Phil G

if pagefile.sys is deleted at each pc shutdown and hibernate funcion is not used risk is convered. The pagefile won't be deleted if the power is disconnected, but you can and probably should enable pagefile encryption if this is a concern. This covers many other potential data leaks, known and unknown. Hibernation would still need to be disabled.

The benefits of hardware tokens have to be taken in the round. The main advantage, not specific to KeePass is that the secret material: OTP keys, Challenge Response keys, PGP secret keys etc. etc. cannot be exfiltrated/copied to be used again in the future or re-used on different connections or database files, should you have the misfortune to use it on a compromised system, possibly without ever knowing a compromise has happened. Sure any specific systems you access or files you open will be vulnerable...

+1 for password confirming this activity. I've always used a portable version in a [veracrypt] encrypted file mounted only when I'm logged in, to protect against the possibility of the main executable being tampered with when others are using the PC. But for other people I've simply recommended KeePass to, I hadn't appreciated this relatively trivial way to exfiltrate information.