Windows Home Server — Part 15: Replacing Paid Password Managers (1Password, Bitwarden Premium)

Commercial password managers like 1Password and Dashlane charge recurring subscription fees to store your credentials. Furthermore, storing your encrypted database on their cloud servers introduces security risks. If their databases are breached, your master key is the only barrier protecting your passwords.

We can build a zero-cost, highly secure password manager system using KeePassXC combined with our local OwnCloud (OCIS) WebDAV server. This setup encrypts your database using AES-256 or ChaCha20 locally on your devices before it is ever sent to the network.

---

1. How Local Encryption + WebDAV Sync Works

This setup splits storage from cryptography:

[KeePassXC Desktop]                 [Strongbox iOS / KeePass2Android]
         │                                         │
  (Local Decrypt)                           (Local Decrypt)
         │                                         │
         ▼                                         ▼
   [passwords.kdbx] ──(WebDAV Sync over HTTPS)──> [OCIS Server]

1. You create an encrypted database file (passwords.kdbx) using your master password.
2. The .kdbx file is synced over HTTPS to your home server's WebDAV endpoint.
3. Your mobile and desktop clients download the file and decrypt it locally. Your master password is never sent to the network.

---

2. Desktop Setup (KeePassXC)

KeePassXC is an open-source, lightweight cross-platform password manager.

Step 1: Install KeePassXC

Install it via winget:

winget install --id KeePassXC.KeePassXC -e --accept-source-agreements --accept-package-agreements

Step 2: Create a Database

1. Launch KeePassXC and click Create new database.
2. Set a database name and choose your encryption settings (AES-256 or ChaCha20 with Argon2d key derivation for maximum security).
3. Set a strong Master Password (at least 16 characters).
4. Save the .kdbx file inside your local ownCloud folder (e.g. C:\Users\Username\ownCloud\passwords.kdbx). It will sync automatically to the home server.

---

3. Mobile Configuration (iOS & Android)

To access and edit your passwords on the go, use mobile clients that sync over WebDAV.

3.1 On Android (KeePass2Android)

1. Install KeePass2Android from the Google Play Store.
2. Open the app and select Open File → HTTP (WebDAV).
3. Enter your WebDAV URL: https://cloud.yourdomain.com/remote.php/dav/files/YOUR_USERNAME/passwords.kdbx
4. Enter your ownCloud username and password.
5. Enter your database Master Password to open your vault.

3.2 On iOS (Strongbox or KeePassium)

1. Install Strongbox (or KeePassium) from the App Store.
2. Click Add Database → WebDAV.
3. Enter the WebDAV URL: https://cloud.yourdomain.com/remote.php/dav/files/YOUR_USERNAME/passwords.kdbx
4. Enter your credentials to sync and download the database, then unlock it with your master password.

---

4. Browser Integration (Auto-Fill)

1. Install the KeePassXC-Browser extension on Chrome, Firefox, or Brave.
2. Open the KeePassXC desktop application.
3. Go to Tools → Settings → Browser Integration → check Enable KeePassXC browser integration.
4. Open your browser, click the KeePassXC extension icon, and click Connect. It will sync with your local application, allowing you to auto-fill login forms securely.

5. Automated Backups

Because your .kdbx database resides inside your ownCloud folder on the home server, it is backed up daily by the database and file backup script we wrote in Part 10. The backup script copies the file to your offsite Cloudflare R2 storage, ensuring you can never lose access to your vault if your laptop drive fails.

---

In the next part, we will replace paid cron scheduling tools.

Proceed to Part 16: Replacing Paid Cron & Event Schedulers (Cronitor, AWS EventBridge) →