#1624 Encrypted key files


It would be good to provide the ability to encrypt the individual key files so that the database cannot be opened if someone gains a copy of a key file.

Therefore with a shared database, each user could have a separate copy of the key file encrypted with their own password.
This is standard practice with OpenSSH and is done by using the ssh-keygen utility.

If the current key file format will not allow the option of encryption, perhaps a separate file extension could be proposed. e.g. eky for encrypted key


  • Paul

    Paul - 2012-06-22

    An encrypted key file is the same as a key file and password. No need for anything extra.

    cheers, Paul

  • rgeorge7

    rgeorge7 - 2012-06-26

    Not quite the same because shared passwords are inherently insecure because you can't ever be sure who knows the password as they can be easily given out to others without your knowing.

    Anyway, I found a workaround to do this.

    Create a database with a long password.
    Each user starts KeePass and opens their own local database encrypted with their own private password.
    They add an entry and put the password in the password field and set the URL to something like:

    cmd://"C:\User\KeePass\KeePass.exe" \\network_path\DMS.kdbx -pw-enc:{PASSWORD_ENC}

    This still is really a shared password, except that it is encrypted within a personal KeePass file. A much better solution would be to encrypt the key files with a user's public key. This would then allow you to add or revoke a user's access by creating or deleting their encrypted key files which are created by signing them with the user's public key. Therefore when a user leaves the organisation, the database gets its password changed and new encrypted key files get generated for all the users. Just a thought.
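
The per-user wrapping and revocation idea from the comment above, sketched with the openssl CLI as an added example; it is not from the thread and not a KeePass feature. The user names, helper function names and the 32-byte stand-in for the shared key file are constructed, and RSA-OAEP is an assumed choice of public-key encryption; the `.eky` extension follows the request's suggestion.

```shell
#!/bin/sh
# Added example. Users, file names and helper names are constructed; the 32
# random bytes stand in for the shared database key file.
set -eu
WORK=$(mktemp -d)

new_user() {        # RSA key pair per user; private key stays with the user
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$1.priv.pem" 2>/dev/null
  openssl pkey -in "$WORK/$1.priv.pem" -pubout -out "$WORK/$1.pub.pem"
}

new_shared_key() { openssl rand -out "$WORK/shared.key" 32; }

wrap_for() {        # admin side: needs only the user's public key
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/$1.pub.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/shared.key" -out "$WORK/$1.eky"
}

unwrap_as() {       # user side: $1 = user, $2 = wrapped file name
  openssl pkeyutl -decrypt -inkey "$WORK/$1.priv.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/$2" \
    -out "$WORK/$1.unwrapped" 2>/dev/null
}

reads_current() {   # true only if the user recovers the *current* shared key
  unwrap_as "$1" "$2" && cmp -s "$WORK/$1.unwrapped" "$WORK/shared.key"
}

revoke() {          # $1 = departing user, rest = users who keep access
  gone=$1; shift
  rm -f "$WORK/$gone.eky"
  new_shared_key    # rotation: the database must be re-keyed to this value
  for u in "$@"; do wrap_for "$u"; done
}

for u in alice bob mallory; do new_user "$u"; done
new_shared_key
for u in alice bob mallory; do wrap_for "$u"; done
cp "$WORK/mallory.eky" "$WORK/mallory.old.eky"   # copy kept before leaving
revoke mallory alice bob

reads_current alice alice.eky && echo "alice: current key"
reads_current bob alice.eky   || echo "bob: cannot unwrap alice's file"
unwrap_as mallory mallory.old.eky && echo "mallory: old copy still unwraps"
reads_current mallory mallory.old.eky || echo "mallory: but only to the retired key"
```

Deleting a wrapped file does not by itself remove access, since a retained copy still unwraps; access ends only because the shared key is rotated and the database re-keyed to it.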

