docs/set_up_admin_tails.rst reads
but there is no File menu in KeePassX 2.0.3 as installed in Tails 3.0 by default.




I could not find a way to do this. In fact, I'm concerned this capability may not exist in KeePassX 2. I found https://dev.keepassx.org/issues/57, suggesting they only implemented export to XML, which is consistent with the options presented in the GUI. I think what we might need to do is:
.kdbx database: ship a .kdbx and then immediately change the password. The one problem with this is that it means including a binary which must be imported and parsed by software, including on the admin workstation. If this needs to be done this way, it's definitely a good case for commit signing.
Filed an issue in keepassx. Maybe we're missing something ... https://dev.keepassx.org/issues/617
After exploring some more it looks like KeePassX 2.0+ is not generally backward compatible with previous versions, except for importing existing binary databases. Although the code itself contains an XML reader/parser, there does not seem to be any way to use it, not even to export in XML. Browsing the logs and issue activity over the past years suggest this is not going to be implemented in the near future.
Short term what you suggest @fowlslegs seems to be the only sane option.
Going forward it looks like the sane move is to switch to an equivalent software that is actively maintained.
Suggested that Tails 3.0 keeps an old version of KeePassX for conversion purposes (not a blocker though): https://labs.riseup.net/code/issues/12802
It may be a good time to re-evaluate our use of KeePassX since it's looking increasingly like this will be a minor project any way we swing it. I have two proposals to that regard.
Some months ago, we had a meeting where we discussed the numerous credentials we force admins and journalists to memorize. The result of this meeting was, IIRC, a fairly unanimous team conclusion that we should eliminate the need to memorize all passwords except for Tails USB decryption.
The two main security ideas behind this conclusion are (i) that physical access should be beyond our threat model and (ii) that if malware can extract the KeePassX database and ATHS values, it can sniff keystrokes as well (see https://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html). Our thinking was strongly motivated by a desire to improve user experience, to realistically threat model, and to avoid falling into the trap of security theater.
The first part of this is to address #1068, that our database template is in need of some renaming and reorganization. I think as part of this, it would be useful to create a separate template for journalists and admins. There are a few things I want to get done before EOD today, but I should be able to propose a couple template schemas tomorrow, and hopefully get some feedback.
My vote goes to ditching the password by recommending an empty string. Doing so would reduce the number of passwords Journalists are expected to memorize, and hopefully increase the utility of the password manager in general, which jives well with #1068.
Going to hold off on any work towards resolving this until we can agree on a solution as a team at the engineering meeting tomorrow.
Stated succinctly, the problem we're dealing with now is: "We don't have a plaintext format for keepass database that's compatible with Tails 3." Is there a CLI approach for converting the XML into a kdbx? If so, we can drop the associated logic into ./securedrop-admin tailsconfig and sidestep the frustrating clicky-clicky.
> Is there a CLI approach for converting the XML into a kdbx?
Not that I'm aware of. It is my understanding that KeePassX is only usable via the GUI.
It's really unfortunate that KeePassX apparently does not support CSV or XML import (just did a bit of testing and it supports CSV export but you cannot then import the file 😥).
It looks like there are a couple of projects trying to create a command line interface for KeePassX, e.g. kpcli and python-keepass, but that means installing additional software.
Given that the template we are providing is currently an obsolete format for KeePassX, for 0.4 we should replace the XML format and ship a template in the current KeePassX database format (.kdbx). We should also add to the documentation the fields that are in the KeePassX database in case users prefer to manually create the database themselves.
> It looks like there are a couple of projects trying to create a command line interface for KeePassX, e.g. kpcli and python-keepass, but that means installing additional software.
The software would not have to be installed persistently since this should only need to be done once. We could add another subcommand to securedrop-admin, populate-keepassx, that installs kpcli, which is available for install via the default Tails sources, and then sets up the database for the user.
I hear you, we _could_ do that, but I think a sufficient and simple solution here is to ship a template in the correct format for the software - I'll regenerate a template (and fix #1068 while I'm here) and add a screenshot in the docs in case someone does not want to use the template.
Handled in #1919, closing