
Disable "Save As" and "Sync" in Keepass window

Kev
2023-07-28
2023-09-25
  • Kev

    Kev - 2023-07-28

    First of all, I know that if there is access to the file there are simple ways of moving it etc. But I'm experimenting with other various measures to stop explorer access to the file and stopping it being moved there it would still mean that someone with access to the database via Keepass has the ability to "Save As" or "Sync".

    I know it's been brought up before, but with some other methods of being able to lock the file down, would it be considered to allow the disabling of these 2 options in the GUI of "Save As" and "Synchronize" either via a policy or via the GUI settings (https://keepass.info/help/v2_dev/customize.html) to disable them so the only option someone would have is to just save to the file that's already open?

    I would find this really useful. I'm using Keepass v 2.

     
  • wellread1

    wellread1 - 2023-07-28

    Locked and closed database files are already secure against malicious attacks if you use a strong and secured master key.

    From a security perspective SaveAs and Syncing a database file aren't materially different than copying or moving it. However, if you want to block Saving, SaveAs or Syncing the database you can uncheck the Save Database policy. Enforce the policy and make sure KeePass is installed in a write protected folder. Beginning with KeePass 2.54 policy enforcement is mandatory.

     
    • Rethread

      Rethread - 2023-09-08

      Beginning with KeePass 2.54 policy enforcement is mandatory.

      That sounds ominous. Will I have to learn about policy if nobody else is involved in my KeePass use?

       
      • wellread1

        wellread1 - 2023-09-08

        You don't need to do anything, policies have been in KeePass since the first alpha release of KeePass 16 years ago. Policies are found in Tools>Options>Policy(tab).

        The difference in KeePass 2.54, released 3 months ago, is that policies and other sensitive settings are now stored in the keepass.config.enforced.xml file located in the KeePass application directory. If you are using KeePass on your personal computer you probably won't notice much difference. If you use a copy of KeePass managed by a protective IT department, you will likely find that they won't let you muck around with the KeePass policies.
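
Added example (not part of wellread1's post and not KeePass project code): a small audit that reads an enforced configuration file and reports whether the Save Database policy discussed above is actually pinned off. The element names `Security/Policy/SaveFile` and `Export` are assumed from the KeePass 2.x configuration layout, and the XML is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an enforced configuration file. The element names
# (Security/Policy/SaveFile, Export) are assumptions based on the KeePass 2.x
# configuration layout; compare them with your own KeePass.config.xml.
SAMPLE_ENFORCED = """<?xml version="1.0" encoding="utf-8"?>
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Security>
    <Policy>
      <SaveFile>false</SaveFile>
    </Policy>
  </Security>
</Configuration>
"""


def audit_policy(xml_text, flags=("SaveFile", "Export")):
    """Return {flag: state} for each policy flag in the enforced config.

    'disabled'     -> the enforced file pins the policy off
    'enabled'      -> the enforced file pins the policy on
    'not enforced' -> the flag is absent, so the user's own config decides
    'unreadable'   -> the file is not well-formed XML
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return {flag: "unreadable" for flag in flags}

    result = {}
    for flag in flags:
        node = root.find(f"./Security/Policy/{flag}")
        if node is None or node.text is None:
            result[flag] = "not enforced"
        elif node.text.strip().lower() == "false":
            result[flag] = "disabled"
        else:
            result[flag] = "enabled"
    return result


if __name__ == "__main__":
    for flag, state in audit_policy(SAMPLE_ENFORCED).items():
        print(f"{flag}: {state}")
```

A flag reported as "not enforced" can still be changed by the user in Tools>Options>Policy, which is why the post also asks for KeePass to be installed in a write-protected folder.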

         
  • Kev

    Kev - 2023-07-31

    The "Save Database" policy needs to be enabled to allow saving to the current open database.

    But, by having the ability to limit a user with an already open database being able to save to a new location, ie "Save As" or the options in Sync, along with other measures in place for ability to write to locations, would help.

     
  • wellread1

    wellread1 - 2023-07-31

    ...having the ability to limit a user with an already open database being able to save to a new location, ie "Save As" ... would help.

    Please explain how it helps, if you can also copy the file.

     
  • Kev

    Kev - 2023-08-06

    There may be a way to limit access to the file path etc., but whilst the db is open in the GUI, the "Save As" will allow creating a new file somewhere. Whereas Save will just override the one already there.

     
  • Kev

    Kev - 2023-09-08

    I'm also thinking if the database is hosted on a web server, it also stops someone easily saving the file to another location if the "Save As" and "Sync" options are able to be disabled via a policy or GUI options.

     
  • steelej

    steelej - 2023-09-08

    You are wanting to add complexity without any justification. What you are suggesting appears to be pointless.

    Your KeePass database file is STRONGLY protected by encryption. It can only be opened using the password. It does not matter where the database file is stored or whether you can copy the file anywhere. Using File Save as just creates a copy somewhere else. You can just as easily copy the file using any other file utility if you have access to your computer. Placing the file on a web server just makes it easier for an attacker to get the file. They still need the password to open it.

     
  • Kev

    Kev - 2023-09-25

    If several users use the one file they all know the password to open the file.
    Due to this, if one of those users is then able to get the file, they can copy it wherever they wanted and have access.

    If the file is on a file server where the user is unable to do any file operations other than save to the file (ie through the Keepass.exe) then the file can be controlled.

    But, if this was in place, a user is still able to open the file via the Keepass.exe and use "Save As" to get around this.

    If "Save As" etc were disabled in the app, the file could be controlled.

     
  • steelej

    steelej - 2023-09-25

    A user does not need to have KeePass open to copy the database file elsewhere. If the file permissions allow KeePass to open the file on the server they can also just copy it using any standard file tools and save it wherever they have permission to write to e.g. their own My documents folder. There is nothing KeePass can do to stop this.

    If you are allowing several users to access the same file on a file server I hope that the file is read only or you have other measures to prevent the file being opened by two users who can separately make changes. If two users both open the file at the same time, both make changes to their copy to different records, and then separately save it there is a certainty that the earlier data saved will be overwritten. This is why we recommend a single master copy on a server and multiple users synchronise via triggers to this copy as this is the only way to ensure no data is lost.

     
  • Kev

    Kev - 2023-09-25

    The database is set to auto sync via locked down settings.

    I don't think this is a foolproof system but having a user not being able to do save as and just save would be helpful.

     
    • steelej

      steelej - 2023-09-25

      If a user can open the file with KeePass how do you stop them opening it with any other program?

      If they can do that they can save it anywhere they like.

       
  • Paul

    Paul - 2023-09-25

    A user can download another copy of KeePass and use it to open the copied database, or even the "controlled" database.

    If the passwords in the database give remote access then you need an additional method to control that access, like IP blocks.

    cheers, Paul

     
