Extracting Google Authenticator accounts for use with the KeePass TOTP plugin

If you want to use an existing Google Authenticator account with KeePass, extracting the base32 seed required by KeePass' TOTP plugin can be quite involved.

So for posterity, I've documented the process here (I am using a company-provided iPhone and an Ubuntu Linux VM, but I think the process will be quite similar for Android phones and other Linux distributions).

If you have any questions, feel free to leave a comment!

Open the Google Authenticator app on your phone

Select “export” from the hamburger menu

Uncheck all accounts and re-check the one you want exported (make sure you don't accidentally delete the original account on your phone :))

Save the generated QR code (jpg or png) to your photos or wherever and copy it to your Linux machine (I used Telegram's very handy "Saved Messages" feature for this)

Install the "zbar-tools" package using apt or apt-get

Clone this git repository:

git clone https://github.com/scito/extract_otp_secret_keys

Change to the newly created directory:

cd extract_otp_secret_keys

Extract the information from the QR code image (using test.jpg as an example):

zbarimg test.jpg > test.txt

Edit test.txt and remove the leading "QR-Code:" string that zbarimg puts in front of the decoded otpauth-migration URI

Use pip to install the packages protobuf and qrcode:

pip install protobuf==3.20.1 qrcode # use this version as later versions won't work as of this writing

Extract the keys:

python3 extract_otp_secret_keys.py -p test.txt

Use the string labelled "Secret" as the "base32" TOTP secret in KeePass 2

That's it! From now on, you should be able to generate TOTP tokens even if you just dropped your mobile into the toilet (it happens :))
