Composite Master Key - KeePass



Composite Master Key

This document details how KeePass locks its databases.

KeePass stores your passwords securely in an encrypted file (database). This database is locked with a master password, a key file and/or the current Windows account details. To open a database, all key sources (password, key file, ...) are required. Together, these key sources form the Composite Master Key.

KeePass does not support keys being used alternatively, i.e. it's not possible that you can open your database using a password or a key file. Either use a password, a key file, or both at once (both required), but not interchangeably.

Info  Master Passwords

If you use a master password, you only have to remember one password or passphrase (which should be good!) to open your database. KeePass features protection against brute-force and dictionary attacks on the master password, read the security information page for more about this.

If you forget this master password, all your other passwords in the database are lost, too. There isn't any backdoor or a key which can open all databases. There is no way of recovering your passwords.

Info  Key Files

You don't even have to remember a long, complicated master passphrase. The database can also be locked using a key file. A key file is basically a master password in a file. Key files are typically stronger than master passwords, because the key can be a lot more complicated; however it's also harder to keep them secret.

  • A key file can be used instead of a password, or in addition to a password (and the Windows user account in KeePass 2.x).
  • A key file can be any file you choose; although you should choose one with lots of random data.
  • A key file must not be modified, this will stop you opening the database. If you want to use a different key file, you can change the master key and use a new/different key file.
  • Key files must be backed up or you won't be able to open the database after a hard disk crash/re-build. It's just the same as forgetting the master password. There is no backdoor.

    Do not backup the key file to the same location as the database, use a different directory or disk. Test opening your database on another machine to confirm your backup works. For a detailed discussion on the difference between backing up the key file and the database, see the ABP FAQ.

The point of a key file is that you have something to authenticate with (in contrast to master passwords, where you know something), for example a file on a USB stick. The key file content (i.e. the key data contained within the key file) needs to be kept secret. The point is not to keep the location of the key file secret — selecting a file out of thousands existing on your hard disk basically doesn't increase security at all (it's very easy for malware/attackers to find out the correct file, for example by observing the last access times of files). Trying to keep the key file location secret is security by obscurity, i.e. not really effective.

A 'key disk' is just a normal disk which holds a file (called 'pwsafe.key') with key bytes (KeePass can generate such disks for you). If you want, you can also select the key file (which is stored on the key disk) manually, i.e. one disk can then store multiple keys for multiple databases. In this case, you have to tell KeePass which file it should use; you cannot simply select a drive anymore (when you just select a drive, KeePass assumes that it should load the 'pwsafe.key' file in the root directory of the disk).

KeePass can generate key files for you, however you can also use any other, already existing file (like JPG image, DOC document, etc.).

In order to use an existing file as key file, click the button with the 'Save' image in the master key creation dialog and select the existing file. After accepting the dialog, KeePass will ask you whether to overwrite or reuse the file (see screenshot).

Info  Windows User Account

KeePass 1.x does not support encrypting databases using Windows user account credentials. Only 2.x and higher support this.

Info  For Administrators: Specifying Minimum Properties of Master Keys

Administrators can specify a minimum length and/or the minimum estimated quality that master passwords must have in order to be accepted. You can tell KeePass to check these two minimum requirements by adding/editing appropriate definitions in the INI/XML configuration file.

The value of the KeeMasterPasswordMinLength key can contain the minimum master password length in characters. For example, by specifying KeeMasterPasswordMinLength=10, KeePass will only accept master passwords that have at least 10 characters.

The value of the KeeMasterPasswordMinQuality key can contain the minimum estimated quality in bits that master passwords must have. For example, by specifying KeeMasterPasswordMinQuality=64, only master passwords with an estimated quality of at least 64 bits will be accepted.