KeePassRPC connection overview

In order to transfer passwords to and from KeePass, Kee needs you to install and configure a KeePass plugin called KeePassRPC. This plugin can communicate with other applications (not just Kee) provided that you allow it. This document is an overview of the behaviour of the KeePassRPC plugin. If you want the technical detail, see KeePassRPC technical detail instead.

When first installing KeePassRPC you will find two corresponding dialogs on your system asking for a one-time password to secure the new connection, one from your web browser and one from KeePass. Put the password from the KeePass dialog into the web browser dialog, click OK and wait a few seconds while the password is verified.

By default you will have to enter a new password once per year to protect against certain types of attack, but this setting is configurable in the KeePassRPC options. The password authorisation dialog is there to protect you, so do read the information displayed carefully, especially if the dialog appears unexpectedly.

Screenshot of Connection security KeePassRPC options dialog

Protocol overview

When a KeePassRPC client (such as Kee) tries to connect to the KeePassRPC server, the two exchange a series of messages. These messages allow both the client and the server to be certain that they are communicating with each other (rather than with a malicious attacker), and they create a shared encryption key which the client and server can use to encrypt the contents of the messages being passed between them.

If it is the first time that the client and server have connected to each other, the user is asked to enter a server-generated password into the client.

The shared encryption key is normally stored for a reasonable length of time but when its expiry date is reached, a further password will be required.

Once the encryption key has been created, KeePassRPC uses it to protect the contents of messages that are sent using a format called JSON-RPC.
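The sketch below is an added illustration of the ideas in this overview (an expiring stored key, each side proving it holds that key, and encrypted JSON-RPC messages); it is not code from KeePassRPC or Kee and does not reproduce their wire protocol. The algorithms (HMAC-SHA-256, AES-256-GCM), the function names and the "exampleMethod" call are assumptions chosen for the example.

```javascript
// Added illustration, NOT KeePassRPC's wire protocol: the algorithms and every
// name in this file are assumptions chosen for the example.
const crypto = require("node:crypto");

// A stored key is usable only before its expiry; otherwise a new password is needed.
function needsPassword(stored, now) {
  return !stored || now >= stored.expiresAt;
}

// Proof that `role` holds `key`, bound to fresh nonces from both sides so an
// old proof cannot be replayed and a client proof cannot pass as a server proof.
function proof(key, role, clientNonce, serverNonce) {
  return crypto.createHmac("sha256", key)
    .update(role).update(clientNonce).update(serverNonce).digest();
}

function verifyProof(key, role, clientNonce, serverNonce, received) {
  const expected = proof(key, role, clientNonce, serverNonce);
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Encrypt a JSON-RPC object; the GCM tag makes tampering detectable.
function seal(key, rpc) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([c.update(JSON.stringify(rpc), "utf8"), c.final()]);
  return { iv, body, tag: c.getAuthTag() };
}

function unseal(key, msg) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, msg.iv);
  d.setAuthTag(msg.tag);
  const plain = Buffer.concat([d.update(msg.body), d.final()]); // throws if forged
  return JSON.parse(plain.toString("utf8"));
}

// Constructed reconnect: both sides already hold the same unexpired key.
function demo() {
  const key = crypto.randomBytes(32);
  const stored = { key, expiresAt: Date.parse("2030-01-01T00:00:00Z") };
  if (needsPassword(stored, Date.parse("2029-06-01T00:00:00Z"))) return null;
  const cN = crypto.randomBytes(16), sN = crypto.randomBytes(16);
  const clientOk = verifyProof(key, "client", cN, sN, proof(key, "client", cN, sN));
  const serverOk = verifyProof(key, "server", cN, sN, proof(key, "server", cN, sN));
  const wrongKey = verifyProof(crypto.randomBytes(32), "server", cN, sN,
    proof(key, "server", cN, sN));
  const rpc = { jsonrpc: "2.0", method: "exampleMethod", params: [], id: 1 };
  return { clientOk, serverOk, wrongKey, echoed: unseal(key, seal(key, rpc)) };
}
```

If either proof fails, or the stored key has expired, the connection falls back to the password dialog described above instead of continuing.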

If anything goes wrong with the connection, you might find yourself being asked to enter a new password very frequently. This keeps your passwords secure but will no doubt get annoying, so please review the troubleshooting guide if this affects you.