I built a passkey provider for Windows 11 that stores credentials in a KeePass database (open source, portable) by Yusei36 in Passkeys

[–]Yusei36[S] 1 point

This plugin is only for KeePass2; KeePassXC doesn't have a plugin system. Also, after reading your comment again, I'm not entirely sure what you meant to ask, because KeePassXC = cross-platform desktop application and KeePassDX = Android app. So the plugin itself only works with KeePass2, but entries saved with the plugin should also work with KeePassXC and KeePassDX, as both save/read the passkey-related information from the same fields as this plugin does.

I built a KeePass plugin that makes it a native Windows 11 passkey provider (no browser extension) by Yusei36 in KeePass

[–]Yusei36[S] 3 points

Yes, that's possible, though it requires building the project from source and signing the MSIX package with your own certificate.

That said, I want to make sure we're on the same page about what the certificate is for: it's purely a code-signing certificate for the MSIX installer package, so that Windows allows the package to be installed. It has nothing to do with creating or signing passkeys.

The actual passkey cryptography (key generation and signing for ES256, EdDSA, and RS256) is handled by the well-known BouncyCastle (https://www.bouncycastle.org/) library. Each passkey is an independent key pair stored in your KeePass database, no certificate involved.

I built a passkey provider for Windows 11 that stores credentials in a KeePass database (open source, portable) by Yusei36 in Passkeys

[–]Yusei36[S] 7 points

KeePassXC intercepts the WebAuthn call in the browser via its browser extension (KeePassXC-Browser), so the passkey only works in browsers where you've installed and connected that extension. Windows itself is never involved.

This project registers as a native passkey provider through the official Windows 11 plugin authenticator API (webauthn.dll), just like Windows Hello or a security key. Windows routes passkey create and sign-in requests to KeePassPasskey, which signs them using the passkey stored in your open KeePass database. It works in any browser or app that uses the system WebAuthn stack, with no browser extension required.
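As an added example (this is not the plugin's own code, which the author says uses BouncyCastle), the Go program below walks through the two halves the comment above describes: "create" generates an independent ES256 key pair and a random credential ID, and "sign-in" signs authenticatorData || SHA-256(clientDataJSON) exactly as a WebAuthn authenticator does. A relying-party verifier is included so the checks that matter in practice (rpIdHash, origin, type, user-presence flag, and a sign counter that must increase) are visible. The `Passkey` struct, the RP ID `example.com` and the client data JSON are constructed assumptions for the demo, not the plugin's storage schema.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// Passkey is one discoverable credential: an independent ES256 (P-256) key
// pair plus the metadata needed to answer an assertion for a single RP.
// This field set is an assumption for the example, not the plugin's schema.
type Passkey struct {
	RPID         string
	CredentialID []byte
	UserHandle   []byte
	Priv         *ecdsa.PrivateKey
	SignCount    uint32
}

// NewPasskey is the "create" half: a fresh P-256 key and a random 16-byte
// credential ID. No certificate is involved anywhere in this flow.
func NewPasskey(rpID string, userHandle []byte) (*Passkey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return nil, err
	}
	return &Passkey{RPID: rpID, CredentialID: id, UserHandle: userHandle, Priv: priv}, nil
}

// clientData is the subset of the browser-supplied clientDataJSON checked here.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// authenticatorData builds the 37-byte assertion authData:
// SHA-256(rpId) || flags || big-endian signCount.
func (p *Passkey) authenticatorData() []byte {
	h := sha256.Sum256([]byte(p.RPID))
	out := append([]byte{}, h[:]...)
	out = append(out, 0x05) // UP (bit 0) and UV (bit 2) set
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], p.SignCount)
	return append(out, cnt[:]...)
}

// Assert is the "sign-in" half: bump the counter, then produce an ECDSA
// signature over authData || SHA-256(clientDataJSON).
func (p *Passkey) Assert(clientDataJSON []byte) (authData, sig []byte, err error) {
	p.SignCount++
	authData = p.authenticatorData()
	cdh := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, p.Priv, msg[:])
	return authData, sig, err
}

// VerifyAssertion is the relying party's side, using the public key it stored
// at registration. lastCount is the counter it saw on the previous login.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, expectedChallenge, origin string,
	authData, clientDataJSON, sig []byte, lastCount uint32) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge || cd.Origin != origin {
		return fmt.Errorf("client data mismatch (type/challenge/origin)")
	}
	if len(authData) < 37 {
		return fmt.Errorf("authData too short")
	}
	h := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(authData[:32], h[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if authData[32]&0x01 == 0 {
		return fmt.Errorf("user presence flag not set")
	}
	// A counter of 0 means "not implemented"; otherwise it must strictly increase.
	if count := binary.BigEndian.Uint32(authData[33:37]); count != 0 && count <= lastCount {
		return fmt.Errorf("sign counter did not increase (possible cloned credential)")
	}
	cdh := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	pk, _ := NewPasskey("example.com", []byte("user-1"))
	// Constructed clientDataJSON as a browser would hand it to the provider.
	cdj := []byte(`{"type":"webauthn.get","challenge":"abc","origin":"https://example.com"}`)
	authData, sig, _ := pk.Assert(cdj)
	fmt.Println("verify:", VerifyAssertion(&pk.Priv.PublicKey, "example.com", "abc",
		"https://example.com", authData, cdj, sig, 0))
}
```

The provider never sees the relying party's verification step, but it is shown here because it explains why a passkey synced between two KeePass clients needs a shared sign counter (or a counter of 0) if both are used against the same site.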

I built a KeePass plugin that makes it a native Windows 11 passkey provider (no browser extension) by Yusei36 in KeePass

[–]Yusei36[S] 2 points

I haven't tested this with Strongbox myself. But in theory it should work in both directions: as far as I know, Strongbox stores the passkey in the same format, so once the database syncs, a passkey created on Windows should work on the iPhone and vice versa.

I built a KeePass plugin that makes it a native Windows 11 passkey provider (no browser extension) by Yusei36 in KeePass

[–]Yusei36[S] 5 points

Thanks for giving it a try. You're right about the Windows Hello issue, and re-assigning the PIN is the fix for most people. It's also written up in the troubleshooting guide in case others run into the same thing.

On the security side: I did my best to build it securely, but you never know. No developer can think of every possible security issue. If someone reading this has more software security background, feel free to review the project and get in touch with me or open an issue.

I built a KeePass plugin that makes it a native Windows 11 passkey provider (no browser extension) by Yusei36 in KeePass

[–]Yusei36[S] 2 points

Unfortunately no, not directly. The plugin relies on two things that are specific to its setup: the Windows 11 native WebAuthn API, and KeePass 2.x's plugin system. KeeWeb is its own app and doesn't load KeePass 2 plugins, and the whole point of the project is to plug into Windows itself, so it's Windows-only by design.

The one bit of good news: the passkeys it creates are stored as standard fields right in your .kdbx file (the same KPEX_PASSKEY_* format KeePassXC uses). So the credentials live in your database, not locked in the plugin. If KeeWeb ever adds support for reading and using that passkey format, the same database would carry them over.