Home
This plugin for the KeePass password manager adds a new Key File type as an additional security layer for your KeePass database. For the basics of creating a new database, see the KeePass First Steps Tutorial.
- Download KeePass v2.x (where x is the current version, for example v2.38) from the download page. There are two download options:
  - Installer: downloads KeePass-2.x-Setup.exe, which installs KeePass on your PC
  - Portable: downloads KeePass-2.x.zip, which can be extracted to any location, including a USB flash drive
- Install or unzip KeePass
- After installation, make sure that KeePass is not running; if it is, close it
- Go to the Releases page and download the latest plugin, SmartCertificateKeyProviderPlugin.dll
- Copy the downloaded SmartCertificateKeyProviderPlugin.dll into the KeePass plugin folder (after installation the default location is C:\Program Files (x86)\KeePass Password Safe 2\Plugins)
- Start KeePass from the Start Menu
Now the KeePass application and the plugin are installed on your PC.
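
One way to script the last installation steps with an integrity check, as an added example that is not part of the plugin's own documentation. The download location and `$ExpectedSha256` are assumptions; the hash is a placeholder to replace with a value obtained from a source you trust.

```powershell
# Added example: verify the downloaded plugin, then copy it into the KeePass plugin folder.
# $Download and $ExpectedSha256 are assumptions; the hash below is a placeholder.
param(
    [string]$Download       = "$env:USERPROFILE\Downloads\SmartCertificateKeyProviderPlugin.dll",
    [string]$PluginDir      = 'C:\Program Files (x86)\KeePass Password Safe 2\Plugins',
    [string]$ExpectedSha256 = '<SHA256-OF-THE-RELEASE-YOU-TRUST>'
)
$ErrorActionPreference = 'Stop'

# The page requires KeePass to be closed before the plugin is copied.
if (Get-Process -Name 'KeePass' -ErrorAction SilentlyContinue) {
    throw 'KeePass is running. Close it and run this script again.'
}

if (-not (Test-Path -LiteralPath $Download -PathType Leaf)) {
    throw "Plugin not found at $Download"
}
if (-not (Test-Path -LiteralPath $PluginDir -PathType Container)) {
    throw "KeePass plugin folder not found at $PluginDir"
}

# A plugin runs inside the KeePass process, so pin the exact file before installing it.
# String comparison with -ne is case-insensitive, so hash casing does not matter.
$actual = (Get-FileHash -LiteralPath $Download -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "SHA-256 mismatch: got $actual"
}

# Writing under Program Files needs an elevated PowerShell session.
$target = Join-Path $PluginDir (Split-Path $Download -Leaf)
Copy-Item -LiteralPath $Download -Destination $target -Force
Unblock-File -LiteralPath $target   # clear the "downloaded from the Internet" mark

# Confirm the installed copy is identical to the verified download.
if ((Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash -ne $actual) {
    throw 'Installed file differs from the verified download.'
}
"Installed $target (SHA-256 $actual)"
```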
If you would like to use the KeePass password manager to securely store sensitive data (passwords, files, etc.), you need to create a new KeePass database (an encrypted file holding that data).
- To create a new database, press Ctrl + N or go to the File menu and click New
- You should now see the Create New Password Database dialog, where you specify the file name and path of your new KeePass database file
  It is recommended to store the database in a synchronized folder (such as Dropbox, Google Drive, OneDrive, etc.) or in any folder that you back up periodically. If your PC is stolen or has a hardware issue, this prevents the loss of the sensitive data stored in your KeePass database
- After selecting the file name and path, you will see another dialog, Create Composite Master Key, with these fields (more info on the Composite Master Key page):
  - Master password - enter the password that you will use to open the KeePass database
  - Repeat password - enter the same password again to confirm it (if the Master and Repeat passwords do not match, the Repeat password field has a red background)
  You could click the Ok button now (don't do that yet; this note is for your information only): you would go to the Database settings dialog, and clicking Ok again would open the new KeePass database. After saving the database (press Ctrl + S or use the File / Save menu), a new KeePass database file is created on your hard drive, encrypted by your Master password ONLY. To use this plugin and add more security to the new KeePass database, go to step 4 (Show expert options) without clicking the Ok button.
- Click the Show expert options checkbox to expand the advanced options of the KeePass database
- Check the Key file / provider checkbox; this enables the drop-down on the right side, where you can now select the Smart Certificate Provider plugin
  Do NOT check the Windows user account checkbox, because you would not be able to use the database on another PC
- Now click the Ok button to move to the next dialog
- The dialog should display the certificates available in Windows, including certificates stored on your Smart Card. Select the certificate that you would like to use for additional encryption of your KeePass database
  If you don't see your certificate, insert your Smart Card into the PC or import the certificate into the Windows store, then click the Cancel button and repeat the step to reload the certificate list. More info on how to import certificates onto a Smart Card or into your PC is in the section below!
- If you are using a Smart Card, you will be prompted to enter a PIN so that the certificate can be used for KeePass database encryption
- You should now see the Database settings dialog, where you can specify the KeePass database settings. More info on the Database settings page
- You should now see the newly opened KeePass database; to create the database file, press Ctrl + S or use the File / Save menu to save the changes
- The KeePass database is created and secured by your certificate
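
When the expected certificate is missing from the selection dialog described above, the following added example (not part of the plugin) shows what Windows currently exposes. It assumes the plugin reads the current user's Personal store, `Cert:\CurrentUser\My`; the page does not name the store, and the status labels are this example's own.

```powershell
# Added example: list the certificates in the current user's Personal store.
# Assumption: this is the store the plugin's selection dialog is filled from.
$now = Get-Date

Get-ChildItem -Path Cert:\CurrentUser\My |
    ForEach-Object {
        # Classify from certificate properties only; the private key is never
        # opened, so a Smart Card does not ask for its PIN here.
        $status = if (-not $_.HasPrivateKey)     { 'no private key' }
                  elseif ($_.NotBefore -gt $now) { 'not yet valid' }
                  elseif ($_.NotAfter  -lt $now) { 'expired' }
                  else                           { 'usable' }
        [pscustomobject]@{
            Status     = $status
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            Thumbprint = $_.Thumbprint
        }
    } |
    Sort-Object Status, Subject |
    Format-Table -AutoSize -Wrap
```

Run it once with the Smart Card removed and once with it inserted: entries that appear only in the second run are the ones held on the card.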
- Open the existing KeePass database
- Go to the File / Change Master Key menu
- This opens the Create Composite Master Key dialog (more info on the Composite Master Key page), where you should see these fields:
  - Master password - enter the password that you will use to open the KeePass database
  - Repeat password - enter the same password again to confirm it (if the Master and Repeat passwords do not match, the Repeat password field has a red background)
- Click the Show expert options checkbox to expand the advanced options of the KeePass database
- Check the Key file / provider checkbox; this enables the drop-down on the right side, where you can now select the Smart Certificate Provider plugin
  Do NOT check the Windows user account checkbox, because you would not be able to use the database on another PC
- Now click the Ok button to move to the next dialog
- The dialog should display the certificates available in Windows, including certificates stored on your Smart Card. Select the certificate that you would like to use for additional encryption of your KeePass database
  If you don't see your certificate, insert your Smart Card into the PC or import the certificate into the Windows store, then click the Cancel button and repeat the step to reload the certificate list. More info on how to import certificates onto a Smart Card or into your PC is in the section below!
- If you are using a Smart Card, you will be prompted to enter a PIN so that the certificate can be used for KeePass database encryption
- Now save the KeePass database to confirm the changes
If you created or modified a KeePass database with the Smart Certificate Provider and would like to open it:
- In the Open Database dialog, check the Key File checkbox, select Smart Certificate Provider in the drop-down on the right side, enter the Master password (if used), and click the Ok button
The next step occurs only if you have not already opened the KeePass database earlier. The plugin securely caches the used certificate in memory, so you don't have to choose the certificate every time you open the KeePass database. The cache is valid only while the KeePass application is running, so if you close the application, you will need to choose the certificate again. This is a feature of the plugin
- The dialog should display the certificates available in Windows, including certificates stored on your Smart Card. Select the certificate that you encrypted the database with
- If you are using a Smart Card, you will be prompted to enter a PIN so that the certificate can be used for KeePass database encryption
  This applies only if you reinsert your Smart Card, because Windows caches the used PIN, so you don't have to enter it every time you use the Smart Card. This is a feature of the Windows operating system
To be more secure, I recommend using a Smart Card, which adds an additional security layer to your KeePass database:
- it requires a PIN to be entered before anyone can access any certificate stored on the Smart Card
- if you lose your Smart Card and someone tries to use it, there are only 3 attempts to enter a valid PIN; if a valid PIN is not entered by the 3rd try, the Smart Card is locked
- the certificate's Private Key cannot be read (not even by this plugin), so no one can steal your sensitive data
- you can securely store the KeePass database on a shared online drive (such as Dropbox, OneDrive, Google Drive, etc.), because you own the Smart Card, so the certificate is safe
- if you are worried that the password used to encrypt the KeePass database has leaked, or your database was stolen (you lost your laptop, or some kind of virus / malware can trace your keyboard input and upload your KeePass database somewhere), you don't have to worry, because without the Smart Card and PIN no one would be able to open the database
I have tested these Smart Cards:
but in theory it should work with any Smart Card.
Each Smart Card has its own way of inserting / importing a certificate onto it.
You can find more info on Yubico.com or GoldKey.com