Does Keepass synchronize across devices?
A lightweight and easy-to-use password manager
Brought to you by:
dreichl
Menu
▾
▴
I use Keepassdroid on my phone for password storage. Now, I'm looking for a manager that can be used on multiple devices, synchronizing between them, and by multiple users. Ideally, it would automatically populate logon/password information fields for sites it recognizes. I'm not tech-savvy enough to discern from the technical information about Keepass whether it has these capabilities. I would be grateful for insights.
John
There are multiple ways and methods but here is mine:
I use a Windows10 machine and have multiple Android devices running Keepass2Android. The database file is on a OneDrive folder that OneDrive automatically keeps local and in the cloud. On the mobile devices, I use "Autosync for OneDrive - OneSync" and chose the option for a daily one-way sync of the database file from OneDrive to the device. I don't need live updates so daily was fine for me and chose one-way so easily made errors on the mobile device won't spread. If you make an error, the database will get refreshed on the daily sync.
I've had this automatic setup for years and I've never had an issue and never have to think about it.
Last edit: Glenn 2018-12-30
Glenn:
Thank you very much for your informative response. (I expected, wrongly, that I would receive email messages alerting me to responses, so it's taken a while to discover that I needed to go back to SourceForge on my own.)
I would be grateful for clarifications: (1) Can your system work with two Windows devices and two Android devices? (2) Is there an option in Keepass to specify the OneDrive folder where the information is to be stored? (3) Is Keepass2Android the same thing as KeePassDroid (I'm running version 2.3.4)? (4) Is there a way to download from Keepass2Android to the OneDrive folder so that I don't have to rekey all the information from my Windows machine.
Again, thank you!
John
KeePass itself will sync changes between database copies.
https://keepass.info/help/v2/sync.html
Currently, only KeePass2Android has the same sync feature so it may be easiest to assume your non-KeePass (non-Windows) devices are read only and you should not make changes on them.
KeePass is not a multi user system but multiple users can use the same database, with all users having full access.
KeePass does not automatically fill in login details unless you use a plug-in, like Kee. I use Global Auto-Type to fill in credentials, which gives me control over what forms are filled in.
cheers, Paul
Thank you, Paul. (Hopefully you can see my reply to Glenn, wherein I explain my delay in responding.)
I would appreciate clarification on the following points: (1) Could you explain what you mean by "only KeePass2Android has the same sync feature"? Does this mean that Keepass2 for Windows does not have a sync feature? (2) Related to point (1), your suggestion that the non-Windows devices (I presume that includes Android) should be read only implies that changes should be made on the Windows machine, so they must have a syncing capacity. Obviously, I'm confused.
Your thoughts on autofill are helpful. I've looked over the guidance and will keep that in mind.
Thanks again,
John
Keepass contains a feature called "sync"
which is a two way record level sync between two .kdbx files.
any insert/update/deletes in one file flows to the other and visa versa
at the end of the sync both files are identical.
a "typical" useage might be:
- device A uses local file "my_file".kdbx and does a keepass sync with file called "my_file_traveling.kdbx" on onedrive/dropbox
- device B uses local file "my_file".kdbx and does a keepass sync with file called "my_file_traveling.kdbx" on onedrive/dropbox
- device C uses local file "my_file".kdbx and does a keepass sync with file called "my_file_traveling.kdbx" on onedrive/dropbox
A/B/C can be any mix of windows-10 or android app keepass2android
(I can not speak to IOS ports of keepass).
Typically one cofigures the keepass sync to occur on an event (such as database open).
In the above example it is critcal to notice that onedrive/dropbox never overwrites the file called "my_file.kdbx"
but rather onedrive/dropbox will only replace the entire file "my_file_traveling.kdbx" with the next newest timestamp copy of itself.
The above means an insert/update/delete will always exist on the local file of the device that did the transaction.
with the due course of using keepass (opening/closing the .kdbx) a sync will occur to push that insert/update/delete into onedrive/dropbox "travleing" file.
Those services will then do their function and push the now newer "traveling "file to the other devices
where "eventually" those devices will do a 2way record level sync if that results in "traveling" having been changed then the proces repeates with
onedrive/dropbox pushing the now newer "traveling" file to other devices.
After several itterations 100% of all devices now have 100% of all insert/update/deletes.
