Kee should offer to only use some databases

Hi there
I love Kee(Fox), but I have an awful lot of databases open, most of them are for company-wide infrastructure and quite often also match in Kee because they use the same domain name of course. However I’d only want to use two of those databases for Kee, the rest should be ignored. Since the other DBs are shared among multiple people, it’s not practical to mark each and every entry as ignored by Kee on a per-entry basis, instead I’d love to see some configuration in Kee to whitelist the databases used inside Firefox.
What do you think?

1 Like

Yeah I can see how that would be useful in some situations. It’s probably a relatively unusual situation to be in though so I’d probably not prioritise work on this personally in the medium term.

If anyone else is interested, I’d suggest using the root Group UUID to identify the database in Kee and offering the option to work in “normal”, “white” or “black” list mode. If not in “normal” mode, display a transient notification popup the first few times a new database UUID is seen by Kee - clicking on it can then take the user to the relevant sections of the add-on options to allow configuring the behaviour.

Just in case you can safely disable Kee for all users of all personally unwanted databases, you could use a workaround now: Create a new top-level group called something like “this group disables Kee”, keep it empty and then set that as the Kee Home/start group.

1 Like
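The list-mode idea suggested in the post above, sketched as an added example; this is not code from Kee or KeePassRPC. The class name, the mode names `allow`/`deny` (standing in for "white"/"black"), the limit of 3 notifications and the sample UUIDs are all assumptions made for illustration.

```javascript
// Hypothetical sketch, not Kee/KeePassRPC code. All names are illustrative.
const NOTIFY_LIMIT = 3; // assumed meaning of "the first few times"

class DatabaseFilter {
  // mode: "normal" (use every database), "allow" (only listed), "deny" (all but listed)
  constructor(mode, listedUuids = []) {
    if (!["normal", "allow", "deny"].includes(mode)) {
      throw new Error(`unknown mode: ${mode}`);
    }
    this.mode = mode;
    this.listed = new Set(listedUuids.map(DatabaseFilter.normalise));
    this.seenCount = new Map(); // unlisted UUID -> times encountered
  }

  // Compare UUIDs as lower-case hex, ignoring dashes and braces.
  static normalise(uuid) {
    return String(uuid).replace(/[^0-9a-f]/gi, "").toLowerCase();
  }

  // Decide what to do with one open database, identified by its root group UUID.
  evaluate(rootGroupUuid) {
    if (this.mode === "normal") return { use: true, notify: false };
    const id = DatabaseFilter.normalise(rootGroupUuid);
    const isListed = this.listed.has(id);
    // In allow mode an unknown database is ignored by default; in deny mode it is used.
    const use = this.mode === "allow" ? isListed : !isListed;
    let notify = false;
    if (!isListed) {
      const n = (this.seenCount.get(id) || 0) + 1;
      this.seenCount.set(id, n);
      notify = n <= NOTIFY_LIMIT; // prompt the user only a few times
    }
    return { use, notify };
  }
}

// Split the open databases into those to search and those to prompt about.
function selectDatabases(filter, openDatabases) {
  const used = [], prompts = [];
  for (const db of openDatabases) {
    const { use, notify } = filter.evaluate(db.rootGroupUuid);
    if (use) used.push(db.name);
    if (notify) prompts.push(db.name);
  }
  return { used, prompts };
}

// Constructed sample data: names and UUIDs are made up.
const SAMPLE_OPEN = [
  { name: "personal", rootGroupUuid: "0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9" },
  { name: "infra-shared", rootGroupUuid: "ffeeddccbbaa99887766554433221100" },
];
```

A copied database file keeps its root group UUID, so a filter like this distinguishes database lineages rather than individual files.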

Thank you, I had the same problem with disabling unwanted databases, which is a huge inconvenience since we’re trying to put our db management on another level.

I set up Kee via KeePass -> KeePassRPC and stumbled upon a problem that if I use two or more KeePass databases and only want to give Kee access to one of them then I cannot find how to set those access rights.
What I tried with no success:

  • Set Kee advanced settings in browser “When opening or logging in to KeePass, use this database file”
  • KeePass -> KeePassRPC options - seems to be program specific and cannot specify database specific options.
  • KeePass File -> Database settings -> Kee - did not find anything relatable to give/deny db access.
  • KeePass Group -> Edit group -> Kee - did not find option to control access. Maybe the Location manager does something but I doubt it.

Another thing I noticed is that if KeePass is not in single instance mode (Options->Advanced->“Limit to single instance” is unchecked) then Kee sees only one instance, no matter which window is minimized or last active. That actually is a kind of dirty fix for my problem but then I have to remember to open KeePass databases in a specific order to have the right one accessible in Kee and this is dangerously error prone.

Is there something I’m overlooking or is it currently not possible to set database level access rights?

In my case a good solution would be to have no rights to any database by default and have a setting to give each database an access right. Also using multiple instances to work but I think this might be tricky as then KeePassRPC should have different TCP listen ports and that already sounds messy.

A simpler, almost as good solution would be a setting in browser Kee options like the “When opening or logging in to KeePass, use this database file” but with an “Only” option. So when some other database is opened in KeePass then Kee is in OFF state and only goes ON when the specific database file is open.

I could also use different KeePass installs where one has KeePassRPC plugin and other does not but that also is too error prone to accidentally open wrong database on wrong instance.

TLDR: Need to give Kee access to only a specific KeePass database but Kee has access to whatever database is currently open in KeePass, including ones that should not be opened or modified by plugins.

You’re correct that you can’t set per-database restrictions in this way. KeePassRPC has no way to differentiate between ones you want it to access and ones that you don’t.

Multiple KeePass instances is one possible approach but as you say, it can very quickly get so confusing that it causes more problems than it solves. Instead, I’d suggest just creating an empty group in the database you don’t want Kee to see; set that as the Kee Home group and you’ve essentially hidden all other contents within that database from Kee.

Thanks for input, additional group method is almost ok but this still puts uncomfortable liability to me not to generate temporary passwords or just by accident add something into wrong database and explain other people what weird new folder has appeared.
I have tried some workflows and for now the best method is with multiple instances - with two completely different KeePass installations (portable folders), where most settings and plugins are same except KeePassRPC plugin is only added for second one.
For the second install I also put a different application icon so it’s foolproof to open the correct KeePass that has browser integration. The original KeePass (without KeePassRPC plugin) works in parallel without problems so far, can open multiple databases or multiple instances with multiple databases like before.
File association also works correctly, opening only with non-RPC KeePass as expected. KeePass settings are of course now separated into two but I’m not sure this is even a bad thing. All in all my original problems are solved and the system works better than I first anticipated.

Due to security reasons, I would prefer KeePass/KeePassRPC to have a list of database names, which are available for search/modification, rather than having to enter a name in a relatively volatile browser addon.
Another possibility would be a KeePass database property which enables or disables the specific database being searched or modified.
Would any of the above be possible?

There have been a few similar requests in the intervening years so here’s a quick update on the situation. Setting the “Kee home group” to an empty group is in most respects a reasonable workaround for the time being.

There’s no such thing as a unique ID for a database so any configuration on that basis could be manipulated or behave in unexpected ways (e.g. opening it from a subtly different file path).

A reliable approach would be to store some configuration inside the database that KeePassRPC looks for to determine whether to access the database (technically we would probably implement this as a setting on the group rather than the database). That would mean that one would be forced to disable/ignore the database at all times in all locations that Kee is used so it’s a rather blunt instrument but would serve some use cases. I’m not intending to implement such a feature myself when there is such a simple workaround but would accept a PR as long as the author will work with me to ensure the result is sufficiently compatible with older and newer versions of KeePassRPC, Kee and Kee Vault.

For situations where the desire is for a given database to be available to some instances of Kee but not others (e.g. a work profile vs home profile) see my earlier post in this topic.