KeePass 1.24 and 2.20 Header Authentication
Problem and solutions when upgrading to KeePass 1.24 and 2.20.
KeePass 1.24 and 2.20 introduced authentication of header data
in KDB and KDBX database files. This is a security improvement for the
file formats to prevent silent data removal/corruption attacks.
The feature has been designed and implemented in a forward-compatible
way for both formats. KeePass 1.23 and 2.19 can still open KDB and KDBX
files created by KeePass 1.24 and 2.20.
Obviously, KeePass 1.23 and 2.19 do not know anything about the header
authentication yet and thus do not detect tampered headers; the
newer KeePass versions are required for this.
However, some KeePass ports (like KeePassBB2 2.0.1527) check compatibility incorrectly
or perform non-standard validations, resulting in the inability to open
KDB and KDBX files created by KeePass 1.24 and 2.20.
These ports must be updated in order to be able to open the newer
Until all KeePass ports have been updated, there are three solutions:
Continue using KeePass 1.23 and 2.19.
KeePass 1.23 and 2.19 are the last versions that do not save files in the
newer format yet.
If you already upgraded to KeePass ≥ 1.24 or ≥ 2.20 and want to
downgrade now, you can find the older KeePass builds in the
KeePass Downloads Archive.
After downgrading the application, open your KDB/KDBX file
(possible due to the forward compatibility mentioned above) and save it.
The saved file can then be opened using the port again.
KeeOldFormatExport plugin for KeePass ≥ 2.20.
The KeeOldFormatExport plugin
adds support for exporting to old KeePass file formats
(KDB 1.23 and KDBX 2.19).
The export process can be automated.
For details, please see the ReadMe file of the plugin.
KdbxDowngrade plugin for KeePass ≥ 2.20.
[KdbxDowngrade v1.1 for KeePass ≥ 2.20]
If the KeePass port only checks compatibility incorrectly, but does not
perform non-standard validations,
the following approach using a plugin can be used.
The KdbxDowngrade plugin can be downloaded here:
After unpacking the package and copying the plugin into the KeePass
application directory (where
KeePass.exe is), two files
are created each time you save a database:
<Name>.kdbx. This is the normal database file
saved by KeePass. It can be opened by KeePass ≥ 2.20, but not by the port.
<Name>_Downgraded.kdbx. This is a modified version
of the database file. The port can open this file.
However, it cannot be opened by KeePass ≥ 2.20, because it detects a
modification of the header and interprets it as corruption.
So, when using this approach, you work with the normal database file on the PC, and the
<Name>_Downgraded.kdbx file can be used by the port.
Changes to the database must be done using the PC application (changes made to
<Name>_Downgraded.kdbx are ignored and overwritten).
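Why a file whose header was changed after saving is rejected by KeePass ≥ 2.20 but still accepted by a reader without header authentication, shown as an added example (not code from KeePass or the plugin). The header layout, the field ids and values, and passing the stored hash in as a parameter instead of decrypting it from the payload are assumptions made for this sketch.

```python
import hashlib
import hmac
import struct

# Assumed layout (simplified, KDBX 3.x style): two 4-byte signatures, a 4-byte
# version, then fields of [1-byte id][2-byte LE length][data]; id 0 ends the header.
SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67
END_OF_HEADER = 0


def build_header(version, fields):
    """Serialize a constructed header; `fields` is a list of (id, bytes)."""
    out = struct.pack("<III", SIG1, SIG2, version)
    for fid, data in fields + [(END_OF_HEADER, b"\r\n\r\n")]:
        out += struct.pack("<BH", fid, len(data)) + data
    return out


def header_span(blob):
    """Return the raw header bytes, walking fields up to and including id 0."""
    if len(blob) < 12 or struct.unpack_from("<II", blob, 0) != (SIG1, SIG2):
        raise ValueError("not a recognised database header")
    pos = 12
    while True:
        if pos + 3 > len(blob):
            raise ValueError("truncated header")
        fid, size = struct.unpack_from("<BH", blob, pos)
        pos += 3 + size
        if pos > len(blob):
            raise ValueError("truncated header field")
        if fid == END_OF_HEADER:
            return blob[:pos]


def header_is_authentic(blob, stored_hash):
    """Compare SHA-256 of the header with the hash kept in the protected payload."""
    actual = hashlib.sha256(header_span(blob)).digest()
    return hmac.compare_digest(actual, stored_hash)


# Constructed sample: three made-up fields plus placeholder payload bytes.
FIELDS = [(2, bytes(16)), (4, bytes(range(32))), (6, struct.pack("<Q", 6000))]
ORIGINAL = build_header(0x00030001, FIELDS) + b"<encrypted payload>"
STORED_HASH = hashlib.sha256(header_span(ORIGINAL)).digest()  # fixed at save time

# Same file with a single header byte altered after saving. It still parses,
# so a reader that never checks the hash opens it without noticing.
_tampered = bytearray(ORIGINAL)
_tampered[15] ^= 0x01
MODIFIED = bytes(_tampered)
```

A reader that only calls `header_span` accepts both files, which is the behaviour of versions without header authentication; `header_is_authentic` returns False for `MODIFIED`.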
Again, we would like to emphasize that this plugin approach only works for some ports,
not for all (it does not work for ports performing non-standard validations).
It does work e.g. with KeePassBB2 2.0.1527.
Of course, as soon as an updated version of the port is available,
it is highly recommended to install the latest versions of both KeePass
and the port.
The source code of the KdbxDowngrade plugin can be downloaded here:
[KdbxDowngrade v1.1 for KeePass ≥ 2.20].