If one did NOT utilize the keepass 2 way record level sync feature and instead
tried to go old school and operate directly against the onedrive/dropbox files
then it IS possible for lose insert/update/deletes.
For example, assume that A/B/C each has the onedrive/dropbox service/app
and that service as correctly put the same file onto A/B/C.
now let us assume internet goes down (router off or cell phone in dead zone)
with internet off you then created a "walmart" record on "A"
a "target" record on "B" and a "K-mart" record on "C".
the internet comes back up. onedrive/dropbox will correctly compare
the timestamp of the local file and the cloud copy and which ever is newer
that newer file is pushed to the other.
the cycle repeates till eventually every device has the newest file
that "newest" file might be "walmart"/"target"/"k-mart" but the will not contain all 3 records
the other two records are effectively "lost".
the above problem of lost data entry can never happen
if you do the setup as originally described with keepass syncs.
"walmart" will always exist on local file "A"
"target" will always exist on local file "B"
"kmart" will always exist on local file "C"
as each device does a keepass sync both files will aquire the recs it does not have
if the sync resulted in the traveling file having changed then the service will correctly push the now newer traveling file to all the other devices.
Eventually every device will have executed enough syncs
that every device is the same file as every other device
and every device now contains records for "walmart"/"target"/"kmart".
btw:
In the case of android one will discover that app "keepass2Android"
has the above local file/cloud sync kinda built into it.
you tell the app open up a onedrive/dropbox file
and it automatically makes a local copy of that file
and automatically on a go-forward basis it forever more will keepass sync with onedrive/dropbox.
in the case of keepass on windows you can get the above effect
either by configuring pluggin "Autosync for Onedrive"
or by filling out the panels for creating a "trigger" to do the sync on database open/unlock.
on a personal level I used to do the trigger method but have adopted the pluggin because it is very easy.
I guess the bottom line is utilizing a 2way record level sync takes
a few extra minutes of 1time seutp but the protection it provides is extrodinary.
you can skip a lot of that complexity and open up/utilize dropbox/onedrive files directly
and it may "seem" like everything is working great but in reality a risk exists to lose data entry.
so its your call what you prefer.
Last edit: develop1 2019-01-03
I can; I think I've tried all of them, and none of them does sync like KeePass.
KeePass has protection against loss by checking the source file time stamp and if it has changed since KeePass opened the database, KeePass says it has changed and offers to sync the changes.
(I assume KeePass2Android does the same as it uses KeePass code for the sync, but I've not checked.)
cheers, Paul
You are correct, the protection against loss by checking a timestamp/ CRC of the file on disk vs a copy of the file loaded into keepass memory is true if and only if keepass is actually running.
In this event keepass will detect and correctly reload and/or record level sync the a newer file laid down on disk with the memory copy.
I was trying to reference a fairly common condition wherein one or both of device "A" and device "B" are without internet and each makes a change to their respective dropbox .kdbx file.
Each device will create their respective unique record and each device will save their file to their local storage. we will assume user then closes/exits out of keepass. at that moment the dropbox file on each local device is newer than cloud dropbox. however because internet is down dropbox does not know it yet. Eventually (could be hours or days later) each device will get internet once again (this might occur at different times) and dropbox will correctly compare device file timestamp to cloud copy timesamp whichever file is newer that file will overwrite the other. dropbox will repeat this timestamp compare process with all dropbox devices until eventualy all devices and cloud all have the same newest file. In this situation that newest file will be the edits from "A" or the edits from "B" but it could never contain the edits of both as a drop box sync is at the file level and not the record level. So the risk of losing edits by operating directly on drobx files is real hence the "need" for record level sync vs direct edits on dropbox.
https://keepass.info/help/kb/trigger_examples.html#dbsync describes how to avoid that risk
I am mightily impressed by the deep understandings apparent in the preceding responses! My comprehension is far less advanced, but I am reassured that wise people view KeePass as top-flight secure data storage with great syncing architecture. It now lies in my court to try to install and configure it properly.
I would be grateful for your advice on a few procedural points: (1) Is KeePass2Android the same as KeePassDroid v. 2.3.4, which I currently have loaded on my phone? (2) If I load KeePass2 onto my two laptops, will it automatically recognize and sync with the data loaded on my phone? (3) Likewise, when I install KeePass2Android on a second phone, will it also be able to recognize and share the existing data? (4) In my existing KeePassDroid v. 2.3.4, the "Database settings" portion of the Settings menu is grayed out -- I can't access it. Seems like I would need to be able to do so to work on the syncing protocol. Is there some way for me to gain access to that portion of the settings menu?
