Make your keepass more secure using the not very-well known KeePass enforced configuration file.
KeePass is a great tool to store your passwords securely for personnal use.
On the other hand its popularity leads to a risk since there are many ways to attack Keepass. Furthermore the large number of features increases the potential attack surface.
So the goal is to limit some features you don't need and to activate all security mechanisms that are not activated by default.
To do this we will use the enforced configuration file, which is an official KeePass feature.
In order to further secure your installation, please remember to apply the following recommendations:
- Download KeePass from its official website only and check the integrity of the downloaded file.
- If you are using the portable version, secure your KeePass installation directory so that only your user account can write to it (to protect the integrity of your configuration file).
- Increase the number of iterations of the derivation key used to encrypt your database (default is 60000). You can use the "1 Second Delay" button to set a value automatically.
- Lock your database when not in use.
- Secure your database with a key file in addition to the master password. Note that the key file should not be stored in the same location as your database.
- Consider using version 1.x, which has fewer features but is also more secure by design. See edition comparison.
Check out KeePwn, a python tool to automate KeePass discovery and secret extraction : https://github.com/Orange-Cyberdefense/KeePwn.
You can just copy the KeePass.config.enforced.xml file to the root of the KeePass installation directory. Settings will be applied at the next Keepass launch.
You can use the KeePass_Secure_Auto_Install.ps1 file to fully install and configure KeePass automatically !
If you don't want to, just copy the KeePass.config.enforced.xml file to the root of the KeePass installation directory.
What the script does:
- Download the latest version of KeePass from its official website
- Checks the integrity of the file by comparing its hash
- Copy the enforced configuration file
- Alter permissions on the KeePass installation folder (remove all ACLs except the current user)
- ConfigFile : Optional - path to the KeePass.config.enforced.xml (Default : .\KeePass.config.enforced.xml)
- EnforceACL : Optional - secure KeePass installation directory using ACLs (Default : False)
Default : .\KeePass_Secure_Auto_Install.ps1
Custom : .\KeePass_Secure_Auto_Install.ps1 -ConfigFile "C:\path\to\file.xml" -EnforceACL $True
From official documentation :
The format of an enforced configuration file is basically the same as the format of a regular configuration file. An enforced configuration file must be stored in the KeePass application directory (which contains KeePass.exe). Its name depends on the KeePass edition:
- KeePass 1.x: KeePass.enforced.ini.
- KeePass 2.x: KeePass.config.enforced.xml.
Here is an example file, which embeds most of the important security mechanisms, and disables dangerous features :
<?xml version="1.0" encoding="utf-8"?>
<Configuration xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!-- Ref https://keepass.info/help/kb/config_enf.html -->
<Application>
<!-- Disable triggers -->
<TriggerSystem>
<Enabled>false</Enabled>
<Triggers MergeContentMode="Replace" />
</TriggerSystem>
<!-- Disable automatic update -->
<Start>
<CheckForUpdate>false</CheckForUpdate>
<CheckForUpdateConfigured>true</CheckForUpdateConfigured>
</Start>
</Application>
<!-- Specifying UI Element States : https://keepass.info/help/v2_dev/customize.html#uiflags -->
<UI>
<!-- Disable 'Help' → 'Check for Updates' menu item. -->
<UIFlags>32</UIFlags>
</UI>
<Security>
<!-- Edit Policy -->
<Policy>
<ChangeMasterKeyNoKey>false</ChangeMasterKeyNoKey>
<PrintNoKey>false</PrintNoKey>
<EditTriggers>false</EditTriggers>
<Plugins>false</Plugins>
<Export>false</Export>
<ExportNoKey>false</ExportNoKey>
