Home Page
Posts > Installing KeePassXC & a Flatpak sandboxed browser
Search:

Since I have been moving my primary workstation to Linux, I have been in need of finding a new password manager after Roboform failed me. I decided to try out KeePassXC but was having trouble since my Ungoogled Chromium browser was sandboxed in Flatpak. The instructions for this on Unix Stack Exchange were no longer working so I had to dig into it myself.


The 2 primary problems were that:
1) The browsers’ sandboxes did not have the QT libs.
2) The interprocess communication pipe socket had been renamed from kpxc_server to org.keepassxc.KeePassXC.BrowserServer.


The following are the instructions to get KeePassXC running in Flatpak versions of both Chrome and Firefox. This was tested on Linux Mint 21.3 with both Ungoogled Chromium and Firefox. You will need to change the KP_FLATPAK_PACKAGE if you use other versions of Chrome.


  1. Run the relevant below environment variables in your command shell before running the commands in the following steps:
    #Shared environment variables:
    KP_CUSTOM=/home/$USER/keepass-browser
    KP_JSON_NAME=org.keepassxc.keepassxc_browser.json
    
    #Chrome environment variables:
    KP_FLATPAK_PACKAGE=io.github.ungoogled_software.ungoogled_chromium
    KP_JSON_START=~/.config/chromium/NativeMessagingHosts
    KP_JSON_END=~/.var/app/$KP_FLATPAK_PACKAGE/config/chromium/NativeMessagingHosts
    
    #Firefox environment variables:
    KP_FLATPAK_PACKAGE=org.mozilla.firefox
    KP_JSON_START=~/.mozilla/native-messaging-hosts
    KP_JSON_END=~/.var/app/$KP_FLATPAK_PACKAGE/.mozilla/native-messaging-hosts
    		
  2. Install and enable the browser extension:
    KeePassXD > Tools > Settings > Browser Integration:
    • Check “Enable Browser Integration”
    • Check “Chromium” and/or “Firefox”
    • Download the plugin listed on this screen in your browser
    • Click "OK"
    Note: This creates $KP_JSON_START/$KP_JSON_NAME

  3. Set up the needed files in the sandbox:
    #Put KeePass proxy and needed library files in user directory
    mkdir -p $KP_CUSTOM/lib
    mkdir -p $KP_JSON_END #Needed for firefox
    cp /usr/bin/keepassxc-proxy $KP_CUSTOM/
    rsync -a /usr/lib/x86_64-linux-gnu/libicudata* /usr/lib/x86_64-linux-gnu/libicuuc* /usr/lib/x86_64-linux-gnu/libicui* /usr/lib/x86_64-linux-gnu/libdouble* /usr/lib/x86_64-linux-gnu/libsodium* /usr/lib/x86_64-linux-gnu/libQt5* $KP_CUSTOM/lib
    
    #Copy the JSON file to the Flatpak app directory and change the executable path in the file
    cp $KP_JSON_START/$KP_JSON_NAME $KP_JSON_END/
    sed -i "s/\/usr\/bin\//"$(echo $KP_CUSTOM | sed 's_/_\\/_g')"\//" $KP_JSON_END/$KP_JSON_NAME
    		
  4. Add permissions to the Flatpak:
    flatpak override --user --filesystem=$KP_CUSTOM:ro $KP_FLATPAK_PACKAGE #Only required if home directory is not shared to the Flatpak
    flatpak override --user --filesystem=xdg-run/org.keepassxc.KeePassXC.BrowserServer:ro $KP_FLATPAK_PACKAGE
    flatpak override --user --env=LD_LIBRARY_PATH=$(flatpak info --show-permissions $KP_FLATPAK_PACKAGE | grep -oP '(?<=LD_LIBRARY_PATH=).*')";$KP_CUSTOM/lib" $KP_FLATPAK_PACKAGE
    		

Comments
To add comments, please go to the forum page for this post (guest comments are allowed for the Projects, Posts, and Updates Forums).
Comments are owned by the user who posted them. We accept no responsibility for the contents of these comments.

Re: Installing KeePassXC with a Flatpak sandboxed browser on 10/07/24 3:22am by Rauru
Hello Dakusan!
I have installed Firefox as a flatpak and KeepassXC as a regular .deb package. I followed your instructions to set it up but it looks like it's still not working.
Maybe I'm missing additional steps here? Could it be possible I need to change something on KeepassXC's side for the browser integration? Like a custom proxy location or custom browser config location?
Rauru
Re: Installing KeePassXC with a Flatpak sandboxed browser on 10/08/24 2:15am by Dakusan
It's impossible to say without going through a lot of complex debugging steps with you, unfortunately. It's a very complex process with little fiddly bits. If you can find any error messages it would help.