Thank you.
John
KeePass2Android and KeePassDroid are different ports of keepass.
I can only speak to KeePass2Android as thats what I use and can not speak to KeePassDroid
I would assume KeePassDroid stores its .kdbx database file in "standard" keepass format
hence that file should be consumeable by keepass windows and KeePass2Android
given that your primary task is to get that kdbx file form keepassdroid and onto onedrive.
once there just start using keepass2android against that one drive file.
I so rarely do the 1 time setup of new machines that I am sure I can NOT give you
step by step instructions.
the following may not be the smartest, the best or even wise, but it is what I do.
so take that for what its worth.
the following is not exact instructions but it may get you to where you wanted to be...
a) the latest 2.x version of keepass: https://keepass.info/
b) pluggin KeePassOneDriveSync https://keepass.info/plugins.html#kpodsync
c) pluggin DataBaseBackup https://keepass.info/plugins.html#databasebackup
(I also install other pluggins as well but thats for purposes outside of this discussion)
Onto the one drive cloud service I created a Keepass folder and staged my kdbx file
with the filename containing the suffix string "_traveling".
example: fname_lname_traveling.kdbx
on each windows PC copy/download the "_traveling" file
and place this copy into a non onedrive folder I also rename the file so it no longer has the _traveling suffix.
my memory is a little hazy here but once teh "onedrive" pluggin is installed
I think you just launch keepass and do a ctrl-s (for save)
the pluggin kicks in and asks if you want to configure
that file for automatic sync to one drive.
I said yes and mapped my fname_lname.kdbx on local machine with the fname_lname_traveling.kdbx file on onedrive
am sure I selected "MicrosoftGraph" as the storage/access method.
once configured the onedrive pluggin will ensure that the local file and the traveling file
are made identical whenever the pluggin detects they are no longer identical.
I am sure a check is performed when your unlock/open your .kdbx
I am not sure if a periodic check also occurs as well.
I also go into keepass menu- tools/options/advanced and set the checkbox for
"automatically save after modifying and entry"
what the above should mean every time you insert/update/delete a record
when you "ok" out of the edit panel an automatic save will occur.
when the save occurs that should force the onedrive pluggin to wakeup
and perform a 2 way record level sync the "traveling" file on onedrive
I also configure keepass menu "tools" / "db backup plugin" / "configure"
I then set dateformat as yyyy_MM_dd_hh_mm_ss and number of copies to keep to a higher number such as 20
within this panel I tend to define at least 3 different destinations:
a) local folder on my local machine
b) a network folder which my PC can routinely reach
c) a subfolder of onedrive "keepass" which is named unique to the PC I am configuring
what the above pluggin will do is every time a "save" occurs this pluggin will multiplex the writing of that file
to every location you define
further more the pluggin will ensure that each location will have its own collection of up to 20 timestamped files
(typical filename of these backups are:
fname_lname_2019_01_04_12_17_06.kdbx
the advantage of this plugggin is should you go on a liquor inspired data entry bender
you will have 20 historical copies of your .kdbx which with to recover from your brain fart data entry.
Because you multiplexed to so many different locations you are protected from network being down, internet being down or even your entire house burning down.
on your android phone you install the keepass2android app and tell it to open the traveling file on onedrive.
(thats about it for your phone as The app pretty much handles things correctly from this point onward)
it copies that traveling file from onedrive and onto your local phone.
this local file means you can use your keepass on phone
even if you are in a "dead zone" without internet.
with this app, every time you open your kdbx on phone
the app will do a 2 way record level sync with the onedrive traveling file.
lets say you have 2 laptops ( a persona laptop and a work laptop)
and you have 2 phones (yours and your spouses).
and you have configured all four devices as described above.
lets assume internet is up and Spouse on her phone creates a new record.
her keepass2android will automatically save that record to local storage on her phone
the app will automatically do a 2 way record level sync with traveling file on one drive.
the above sync will result in an automtaic save of your data occuring.
and thanks to he backup pluggin that same save will multi-plex a copy of this new file
elsewhere on your local pc, and onto a network folder and onto a onedrive folder unique to this pc
each of these multiplexed locations will each have upto 20 automatically maintained historical copies of your file
with the above in place regardless of what crashes, burns down or goes down
it should be "impossible" to lose data entry and "impossible" to not have a valid backup of your kdbx with which to recover
BTW:
for Diaster Recovery purposes you should have written down somewhere outside your house your onedrive password
this is so if one day your house burns down with both cell phones and both laptops within the house you can still get into onedrive and obtain your .kdbx
hope this helps.
