First I want to say I'm sure I'm doing it wrong somehow and want some advice for what is best practice. No need to flame me, I'm already a flamer.
My IT team has adopted Keepass as an incremental improvement to keeping our secrets in a spreadsheet and various text files. But Keepass' out-of-the-box configuration is cumbersome. After some timeout we're prompted for a password whenever we go to Keepass for a password. If we turn off the locking mechanism Keepass becomes much easier, with what to us is an acceptable trade-off for security. As IT people we lock our workstations when we leave our desks, so it makes sense for us to trust that our kdbx files are locked up with it. The security of the kdbx files is temporarily lower, and the trade-off is that everyone wants to use Keepass.
Added to that, we encrypt three different password database files (one for personal, and two shared kdbx files for our two main roles on the team). Opening these two or three files with two factors each (key + password) is quite a process. For that problem someone discovered and shared around the trigger feature. It can automatically open any kdbx file you want just after your app starts, which you can rig to run just after you log in. Another big headache gone.
I suppose there are two problems that have emerged from this. One, there is no centralized control of the configuration of Keepass, meaning I can secure how I open and lock the shared .kdbx files on my system, but the next guy, who is using the same .kdbx file, has automated everything and disabled all locks. The chain is only as strong as the weakest link. Second, we have discovered that the triggers store the passwords and key paths in the clear in an .xml document buried in your user profile. So now everything you need to open a .kdbx file is referenced in one well-known place.
Aside from fishing for alternatives to making Keepass easier to use while trying to retain some of the security you get with it, I just wonder if the real solution is to knuckle under and just lock your UI and re-type a password whenever you want…a password. If that's the case I'm worried that Keepass will fall into disuse in favor of spreadsheets and text files. Also is there some plugin or feature that can at least obfuscate that damn trigger xml file?
I suggest KeeAutoExec to open the other databases at startup. Then set your databases to lock when you want and only open your personal database to fire up the other 2.
You don't need to store passwords in triggers; use the trigger to obtain credentials from your database.
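To check a KeePass config for the problem raised in the question (trigger parameters holding literal passwords and key-file paths) versus the placeholder approach suggested in this answer, here is an added audit script; it is not from this thread or from KeePass itself. It assumes the trigger layout Triggers/Trigger/Actions/Action/Parameters/Parameter and runs on a constructed sample rather than a real KeePass.config.xml.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the KeePass.config.xml trigger section
# (assumed layout: Triggers/Trigger/Actions/Action/Parameters/Parameter).
SAMPLE_CONFIG = """<TriggerSystem>
  <Triggers>
    <Trigger>
      <Name>Open shared DB (literal secrets)</Name>
      <Actions><Action><Parameters>
        <Parameter>C:\\Shares\\it-shared.kdbx</Parameter>
        <Parameter />
        <Parameter>hunter2</Parameter>
        <Parameter>C:\\Users\\me\\shared.keyx</Parameter>
      </Parameters></Action></Actions>
    </Trigger>
    <Trigger>
      <Name>Open shared DB (placeholders)</Name>
      <Actions><Action><Parameters>
        <Parameter>{REF:A@T:IT shared}</Parameter>
        <Parameter />
        <Parameter>{REF:P@T:IT shared}</Parameter>
      </Parameters></Action></Actions>
    </Trigger>
  </Triggers>
</TriggerSystem>"""

# A KeePass placeholder such as {REF:P@T:Title} or {PASSWORD}; anything else is a literal.
PLACEHOLDER = re.compile(r"^\{[A-Z_]+(?::[^}]*)?\}$")

def audit_triggers(config_xml):
    """Return [(trigger name, literal values)] for database-opening actions that hold plaintext literals."""
    findings = []
    for trig in ET.fromstring(config_xml).iter("Trigger"):
        name = trig.findtext("Name", default="?")
        for action in trig.iter("Action"):
            values = [(p.text or "").strip() for p in action.iter("Parameter")]
            # Only look at actions that appear to open a database (a .kdbx path or a REF placeholder).
            if not any(v.lower().endswith(".kdbx") or v.startswith("{REF:") for v in values):
                continue
            # Non-empty parameters that are neither the database path nor a placeholder are exposed secrets.
            literals = [v for v in values
                        if v and not v.lower().endswith(".kdbx") and not PLACEHOLDER.match(v)]
            if literals:
                findings.append((name, literals))
    return findings

if __name__ == "__main__":
    for name, literals in audit_triggers(SAMPLE_CONFIG):
        print(f"trigger {name!r} stores literal secrets: {literals}")
```

Running it against the sample flags only the first trigger, reporting the literal password and the key-file path; the placeholder-based trigger passes.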
Thank you so much. I'll try one of those now!