<Import>false</Import>
<Print>false</Print>
<CopyWholeEntries>false</CopyWholeEntries>
<DragDrop>false</DragDrop>
<UnhidePasswords>false</UnhidePasswords>
</Policy>
<!-- Enforce automatic locking -->
<WorkspaceLocking>
<LockOnSessionSwitch>true</LockOnSessionSwitch>
<LockOnSuspend>true</LockOnSuspend>
<LockAfterTime>600</LockAfterTime>
<LockAfterGlobalTime>3600</LockAfterGlobalTime>
<LockOnRemoteControlChange>true</LockOnRemoteControlChange>
</WorkspaceLocking>
<!-- Master password requirements -->
<MasterPassword>
<MinimumLength>16</MinimumLength>
<MinimumQuality>80</MinimumQuality>
</MasterPassword>
<!-- Enable Secure Desktop (ref https://keepass.info/help/kb/sec_desk.html) -->
<MasterKeyOnSecureDesktop>true</MasterKeyOnSecureDesktop>
<!-- Clear clipboard after x sec -->
<ClipboardClearAfterSeconds>10</ClipboardClearAfterSeconds>
<!-- Protect Keepass process with DACL - Use with caution - -->
<ProtectProcessWithDacl>true</ProtectProcessWithDacl>
<!-- Prevent Screen Capture - Use with caution - -->
<PreventScreenCapture>true</PreventScreenCapture>
</Security>P
<!-- Replace default password generator -->
<PasswordGenerator>
<AutoGeneratedPasswordsProfile>
<GeneratorType>CharSet</GeneratorType>
<Length>12</Length>
<CharSetRanges>ULDS______</CharSetRanges>
<ExcludeLookAlike>true</ExcludeLookAlike>
<NoRepeatingCharacters>true</NoRepeatingCharacters>
</AutoGeneratedPasswordsProfile>
</PasswordGenerator>
<!-- Enforce Proxy configuration -->
<Integration>
<ProxyType>System</ProxyType>
<ProxyAuthType>Auto</ProxyAuthType>
</Integration>
</Configuration>- As you can see the settings are now enforced :
- KeePass process is now protected from dumping and alteration :
- Plugins and others specified settings are now disallowed :
The settings are poorly documented, but if you want to play around, there is a way :
In order to create an enforced configuration file, we recommend the following procedure:
- Download the portable ZIP package of KeePass and unpack it. Run KeePass, configure everything as you wish, and exit it.
- Rename the configuration file to the enforced configuration file name.
- Open the enforced configuration file with a text editor and delete all settings that you do not want to enforce.
Note that not all parameters are accessible from the UI
- Official KeePass Website : https://keepass.info
- Enforced configuration official documentation : https://keepass.info/help/kb/config_enf.html
- Customization official documentation : https://keepass.info/help/v2_dev/customize.html
- A case study in Attacking KeePass (@HarmJ0y) : https://blog.harmj0y.net/redteaming/keethief-a-case-study-in-attacking-keepass-part-2/
- Another case study in Attacking Keepass (@HarmJ0y) : https://www.slideshare.net/harmj0y/a-case-study-in-attacking-keepass
- KeePwn : https://github.com/Orange-Cyberdefense/KeePwn
- Webinar "Attaquer et durcir KeePass" (Hamza Kondah) : https://www.linkedin.com/events/7098643529362468864
Am I protected from keyloggers using this configuration ?
- Yes and no. Most currently available keyloggers work only on normal desktops; they do not capture keypresses on secure desktops. So, if you enable the MasterKeyOnSecureDesktop setting, the master key is protected against most keyloggers.
Is my keepass database protected from an attacker who has access to my machine?
- Definitely not. There are multiple ways to recover passwords in memory, or by abusing certain features. Note that if the attacker has write access to your configuration file, he can simply modify or delete it.
Is there a better password manager for personal use ?
- Everyone will have their own opinion on this. What I can say is that Keepass is a very good free and open source password manager. The product has been affected by very few CVEs over the past ten years. None of them were critical.
- Add a reference table of parameters with their role and recommended values.
- Add mapping between known attacks and associated mitigations.