Thank you very, very much for your detailed guidance! One more hurdle and one concern before I get started:
1) How shall I migrate the .kdbx created by my KeePassDroid 2.3.4 to KeePass2? I don't see anything in settings that indicates the ability to download the file, and I also don't want the file to become insecure.
2) Should I be concerned about the security of the "_traveling" file copies stored outside of OneDrive (I presume that means on my local harddrive) on the Windows devices? Can/should they be deleted at some point without traces left behind?
Thanks again.
John
four things:
1)
My best guess is your existing .kdbx can be in just one of two places.
Either it is already on a cloud storage of yours and KeePassDroid is simply using it
[ in which case log your account(s) and go find file].
or (more likely)
your .kdbx is simply a file within local storage of your phone.
I would be inclined cable your phone to your windows-10 pc/laptop [usb].
and utilize windows file explorer to search the phone for your *.kdbx
when you find the file simply copy/paste the file from phone onto your PC.
there may be other ways but thats the first idea that comes to mind.
2) with regard your concerns of the _traveling file existing outside of onedrive.
the point and premise of keepass is that your .kdbx has military grade encryption
this encryption should mean you do not need to be concerned about "_traveling"
copies of your .kdbx existing outside of onedrive.
3)
despite the assertion of item 2 you can (and should) take steps to maximize your security.
this begins by making it extremely expensive for evll to brute force guess your master password.
your easiest tool is to make your master password string whcih is
"long", "Complex", and both easy for you to remember but hard to guess
that generally means you must maximize the universe of permutations that evil must try
before they succeed finding the right string to decrypt your file.
There are many techiques to choosing a master key I tend to be a fan of inventing a sentence
which is always true throughout the passage of time no matter who lives/dies or what changes
and using that sentence to form your master password.
An example of such a sentence is...
"in 1962 my dad (Jim Smith) was drafted into the Army and served 4 years"
taking first character of every word, retaining punctuion, capitializing propernames
that sentence would become:
i1962md(JS)wditAas4y
the above is string is 20 chars long, contains upper/lower&symbols it would be extremely hard to guess but very easy to remember.
some people put a "hint" into the kdbx filename such as the word "dad" to give themselves reminder of what the sentence might be.
4)
related to the above is setting a high number of encryption rounds to open your .kdbx
what this means is your master password must be mashed thru N rounds of encryption before that resultant string is used to encrypt/decrypt your file
There is no short cutting that system if .kdbx was encrypted with 6000 rounds of encryption
than it will take 6000 rounds of decryption to open it.
each round of encryption requires cpu to perform
your goal is to have enough rounds that the cpu burn (and resultant wall clock delay)
is not impacting your enjoyment of using keepass but by the same token that delay
makes a brute force attack hellishly expensive and slow to evil.
I find that most .kdbx files are created with as few as 6000 rounds of encryption
but consumer grade hadware can do about 20 million rounds in 1 second.
As a human trying to open (decrypt) your .kdbx
a one second cpu burn is totally acceptable to your enjoyment of using keepass
but a one second delay makes brute force guessing your password hellishly expensive and way to slow for evil to try as they want to do miillions of guesses per second not just a few.
the utility to determing an apprpriate number for encryption rounds for your hardware
is found in windows keepass try "file/database/security" use the button which calculates how many rounds your hardware can perform one second.
Whatever that number is, use it as number of rounds to encrypt your .kdbx
Once done, a go forward basis, that 1 second cpu burn delay will be required to open your .kdbx
your phone might take a half second longer but that is still "ok" to your use of keepass.
once you have done #3 and #4 you can "safely" leave a copy of your .kdbx out on the sidewalk and be ok with that exposure..
Obviously your are not going to do that but if somehow that is what effectively ends up happening
then it will be "ok" evil will not win, sleep well.
hope this helps.
good luck.
