We are wanting to remove the export capability from KeePass. The problem is that it exports in plaintext and we don't want users exporting and having these plaintext files saved on their desktops where other people can access the information. Any ideas or suggestions on ways to handle this aside from removing the functionality. Alternatively can somebody advise on how to remove the functionality.
Please see the option in 'Edit - Options - Security Tab - Disable unsafe (security-critical) operations like exports, etc.'.
When you disable this option, exports, printing and such things are disallowed.
To see how to enforce this option in your network, please read the FAQ about how KeePass saves and loads the settings:
I have seen those options. The problem is that each user has their own laptop, so people will be installing the app themselves as the administrator. Is there no way to modify the set up script so that it defaults to installing with the entry set as follows:
This way we could distribute the app as we would like it to run. However, since most of the users are technically competent, they could easily reset this. So ultimately it would be better if we could disable the functionality or at the very least force the exports to be encrypted.
As you have so many users, I suggest paying Dominik to re-compile it with that option permanently on - or do it yourself. It would still be cheap as chips.
Any ideas on how/where to turn the option permanently off? I am not really sure where to do this, but I would definitely like to attempt to make the change.
Hi, I found a solution for it: If you put the KeePass.ini file in read-only mode, The user can´t modify it. If the user uncheck the option of disabling unsafe actions, and the program ask for the user to restart it, the program reads the ini file, and because you had put it in read-only mode, the options changed by the user doesn´t have effect in the file.
I don't think that will work because each user is the administrator of their own laptop. So they can change the file permissions on KeyPass.ini. Aside from that, they would each install for themselves, so I would not have the opportunity to make the file read-only in the first place.
Yes, it´s true, but if you put in the "securiy" option, in the "advanced" button, you can deny explicity the write access to any user, Administrators included. Of course, if the user takes possesion of the file, he can do everything with it, but this is very complicated, don't you know?
Log in to post a comment.