheProviders Page lists all providers and also what env variables need set for each one.

In our example, since we are usingCloudflare fordnsChallenge ->provider, we must set the following environment variables:

CF_API_EMAIL
CF_API_KEY

Create a.env environment file in the same folder where your Traefikdocker-compose.yml file is located, and add the following:

CF_API_EMAIL=yourcloudflare@email.comCF_API_KEY=Your-Cloudflare-API-Key

Save the.env file and exit. For these environment variables to be detected by Traefik, you must give your Traefik container a restart. Until you restart Traefik, it will not be able to generate your new SSL certificates.

You can wait and restart in a moment after you finish editing thestatic.yml file, as there are more items to add below.

entryPoints (Normal)

Finally, inside the Traefikstatic.yml, we need to make sure we have ourentryPoints configured. Add the following to the Traefikstatic.yml file only if youDON'T have entry points set yet:

entryPoints:http:address::80http:redirections:entryPoint:to:httpsscheme:httpshttps:address::443http3:{}http:tls:options:defaultcertResolver:cloudflaredomains:                    -main:domain.lansans:                          -'*.domain.lan'

entryPoints (Cloudflare)

If your website is behind Cloudflare's proxy service, you need to modify yourentryPoints above so that you can automatically allow Cloudflare's IP addresses through. This means your entry points will look a bit different.

In the example below, we will addforwardedHeaders ->trustedIPs and add all of Cloudflare's IPs to the list which are available here:

https://cloudflare.com/ips/

http:address::80forwardedHeaders:trustedIPs:&trustedIps                -103.21.244.0/22                -103.22.200.0/22                -103.31.4.0/22                -104.16.0.0/13                -104.24.0.0/14                -108.162.192.0/18                -131.0.72.0/22                -141.101.64.0/18                -162.158.0.0/15                -172.64.0.0/13                -173.245.48.0/20                -188.114.96.0/20                -190.93.240.0/20                -197.234.240.0/22                -198.41.128.0/17                -2400:cb00::/32                -2606:4700::/32                -2803:f800::/32                -2405:b500::/32                -2405:8100::/32                -2a06:98c0::/29                -2c0f:f248::/32http:redirections:entryPoint:to:httpsscheme:httpshttps:address::443http3:{}forwardedHeaders:trustedIPs:*trustedIpshttp:tls:options:defaultcertResolver:cloudflaredomains:                    -main:domain.lansans:                          -'*.domain.lan'

Save the files and then give Traefik and your Keeweb containers a restart.

Authentik Integration

This section will not explain how to install and set upAuthentik. We are only going to cover adding Keeweb integration to Authentik.

Sign into the Authentik admin panel, go to the left-side navigation, selectApplications ->Providers. Then at the top of the new page, clickCreate.

For theprovider, selectProxy Provider.

Add the following provider values:

Name:Keeweb ForwardAuth
Authentication Flow:default-source-authentication (Welcome to authentik!)
Authorization Flow:default-provider-authorization-implicit-consent (Authorize Application)

SelectForward Auth (single application):

External Host:https://keeweb.domain.lan

Once finished, clickCreate. Then on the left-side menu, selectApplications ->Applications. Then at the top of the new page, clickCreate.

Add the following parameters:

Name:Keeweb (Password Manager)
Slug:keeweb
Group:Security
Provider:Keeweb ForwardAuth
Backchannel Providers:None
Policy Engine Mode:any

Save, and then on the left-side menu, selectApplications ->Outposts:

Find yourOutpost and edit it.

MoveKeeweb (Password Manager) to the right sideSelected Applications box.

If you followed ourTraefik guide above, you were shown how to add your Keeweb container to Traefik using either thedynamic file orlabels. Depending on which option you picked, follow that section's guide below.

Forlabel users, go to the sectionLabels below.
Fordynamic file users, go to the sectionDynamic File below.

Labels

Open your Keeweb'sdocker-compose.yml and modify your labels to include Authentik as amiddleware by addingauthentik@file to the labeltraefik.http.routers.keeweb-https.middlewares. You should have something similar to the example below:

services:keeweb:container_name:keewebimage:ghcr.io/keeweb/keeweb:latest# Github image# image: keeweb/keeweb:latest               # Dockerhub imagerestart:unless-stoppedvolumes:            -./keeweb:/configenvironment:            -PUID=1000            -PGID=1000            -TZ=Etc/UTClabels:#   General          -traefik.enable=true#   Router > http          -traefik.http.routers.keeweb-http.rule=Host(`keeweb.localhost`) || Host(`keeweb.domain.lan`)          -traefik.http.routers.keeweb-http.service=keeweb          -traefik.http.routers.keeweb-http.entrypoints=http          -traefik.http.routers.keeweb-http.middlewares=https-redirect@file#   Router > https          -traefik.http.routers.keeweb-https.rule=Host(`keeweb.localhost`) || Host(`keeweb.domain.lan`)          -traefik.http.routers.keeweb-https.service=keeweb          -traefik.http.routers.keeweb-https.entrypoints=https          -traefik.http.routers.keeweb-https.middlewares=authentik@file          -traefik.http.routers.keeweb-https.tls=true          -traefik.http.routers.keeweb-https.tls.certresolver=cloudflare          -traefik.http.routers.keeweb-https.tls.domains[0].main=domain.lan          -traefik.http.routers.keeweb-https.tls.domains[0].sans=*.domain.lan#   Load Balancer          -traefik.http.services.keeweb.loadbalancer.server.port=443          -traefik.http.services.keeweb.loadbalancer.server.scheme=https

Dynamic.yml

If you opted to use thedynamic file, open your Traefik'sdynamic.yml file and apply theauthentik@file middleware to look something like the following:

keeweb-https:service:keewebrule:Host(`keeweb.localhost`) || Host(`keeweb.domain.lan`)entryPoints:                -httpsmiddlewares:                -authentik@filetls:certResolver:cloudflaredomains:                    -main:"domain.lan"sans:                          -"*.domain.lan"

After you've done everything above, give yourTraefik andAuthentik containers a restart. Once they come back up; you should be able to accesskeeweb.domain.lan and be prompted now to authenticate with Authentik. Once you authenticate, you should be re-directed to your Keeweb home screen which asks you to load a vault file.

Env & Volumes

This section outlines that environment variables can be specified, and which volumes you can mount when the container is started.

Env Variables

The following env variables can be modified before spinning up this container:

Env Var	Default	Description
`PUID`	1000	_{User ID running the container}
`PGID`	1000	_{Group ID running the container}
`TZ`	Etc/UTC	_Timezone
`PORT_HTTP`	80	_{Defines the HTTP port to run on}
`PORT_HTTPS`	443	_{Defines the HTTPS port to run on}

Volumes

The following volumes can be mounted with this container:

Volume	Description
`./keeweb:/config`	_{Path which stores Keeweb, nginx configs, and optional SSL certificate/keys}

By mounting the volume above, you should now have access to the following folders:

Folder	Description
`📁 keys`	_{Responsible for storing your ssl certificatecert.crt + keycert.key}
`📁 log`	_{All nginx / container logs}
`📁 nginx`	_{Containsnginx.conf,resolver.conf,ssl.conf,site-confs}
`📁 www`	_{Folder which stores the Keeweb files, images, and plugins}

Dropbox Support

To configure Dropbox support on your self-hosted setupview our Wiki page.

Build From Source

Note

Keeweb v1.19.0+ requires a minimum of Node v20.9.0 LTS in order to build.If you require multiple versions of node, you can installnvm

# install nvmwget -qO- https://raw.githubusercontent.com/nvm-sh/nvm/v0.34.0/install.sh| bash# install node 20nvm install 20# switch to node 20nvm use 20

The easiest way to clone all KeeWeb repos is:

curl https://raw.githubusercontent.com/keeweb/keeweb/develop/dev-env.sh| bash -

KeeWeb can be built utilizing thegrunt commandline. Each platform has multiple commands you can use; pick one:

Platform: Windows

You may build KeeWeb forWindows by executing ONE of the following two commands provided:

Using Grunt

grunt dev-desktop-win32 --skip-sign

Using NPM

npm run dev-desktop-windows

Platform: Linux

You may build KeeWeb forLinux by executing ONE of the following two commands provided:

Using Grunt

grunt dev-desktop-linux --skip-sign

Using NPM

npm run dev-desktop-linux

Platform: MacOS

You may build KeeWeb forMacOS by executing ONE of the following two commands provided:

Using Grunt

grunt dev-desktop-darwin --skip-sign

Using NPM

npm run dev-desktop-macos

Once the build is complete, all (html files will be indist/ folder. To build KeeWeb, utilize the following commands below.

To run the desktop (electron) app without building an installer, build the app withgrunt and then launch KeeWeb with one of the following commands:

npm run devnpm run electron

To debug your build:

runnpm run dev
openhttp://localhost:8085

Once built, the output files will be generated intmp:

Donations

KeeWeb is not free to develop. It takes time, requires paid code signing certificates and domains.
You can help the project or say "thank you" with this button:

You can also sponsor the developer directlyon GitHub.

Please note: donation does not imply any type of service contract.

Contributors ✨

We are always looking for contributors. If you feel that you can provide something useful to Keeweb or our other projects, then we'd love to review your suggestion. Before submitting your contribution, please review the following resources:

Want to help but can't write code?