1) You can email the local database to your PC.
cheers, Paul
The good news is that I found and copied the .kdbx file from my phone to OneDrive on the first Windows machine, where I also successfully downloaded KeePass2 to the Program Files(x86) folder. (I have no idea what "x86" contributes, nor whether that is the correct Program folder.) Thanks to those of you who provided guidance.
The not-so-good news is that I can't seem to download the pluggins. Using the links provided by develop1, the Sync pluggin link takes me to Koen Zomers website. There, I am accosted with invitations to sign up for GitHub, which I have done, but neither the Zomers website nor GitHub provide transparent procedures for downloading the pluggins. I've tried clicking on lots of hotlinks to no avail. The Backup plugging link takes me to the following:
**Plugin Author: Francis Noël, Plugin Language:
**Creates backups of modified databases.
**Note: DataBaseBackup does not use KeePass' I/O infrastructure, therefore the plugin is incompatible with most other plugins that are providing support for more protocols (like IOProtocolExt).
Download plugin: [v2.0.8.6 for KeePass 2.27 and higher]
Clicking on the download link produces a compressed file that I am unable to open.
So, with gratitude for the patience and generosity you have already exhibited, I request further assistance on the downloading of pluggins.
There is no need to register at github to download the Simple Database Backup plug-in. Click on the link under "Download" half way down the page and you will get a PLGX file. Copy that file to the
Pluginsfolder under KeePass.exe and re-start KeePass.https://github.com/jnko/SimpleDatabaseBackup
For more on backing up your database see the backup wiki.
https://sourceforge.net/p/keepass/wiki/Backup/
cheers, Paul
Last edit: Paul 2019-01-06
Hi, sorry instructions to obtain pluggin(s) was lacking.
here are two things to help clarify:
1)
yes the backup pluggin I use is the one that had the scary note
"Note: DataBaseBackup does not use KeePass' I/O...."
I use the above pluggin because it is the one that that creates timestamp copies
of each file backed up as well as containing a "purge" function to cap the number
of historical copies dont storage consumed does not get out of control.
Here is the URL to download it.
https://keepass.info/plugins.html#databasebackup
The above URL is a plugin listing page wherein each
listing gets about 5 lines of description.
for this listing there is a "download"link just click it and download should begin.
typically a pluggin install is nothing more than placing the ".pglx" file
into the same folder as wherever your "keepass.exe" file resides/was installed.
exit and restart keepass, pluggin should install.
2)
as for "one drive sync" go here
https://keepass.info/plugins.html#kpodsync
the "listing" for contains a "website" url, follow it and it will take
you to main landing page called "KoenZomers/KeePassOneDriveSync"
within this main landing there paragraph page of file listings
About #8 in the list is the "plgx" file that you want - click to download.
the line item just above it are install instructions it would be wise to download/read that as well.
Hi John.
I just realized you said that you "successfully downloaded KeePass2 to the Program Files(x86)"
I think you may have taken a manual method and possibly installed the "portable" version of keepass
This is not a full install of keepass it is a version typically intended to exist on a USB memory stick thereby letting you have keepass with you at all times and run access it from any pc that lets you insert a usb stick.
I have used the portable form time to time, it is handy.
I think for your purposes you wanted the full install of keepass.
the download link is here:
https://keepass.info/download.html
the full version is the upper left quadarnt of menu choices.
that button that takes you to a page that automatically will start a download of:
KeePass-2.40-Setup.exe
let the download occur then run that program just downloded to install keepass on your windows machine.
Thanks very much, develop1, for your caution about the Windows (C:) > Program Files (x86) folder. I had a nagging sense that “x86” was not an auspicious omen. So, I shall start the process again and try to ensure that correct version of Keepass2 lands in the unsuffixed Program folder.
As I make this change, should I also delete the Windows (C:) > Program Files (x86) folder (or uninstall the individual programs as the case may be)? I notice that there are other differences between Windows (C:) > Program Files and Windows (C:) > Program Files (x86). I don't want to throw the baby out with the bathwater.
Am I correct in presuming that this has no effect on the Keepass2Android installed on my cell phone?
Odd that I found your cautionary message in email but not in the SourceForge discussion forum.
