P2P & CRDT

[alensiljak]

I know you guys are not great fans of network access in a password manager but perhaps that part could be resolved with a separate tool, for those who find it useful.
I've recently started using AnyType. The product is still defining itself, so to speak. It started as a Personal Knowledge Management tool (i.e. this used to simply be called Notes until then) but added p2p connectivity and also object-based synchronization using CRDTs. These all sound new and (perhaps) fancy but AnyType is the first (free) product where I see that this technology really works. And works well.
Having that experience of always-available, quick to synchronize with peers (other instances on other devices), and seamless merging of changes, I can't help to think how convenient it would be to have the same technology available for most of the important stuff - password managers, contacts, calendar, etc.
With p2p, only the signaling servers need to be available, if synchronizing via Internet. The traffic is encrypted and goes directly from one instance to another (with all the hops in between but assuming they only see the encrypted load). On a LAN, the synchronization is practically instantaneous. The subjective feeling is pretty amazing after years of cloud sync attempts or manual file copying.
With CRDTs, one gets object synchronization and practically no conflicts. KeePass already stores the entries in such a way that they are records and the whole history of changes is stored. No data is ever lost (although, with KeePass I manage to lose records every now and then, all due to synchronization, I guess).
I've been having lots of conflicts when synchronizing kbdx databases. I'm considering using a cloud-based solution but that has other issues - it is too dependent on the server, despite all the assurances of the opposite being the case.
Has anyone thought of a similar solution for synchronizing KeePass databases - using p2p between devices and perhaps CRDTs for conflict resolution, in addition?

[droidmonkey]

This would be impossible without a new standard apart from kdbx. The FIDO alliance is working the standard for sharing passkeys between devices. Having encryption in transit is not enough. You need to include authorization/access control on either end as well. KDBX does this by writing encrypted data to file directly.

[alensiljak]

Here I'm thinking mostly about synchronizing one's own database, hence no issues with authorization. Some synchronizer would establish a connection using a key, and would synchronize the contents of the kdbx database, as provided by KeePass. Library like Automerge would take care of the merging. KeePass database is easily exposed as JSON. Or something along those lines. The thing could evolve from there based on real-world experience.

Passkeys are, unfortunately, still used mainly for MFA, which I find a bit paradoxical. But better than nothing.

[droidmonkey]

synchronizing one's own database, hence no issues with authorization

Makes no difference. Think adversarial attack. Anyone or thing can be on the other side of that sync. Authorization (or in our case symmetric key decryption) is absolutely a concern.

[alensiljak]

Absolutely. But I would hope this has been resolved. Secure-channel key exchange, i.e. via a QR code, known-device list, etc.
Syncthing had a way of introducing and approving a new device. Bitwarden also has a device list, for approving login on a new device. This is not new.
Should be safer with self-hosted signaling server. But even without, the peers have public keys of known devices and are doing the authentication. I'm probably missing why that would be an issue. I mean, assuming we have accepted the public network sync in the first place.