Master password or Key file

Petr S
2013-08-25
2013-08-26
  • Petr S

    Petr S - 2013-08-25

    Hi,

Is it possible to secure a KeePass database with a Master password and a Key file together, but open this database with only one of these options?

I would like to use KeePass as a company password manager, but I need some type of backdoor in case a user forgets their password. So I thought that I could save the Key file in a safe place and the user would use the Master password only; if this user forgets their password, I will be able to open the database with the backup Key file.

    Is it understandable?

     
  • wellread1

    wellread1 - 2013-08-25

    A database can have only one Master Key. If the Master Key consists of a password and key file then both are required.

However, you can use the KeeAutoExec plugin to open the main database with a secondary database dedicated to storing the complete Master Key for the primary database. The secondary database could use a password only. In such a configuration the "Recovery Key" would be the Master Key for the primary database, and users could use their own password. Also, the secondary database can be safely linked to a user's Windows User Account, because if the user's account is lost, the "Recovery Key" can still be used to open the primary database (provided it is not linked to the Windows user account). Note: a simple trigger to activate the secondary database when the primary database is locked is needed for seamless operation of this configuration.

    Other plugins might provide additional suitable options.
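To show why "both are required" once a password and a key file form the Master Key, here is an added example (not code from the thread or from KeePass itself) that models the KeePass 2.x raw composite key: each component is hashed, the component hashes are concatenated, and the result is hashed again. The key-file handling is a simplified model (v1.x XML, raw 32-byte and 64-hex-char files; anything else is SHA-256'd) and the sample key file and password are constructed for the demo.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional


def key_file_key(data: bytes) -> bytes:
    """32-byte component a KeePass 2.x key file contributes (simplified model)."""
    try:
        root = ET.fromstring(data)          # v1.x XML: <KeyFile><Key><Data>base64</Data>
        if root.tag == "KeyFile":
            node = root.find("./Key/Data")
            if node is not None and node.text:
                return base64.b64decode(node.text.strip())
    except ET.ParseError:
        pass
    if len(data) == 32:                     # raw 32-byte key file: used as-is
        return data
    if len(data) == 64:                     # 64 hex characters: hex-decoded
        try:
            return bytes.fromhex(data.decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            pass
    return hashlib.sha256(data).digest()    # any other file: hash of its contents


def composite_key(password: Optional[str] = None,
                  key_file: Optional[bytes] = None) -> bytes:
    """Raw composite key = SHA-256(SHA-256(password) || key_file_key(file)).

    Every supplied component feeds one hash, so a database keyed with both
    cannot be opened by a password alone or a key file alone: the derived
    key is simply a different value.
    """
    if password is None and key_file is None:
        raise ValueError("at least one key component is required")
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        parts += key_file_key(key_file)
    return hashlib.sha256(parts).digest()


def demo() -> dict:
    """Constructed password and XML key file; returns the three candidate keys."""
    pw = "correct horse battery"
    kf = (b"<KeyFile><Meta><Version>1.00</Version></Meta><Key><Data>"
          + base64.b64encode(b"\x11" * 32) + b"</Data></Key></KeyFile>")
    return {"both": composite_key(pw, kf),
            "password_only": composite_key(pw),
            "key_file_only": composite_key(key_file=kf)}
```

Running `demo()` yields three different 32-byte keys; only the "both" value would unlock a database created with both components, which is exactly why a separate password-only secondary database is needed to hold a recovery copy of that Master Key.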

     
  • develop1

    develop1 - 2013-08-25

wellread1 beat me to it; since I had already typed up a reply, here it is:

The short answer is no.

Things you can do to create an environment that gets you closer:

Install KeePass with the DBBackup plugin so each time a .kdbx is saved it is multiplexed into several different folders.
The DBBackup plugin can maintain x number of historical copies in each of the multiplexed locations.
If you happen to always have the last 20 versions of history in a folder, then should the user forget their current password,
at least you will have the last 20 versions of the file; maybe the password you know might open one of these.

Have the user rely on the autoopen plugin.
Let the user have two .kdbx files, one with a hellishly long, complex master password that neither of you could possibly remember/type.
Both you and he would have this hellish password recorded somewhere (such as your personal .kdbx).
Meanwhile the user would have another .kdbx with a master password that only they know (you would not).
This .kdbx would contain an autoopen entry to open up the "real" .kdbx file.
The user would need to be told that 100% of their department data entry needs to go into this 2nd, auto-opened .kdbx file.
The advantage of having them do this is that both of you can open that department file.

Meanwhile that same user is free to put whatever they darn well want in their own personal .kdbx file.
If they choose to put their personal bank login into this file, that's fine; it's their file,
they can do whatever they want with it, and the onus is on them to remember the password.
Should the user forget the password to open up their personal .kdbx, then they are out of luck.
However, the department passwords remain accessible, as you can still open up that file.
You would have no means whatsoever to get into their personal bank info or anything else in that user's personal .kdbx.
However, both of you would be able to open up the department .kdbx courtesy of the autoopen trigger.
Should either of you accidentally (or on purpose) change the department .kdbx password,
then the autoopen trigger will fail and neither of you will be able to open the file.
Even this might be "ok" if you had the backup trigger mentioned above, as both of you could
open one of the historical incarnations of the department .kdbx which existed prior to the password change.

     
    Last edit: develop1 2013-08-25
  • Paul

    Paul - 2013-08-26

    You could use one of the Key provider plug-ins, like CertKeyProvider.
    http://keepass.info/plugins.html#certkeyprov

    cheers, Paul

     