Thanks again,
John
More for coach develop1:
I downloaded the portable version of Keepass2 as you suggested, copied it from the downloads folder to Windows (C:) > Program Files, and clicked on the - Setup file for installation. The installer automatically selects Windows (C:) > Program Files (x86) as the location of the installed program. It gives me no choice in the matter. What shall I do?
Thanks,
John
... pardon me; I meant to say that I think I downloaded the "full install" version RATHER THAN the portable version.
a) it is completely normal for keepass to be in that x86 folder
in fact my install location is in that folder as well.
C:\Program Files (x86)\KeePass Password Safe 2\
all you needed to do was download the setup.exe file
leave it in the "download" folder and double-click/run it.
that launches the install and you can mouse click your way thru it
accepting the default answer to its prompts.
pretty sure the default install folder is what is mentioned above.
what I was questioning a few post ago was the method claimed to been used to get it there.
your verbiage made it seem as if you didn't run setup.exe to do the install
but rather manually craeted the folder as I thought you posted...
I " downloaded KeePass2 to the Program Files(x86)"
If you ran setup to get it there you are already ok.
but no harm to (re)run setup just to ensure things are installed "ok".
btw: your manually coping the setup.exe into the C:\program files\
is just pollution, you might want to delete that.
b) as for affecting your phone.
yes, 100% of everything you are doing on your PC has zero effect on your phone with its keepass2android install.
in fact that seperation is exactly what you are trying to acheive.
the intent was PC operates on a file outside of onedrive and that file does not have the "traveling" suffice
and pc simply does a sync with the "traveling" file on onedrive.
meanwhile phone operates on its copy of traveling file and it too will sync with traveling onedrive.
but the point is neither phone nor PC directly touching the file used the other the sync process
is your insulation/stepping stone to info between the PC and PHone.
I have no idea what the above post with its verbiage "Post awaiting moderation." got there.
I did not intentionally create it, if I knew how to delete it I woud.
Last edit: develop1 2019-01-07
BTW:
by now I think we have addressed most of what your inital post of this thread wanted to accomplish.
one thing not discussed is your sentence....
"automatically populate logon/password information fields for sites it recognizes"
Despite having used keepass for more years
I have virtually zero expereince and trust using the "global" autotype feature.
instead 100% of the time I rely on "autotype selected entry"
it is worth noting that the above feature is usually (never?) activated by default
instead the onus is on users to "know" they need to turn it on. (yuk)
fortuantly this is a simple 1-time setup action.
To check if activated ( or to activate it) go into tools / options /intergration
look at the box for "autotype selected entry"
if it is blank that that feature is currently off.
to turn this feature on click into the box and assign a key stroke to it.
For me I use my left hand and make the pinky/ringfinger/middlefinger
jester on keys:
"ctrl shift A"
the above is what I use but feel free to use whatever you want.
Others in the forum are experts in global autotype and can guide you better than I.
here is my take on things:
with global autotype the onus is on you to edit/modify/maintain
every keypass record to "understand"
what programs/panels/window-titles & websites
that a specific keypass record is supposed to be able to recognize.
What all this effort buys you is when you issue the global autotype keystroke
keepass will use the above knowledge and supply the correct username / password
for me the above is way to much effort and ongoing maintence
I also don't like the mindset wherein I am left to my own to be a good boy
and only land on honest websites and programs
as such when I ask for a global autotype to occur keepass
is allowed to then supply my username/password into it.
Basically with a global autotype mindset, keypass in the background
and supplies passwords when asked to do so.
the above mindset is completely opposite when using "autotype selected record"
with this feature the exact opposite work flow occurs.
you tend to always start in keepass,
when you want to launch a program or go to a website to go into keepass
find the "right" record and double click the url field to launch that program/website.
when that program/site wants login credentials
you know with 100% certainty the last keepass record you touched
is the correct record for this program/website
you know that because you got to this program/site
from that keepass record.
this is kinda a closed loop hence "autotype selected entry" can safely supply the
username password into a website/program you already trust.
With the above mindset you tend to never land on evil programs or evil websites
because you are not following some random link in an email from a nigerian prince
but rather you got to the program/site from a trusted keepass record you created.
I'm sure this forum can help you with global autotype but I would be of little use
because I rely on "autotype selected entry"
keepass2android may or may not have autotype features.
I have not investigated as when on phone and password needed
I have been "OK" just using clipboard copy/paste.