KeePass supports multiple locations for storing configuration information: the global configuration file in the KeePass application directory, a local user-dependent one in the user's private configuration folder, and an enforced configuration file in the KeePass application directory. The first one is called global, because everyone using this KeePass installation will write to the same configuration file (and possibly overwrite settings of other users). The second one is called local, because changes made to this configuration file only affect the current user.
KeePass 1.x only: Configuration files are stored in INI format.
KeePass 2.x only: Configuration files are stored in XML format.
On 32-bit systems, the name of the program files folder is 'Program Files' instead of 'Program Files (x86)'.
Installation by Administrator, Usage by User
If you use the KeePass installer and install the program with administrator rights, the program directory will be write-protected when working as a normal/limited user. KeePass will use local configuration files, i.e. save and load the configuration from a file in your user directory.
Multiple users can use the locally installed KeePass. Configuration settings will not be shared and can be configured individually by each user.
If you downloaded the portable version of KeePass (ZIP package), KeePass will try to store its configuration in the application directory. No configuration settings will be stored in the user directory (if the global configuration file is writable).
Create Portable Version of Installed KeePass
If you are currently using a locally installed version of KeePass (installed by the KeePass installer) and want to create a portable version of it, first copy all files of KeePass to the portable device. Then get the configuration file from your user directory (application data, see above) and copy it over the configuration file on the portable device.
For Network Administrators: Enforced Configuration
KeePass can be forced to load specific configuration settings. Enforced configuration
settings are loaded from
Configuration items that are not present in the enforced configuration file are loaded normally from global/local configuration files.
UI disabled. KeePass 2.x disables most user interface items that are enforced. This can be seen in the screenshot for the example above: the enforced settings are drawn using gray text and clicking on them has no effect.
Security. Users must not have write access to the enforced configuration file (otherwise they could modify it, e.g. using a text editor).
Furthermore, this method is only effective as long as your users run the KeePass installation on the network drive. If they copy KeePass to their hard drives and run it from there, the options you set are not enforced (the local KeePass installation doesn't know anything about the enforced configuration file on the network drive in this case).
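One way to check the write-access requirement above on a Windows share or installation directory, as an added example that is not part of the KeePass documentation. The `$Path` parameter is a placeholder for your enforced configuration file, and the list of trusted SIDs and the helper name `Get-WriteFinding` are assumptions of this example.

```powershell
# Added example: report principals that can modify or replace an enforced
# configuration file. Not KeePass code; names below are illustrative.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # placeholder: full path of your enforced configuration file
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$fsr     = [System.Security.AccessControl.FileSystemRights]

# Assumption: only these well-known principals may hold write access.
$trusted = @(
    'S-1-5-18',        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow changing, deleting or re-permissioning the object, plus the
# raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$mask = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
              $fsr::DeleteSubdirectoriesAndFiles -bor $fsr::ChangePermissions -bor
              $fsr::TakeOwnership) -bor 0x50000000

function Get-WriteFinding([string]$Target) {
    $acl   = Get-Acl -LiteralPath $Target
    $owner = $acl.GetOwner($sidType).Value
    # The owner can always rewrite the DACL, so an untrusted owner is a finding.
    if ($trusted -notcontains $owner) {
        [pscustomobject]@{ Target = $Target; Sid = $owner; Issue = 'untrusted owner' }
    }
    # Explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $risky = [int]$ace.FileSystemRights -band $mask
        if ($ace.AccessControlType -eq 'Allow' -and $risky -ne 0 -and
            $trusted -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{ Target = $Target; Sid = $ace.IdentityReference.Value
                               Issue  = "allow $($ace.FileSystemRights)" }
        }
    }
}

# Check the file and its parent directory: write access to the directory is
# enough to delete and re-create the file.
$file     = (Resolve-Path -LiteralPath $Path).ProviderPath
$findings = @($file, (Split-Path -Parent $file)) | ForEach-Object { Get-WriteFinding $_ }
$findings | Format-Table -AutoSize
if ($findings) { exit 1 } else { Write-Output 'No write access for untrusted principals.' }
```

The check is conservative: it reports every allow entry for a principal outside `$trusted` and does not evaluate deny entries or share-level permissions, so add your own administrative groups to `$trusted` before using the exit code in automation.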
KeePass 2.x only: All data nodes (leaf nodes) are optional, however preceding non-leaf nodes with the same tag name in parent nodes of data leaves that you want to enforce are mandatory. For example, to enforce hiding user names and passwords using asterisks by default, the enforced configuration file would look like the following:
<?xml version="1.0" encoding="utf-8"?>
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
	<MainWindow>
		<EntryListColumnCollection>
			<Column />
			<Column>
				<Type>UserName</Type>
				<HideWithAsterisks>true</HideWithAsterisks>
			</Column>
			<Column>
				<Type>Password</Type>
				<HideWithAsterisks>true</HideWithAsterisks>
			</Column>
		</EntryListColumnCollection>
	</MainWindow>
</Configuration>
In this example, the empty
This section explains in detail how loading and saving the configuration works.
When KeePass starts up and finds both global and local configuration files, it must
decide the order in which KeePass tries to get the configuration items.
This is controlled by the
The flag is set to true in the global configuration file of the KeePass installer package. The portable ZIP package does not contain a configuration file, consequently the flag defaults to false.
KeePass 1.x only: Loading:
KeePass 2.x only: Loading: