| Composite Master Key
This document details how KeePass locks its databases.
|
KeePass stores your passwords securely in an encrypted file (database).
This database is locked with a master password, a key file and/or the
current Windows account details. To open a database, all key sources
(password, key file, ...) are required. Together, these key sources form the
Composite Master Key.
KeePass does not support keys being used alternatively, i.e. it's not possible
that you can open your database using a password or a key file. Either use
a password, a key file, or both at once (both required), but not interchangeably.
Master
Passwords
If you use a master password, you only have to remember one password or
passphrase (which should be good!). KeePass has some basic protection
against brute-force and dictionary attacks, read the security information page
for more about this.
If you forget this master password,
all your other passwords in the database are lost, too.
There isn't any backdoor or a key which can open all databases. There
is no way of recovering your passwords.
Key
Files
You don't even have to remember a long,
complicated master passphrase. The database can alternatively be
locked using a key file.
If you lose the key file and have no
backup copy of it, your
passwords in the database are lost, too. It's just the same as forgetting
the master password. There is no backdoor.
KeePass 1.x Only
A 'key disk' is just a normal disk which holds a file (called 'pwsafe.key')
with password bytes (KeePass can generate
such disks for you). If you want, you can also select the key file (which
is stored on the key disk) manually, i.e. one disk can then store multiple
keys for multiple databases. In this case, you have to tell KeePass which file
it should use, you cannot simply select a drive any more (when you
just select a drive, KeePass assumes that it should load the 'pwsafe.key'
file in the root directory of the disk).
Windows
User Account
KeePass 1.x Only
KeePass 1.x does not support encrypting databases using Windows user account
credentials. Only 2.x and higher support this.
KeePass 2.x Only
KeePass can make the database dependent on the current Windows user
account. If you enable this option, you can only open the database when
you are logged in as the same Windows user when creating the database.
You can still change the password of the Windows user account freely.
This does not affect the KeePass database.
Be very careful with using this option. If your network breaks and all user
accounts are lost, you won't be able to open your KeePass database any more
either. Also, when using this option at home and your computer breaks, it is not
enough to just create a new Windows account on the new installation with the
same name and password;
you need to copy the complete account (i.e. SID, ...). This is not
a simple task, so if you don't know how to do this, it is highly recommended
that you don't enable this option.
If you decide to use this option, it is highly recommended not to rely
on it exclusively, but to additionally use one of the other two options (password
or key file).
Protection using user accounts is unsupported on Windows 98 / ME.
For
Administrators: Specifying Minimum Length/Quality of
Master Passwords
KeePass 1.x Only
Administrators might want to specify a minimum length
and/or the minimum estimated quality that master passwords must have. You
can tell KeePass ≥ 1.11 to check these two minimum requirements by adding
appropriate key/value pairs to the
INI configuration file.
The value of the KeeMasterPasswordMinLength key can contain
the minimum master password length in characters. For example, by specifying
KeeMasterPasswordMinLength=10, KeePass will only accept
master passwords that have at least 10 characters.
The value of the KeeMasterPasswordMinQuality key can contain
the minimum estimated quality that master passwords must have. For example,
by specifying KeeMasterPasswordMinQuality=64, only master passwords
with an estimated quality of at least 64 bits will be accepted.
KeePass 2.x Only
KeePass 2.x does not support specifying minimum master password requirements yet.
|