I would like to use Nextcloud to provide access to my KeePass database, and I am looking for the best approach to this use case in terms of security. The external KeePass apps (Android, Windows, Linux desktops) should “remember” the access credentials so that I do not have to type them again and again…
So far, the alternatives seem to be:
- Setting up an “application password” within NC is certainly useful, but still, if the password is compromised, the attacker has access to my complete Nextcloud until I revoke the password.
- Create a new user only for the “keepass” app and share the kdbx file from my personal NC to this user. This seems a bit clumsy, though, since the number of special-purpose users would grow with each external app with limited access…

Is there any other way to provide WebDAV access only to a particular file, with read/write permission, to external apps?
EDIT: ad point 2) this does not really work. At least KeePass (Windows) first saves keepass.dbkx.tmp, then removes the original keepass.dbkx and eventually renames keepass.dbkx.tmp to keepass.dbkx. The second step (deletion) effectively disables the sharing link from the original user. So, the only option would be to keep the keepass.dbkx completely separate in another user profile of NC.
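
An added illustration (not part of the original post, and not Nextcloud or KeePass code): a small Python model of the save sequence described in the EDIT, under the assumption that a share is bound to the file's internal id rather than to its path. `Store`, `save_transactional`, `save_in_place` and `demo` are hypothetical names, and the share name is constructed.

```python
import itertools

class Store:
    """Constructed model of a file store whose shares point at file ids, not paths."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.paths = {}    # path -> file id
        self.data = {}     # file id -> content
        self.shares = {}   # share name -> file id

    def put(self, path, content):
        # Overwriting an existing path keeps its file id; a new path gets a new id.
        fid = self.paths.get(path)
        if fid is None:
            fid = next(self._ids)
            self.paths[path] = fid
        self.data[fid] = content

    def delete(self, path):
        fid = self.paths.pop(path)
        del self.data[fid]
        # Assumption: deleting a file drops every share that referenced its id.
        self.shares = {n: f for n, f in self.shares.items() if f != fid}

    def move(self, src, dst):
        # A rename keeps the id of the source file (here: the .tmp file's id).
        self.paths[dst] = self.paths.pop(src)

    def share(self, name, path):
        self.shares[name] = self.paths[path]

    def read_share(self, name):
        fid = self.shares.get(name)
        return None if fid is None else self.data[fid]

def save_transactional(store, path, content):
    """The three-step save from the post: write .tmp, delete original, rename."""
    store.put(path + ".tmp", content)
    store.delete(path)
    store.move(path + ".tmp", path)

def save_in_place(store, path, content):
    """A single overwrite of the existing path."""
    store.put(path, content)

def demo(save):
    s = Store()
    s.put("keepass.dbkx", b"v1")
    s.share("to-keepass-user", "keepass.dbkx")   # constructed share name
    save(s, "keepass.dbkx", b"v2")
    # (what the share recipient sees, whether the owner still has the file)
    return s.read_share("to-keepass-user"), "keepass.dbkx" in s.paths
```

In this model the owner still has a file at the same path after either save, but only the in-place overwrite leaves the share pointing at it.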