diff --git a/src/Build/Clean.bat b/src/Build/Clean.bat
new file mode 100644
index 0000000..8ac526f
--- /dev/null
+++ b/src/Build/Clean.bat
@@ -0,0 +1,73 @@
+RMDIR /S /Q KeePass
+RMDIR /S /Q KeePass_Distrib
+RMDIR /S /Q KeePassLib
+RMDIR /S /Q KeePassLibDoc
+REM RMDIR /S /Q KeePassLibSD
+REM RMDIR /S /Q KeePassNtv
+RMDIR /S /Q ShInstUtil
+
+RMDIR /S /Q ..\Ext\Output
+
+RMDIR /S /Q ..\KeePass\obj
+DEL ..\KeePass\KeePass.csproj.user
+
+RMDIR /S /Q ..\KeePassLib\obj
+DEL ..\KeePassLib\KeePassLib.csproj.user
+
+REM RMDIR /S /Q ..\KeePassLibSD\obj
+REM DEL ..\KeePassLibSD\KeePassLibSD.csproj.user
+
+REM RMDIR /S /Q ..\ShInstUtil\obj
+REM DEL ..\ShInstUtil\ShInstUtil.csproj.user
+DEL ..\ShInstUtil\ShInstUtil.aps
+DEL ..\ShInstUtil\ShInstUtil.ncb
+DEL /A:H ..\ShInstUtil\ShInstUtil.suo
+DEL /Q ..\ShInstUtil\*.user
+
+DEL /A:H ..\KeePass.suo
+DEL ..\KeePass.ncb
+
+REM DEL /Q ..\KeePassNtv\*.aps
+REM DEL /Q ..\KeePassNtv\*.user
+
+RMDIR /S /Q ArcFourCipher
+RMDIR /S /Q ..\Plugins\ArcFourCipher\obj
+DEL ..\Plugins\ArcFourCipher\ArcFourCipher.csproj.user
+DEL /A:H ..\Plugins\ArcFourCipher\ArcFourCipher.suo
+
+RMDIR /S /Q KPScript
+RMDIR /S /Q ..\Plugins\KPScript\obj
+DEL ..\Plugins\KPScript\KPScript.csproj.user
+DEL /A:H ..\Plugins\KPScript\KPScript.suo
+
+RMDIR /S /Q SamplePlugin
+RMDIR /S /Q ..\Plugins\SamplePlugin\obj
+DEL ..\Plugins\SamplePlugin\SamplePlugin.csproj.user
+DEL /A:H ..\Plugins\SamplePlugin\SamplePlugin.suo
+
+RMDIR /S /Q ..\Plugins\SamplePluginCpp\Build
+DEL /Q ..\Plugins\SamplePluginCpp\*.aps
+DEL /Q ..\Plugins\SamplePluginCpp\*.user
+DEL /Q ..\Plugins\SamplePluginCpp\*.ncb
+DEL /A:H ..\Plugins\SamplePluginCpp\SamplePluginCpp.suo
+
+RMDIR /S /Q ..\Translation\TrlUtil\Build
+RMDIR /S /Q ..\Translation\TrlUtil\obj
+DEL ..\Translation\KeePass.config.xml
+DEL ..\Translation\KeePass.exe
+DEL ..\Translation\KeePass.exe.config
+DEL ..\Translation\KeePass.pdb
+DEL ..\Translation\KeePass.XmlSerializers.dll
+DEL ..\Translation\TrlUtil.exe
+DEL ..\Translation\TrlUtil.exe.config
+DEL ..\Translation\TrlUtil.pdb
+DEL ..\Translation\TrlUtil.vshost.exe
+DEL ..\Translation\TrlUtil.vshost.exe.manifest
+
+DEL /A:H ..\Ext\KeePassMsi\KeePassMsi.suo
+RMDIR /S /Q ..\Ext\KeePassMsi\.vs
+RMDIR /S /Q KeePassMsi
+
+RMDIR /S /Q KPScript
+
+CLS
\ No newline at end of file
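Review bot: Every `RMDIR /S /Q` and `DEL` in this script takes a path relative to the current directory, and nothing pins that directory to the script's own folder, so launching it from any other working directory (an elevated prompt, another script, a shortcut) recursively and silently deletes whatever `KeePass`, `..\Ext\Output` and the rest resolve to there. Start the file with `PUSHD "%~dp0" || EXIT /B 1` and end it with `POPD`, so the deletes can only run relative to src\Build, which the `..\KeePass\obj`-style paths suggest is the intended location. The closing `CLS` clears any error output from the preceding commands, so a failed or misdirected delete leaves no trace on screen; consider dropping it. `RMDIR /S /Q KPScript` also appears twice, in the KPScript group and again just before `CLS`.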
diff --git a/src/Build/KeePassLib_Distrib/KeePassLib.dll b/src/Build/KeePassLib_Distrib/KeePassLib.dll
new file mode 100644
index 0000000..3c0f0d6
Binary files /dev/null and b/src/Build/KeePassLib_Distrib/KeePassLib.dll differ
diff --git a/src/Build/KeePassLib_Distrib/KeePassLib.xml b/src/Build/KeePassLib_Distrib/KeePassLib.xml
new file mode 100644
index 0000000..9cdaeee
--- /dev/null
+++ b/src/Build/KeePassLib_Distrib/KeePassLib.xml
@@ -0,0 +1,3152 @@
+
+
+
+ KeePassLib
+
+
+
+
+ A class containing various static path utility helper methods (like
+ stripping extension from a file, etc.).
+
+
+
+
+ Get the directory (path) of a file name. The returned string may be
+ terminated by a directory separator character. Example:
+ passing C:\\My Documents\\My File.kdb in
+ and true to
+ would produce this string: C:\\My Documents\\.
+
+ Full path of a file.
+ Append a terminating directory separator
+ character to the returned path.
+ If true, the returned path
+ is guaranteed to be a valid directory path (for example X:\\ instead
+ of X:, overriding ).
+ This should only be set to true, if the returned path is directly
+ passed to some directory API.
+ Directory of the file.
+
+
+
+ Gets the file name of the specified file (full path). Example:
+ if is C:\\My Documents\\My File.kdb
+ the returned string is My File.kdb.
+
+ Full path of a file.
+ File name of the specified file.
+
+
+
+ Strip the extension of a file.
+
+ Full path of a file with extension.
+ File name without extension.
+
+
+
+ Get the extension of a file.
+
+ Full path of a file with extension.
+ Extension without prepending dot.
+
+
+
+ Ensure that a path is terminated with a directory separator character.
+
+ Input path.
+ If true, a slash (/) is appended to
+ the string if it's not terminated already. If false, the
+ default system directory separator character is used.
+ Path having a directory separator as last character.
+
+
+
+ Get the host component of a URL.
+ This method is faster and more fault-tolerant than creating
+ an Uri object and querying its Host
+ property.
+
+
+ For the input s://u:p@d.tld:p/p?q#f the return
+ value is d.tld.
+
+
+
+
+ Expand shell variables in a string.
+ [0] is the value of %1, etc.
+
+
+
+
+ The fully qualified name of the form.
+
+
+
+
+ Serialization to KeePass KDBX files.
+
+
+ Serialization to KeePass KDBX files.
+
+
+ Serialization to KeePass KDBX files.
+
+
+ Serialization to KeePass KDBX files.
+
+
+
+
+ File identifier, first 32-bit value.
+
+
+
+
+ File identifier, second 32-bit value.
+
+
+
+
+ Maximum supported version of database files.
+ KeePass 2.07 has version 1.01, 2.08 has 1.02, 2.09 has 2.00,
+ 2.10 has 2.02, 2.11 has 2.04, 2.15 has 3.00, 2.20 has 3.01.
+ The first 2 bytes are critical (i.e. loading will fail, if the
+ file version is too high), the last 2 bytes are informational.
+
+
+
+
+ Load a KDBX file.
+
+ File to load.
+ Format.
+ Status logger (optional).
+
+
+
+ Load a KDBX file from a stream.
+
+ Stream to read the data from. Must contain
+ a KDBX stream.
+ Format.
+ Status logger (optional).
+
+
+
+ Save the contents of the current PwDatabase to a KDBX file.
+
+ Stream to write the KDBX file into.
+ Group containing all groups and
+ entries to write. If null, the complete database will
+ be written.
+ Format of the file to create.
+ Logger that recieves status information.
+
+
+
+ Default constructor.
+
+ The PwDatabase instance that the
+ class will load file data into or use to create a KDBX file.
+
+
+
+ Call this once to determine the current localization settings.
+
+
+
+
+ Detach binaries when opening a file. If this isn't null,
+ all binaries are saved to the specified path and are removed
+ from the database.
+
+
+
+
+ Contains KeePassLib-global definitions and enums.
+
+
+
+
+ Default identifier string for the title field.
+ Should not contain spaces, tabs or other whitespace.
+
+
+
+
+ Default identifier string for the user name field.
+ Should not contain spaces, tabs or other whitespace.
+
+
+
+
+ Default identifier string for the password field.
+ Should not contain spaces, tabs or other whitespace.
+
+
+
+
+ Default identifier string for the URL field.
+ Should not contain spaces, tabs or other whitespace.
+
+
+
+
+ Default identifier string for the notes field.
+ Should not contain spaces, tabs or other whitespace.
+
+
+
+
+ Maximum time (in milliseconds) after which the user interface
+ should be updated.
+
+
+
+
+ The product name.
+
+
+
+
+ A short, simple string representing the product name. The string
+ should contain no spaces, directory separator characters, etc.
+
+
+
+
+ Version, encoded as 32-bit unsigned integer.
+ 2.00 = 0x02000000, 2.01 = 0x02000100, ..., 2.18 = 0x02010800.
+ As of 2.19, the version is encoded component-wise per byte,
+ e.g. 2.19 = 0x02130000.
+ It is highly recommended to use FileVersion64 instead.
+
+
+
+
+ Version, encoded as 64-bit unsigned integer
+ (component-wise, 16 bits per component).
+
+
+
+
+ Version, encoded as string.
+
+
+
+
+ Product website URL. Terminated by a forward slash.
+
+
+
+
+ URL to the online translations page.
+
+
+
+
+ URL to the online plugins page.
+
+
+
+
+ Product donations URL.
+
+
+
+
+ URL to the root path of the online KeePass help. Terminated by
+ a forward slash.
+
+
+
+
+ URL to a TXT file (eventually compressed) that contains information
+ about the latest KeePass version available on the website.
+
+
+
+
+ A DateTime object that represents the time when the assembly
+ was loaded.
+
+
+
+
+ Default number of master key encryption/transformation rounds
+ (making dictionary attacks harder).
+
+
+
+
+ Default identifier string for the field which will contain TAN indices.
+
+
+
+
+ Default title of an entry that is really a TAN entry.
+
+
+
+
+ Prefix of a custom auto-type string field.
+
+
+
+
+ Default string representing a hidden password.
+
+
+
+
+ Default auto-type keystroke sequence. If no custom sequence is
+ specified, this sequence is used.
+
+
+
+
+ Default auto-type keystroke sequence for TAN entries. If no custom
+ sequence is specified, this sequence is used.
+
+
+
+
+ Check if a name is a standard field name.
+
+ Input field name.
+ Returns true, if the field name is a standard
+ field name (title, user name, password, ...), otherwise false.
+
+
+
+ Check whether an entry is a TAN entry.
+
+
+
+
+ Search parameters for group and entry searches.
+
+
+
+
+ Construct a new search parameters object.
+
+
+
+
+ String comparison type. Specifies the condition when the specified
+ text matches a group/entry string.
+
+
+
+
+ Only for serialization.
+
+
+
+
+ Memory protection configuration structure (for default fields).
+
+
+
+
+ Interface for objects that are deeply cloneable.
+
+ Reference type.
+
+
+
+ Deeply clone the object.
+
+ Cloned object.
+
+
+
+ Validate a key.
+
+ Key to validate.
+ Type of the validation to perform.
+ Returns null, if the validation is successful.
+ If there is a problem with the key, the returned string describes
+ the problem.
+
+
+
+ Name of your key validator (should be unique).
+
+
+
+
+ Generate HMAC-based one-time passwords as specified in RFC 4226.
+
+
+
+
+ A dictionary of ProtectedString objects.
+
+
+
+
+ Construct a new dictionary of protected strings.
+
+
+
+
+ Get one of the protected strings.
+
+ String identifier.
+ Protected string. If the string identified by
+ cannot be found, the function
+ returns null.
+ Thrown if the input
+ parameter is null.
+
+
+
+ Get one of the protected strings. The return value is never null.
+ If the requested string cannot be found, an empty protected string
+ object is returned.
+
+ String identifier.
+ Returns a protected string object. If the standard string
+ has not been set yet, the return value is an empty string ("").
+ Thrown if the input
+ parameter is null.
+
+
+
+ Test if a named string exists.
+
+ Name of the string to try.
+ Returns true if the string exists, otherwise false.
+ Thrown if
+ is null.
+
+
+
+ Get one of the protected strings. If the string doesn't exist, the
+ return value is an empty string ("").
+
+ Name of the requested string.
+ Requested string value or an empty string, if the named
+ string doesn't exist.
+ Thrown if the input
+ parameter is null.
+
+
+
+ Get one of the entry strings. If the string doesn't exist, the
+ return value is an empty string (""). If the string is
+ in-memory protected, the return value is PwDefs.HiddenPassword.
+
+ Name of the requested string.
+ Returns the requested string in plain-text or
+ PwDefs.HiddenPassword if the string cannot be found.
+ Thrown if the input
+ parameter is null.
+
+
+
+ Set a string.
+
+ Identifier of the string field to modify.
+ New value. This parameter must not be null.
+ Thrown if one of the input
+ parameters is null.
+
+
+
+ Delete a string.
+
+ Name of the string field to delete.
+ Returns true if the field has been successfully
+ removed, otherwise the return value is false.
+ Thrown if the input
+ parameter is null.
+
+
+
+ Get the number of strings.
+
+
+
+
+ A strongly-typed resource class, for looking up localized strings, etc.
+
+
+
+
+ Look up a localized string similar to
+ 'The algorithm is unknown.'.
+
+
+
+
+ Look up a localized string similar to
+ 'The character set is invalid.'.
+
+
+
+
+ Look up a localized string similar to
+ 'There are too few characters in the character set.'.
+
+
+
+
+ Look up a localized string similar to
+ 'Failed to initialize encryption/decryption stream!'.
+
+
+
+
+ Look up a localized string similar to
+ 'The data is too large to be encrypted/decrypted securely using {PARAM}.'.
+
+
+
+
+ Look up a localized string similar to
+ 'entry'.
+
+
+
+
+ Look up a localized string similar to
+ 'An extended error report has been copied to the clipboard.'.
+
+
+
+
+ Look up a localized string similar to
+ 'Expect 100-Continue responses'.
+
+
+
+
+ Look up a localized string similar to
+ 'Fatal Error'.
+
+
+
+
+ Look up a localized string similar to
+ 'A fatal error has occurred!'.
+
+
+
+
+ Look up a localized string similar to
+ 'The file is corrupted.'.
+
+
+
+
+ Look up a localized string similar to
+ 'The file header is corrupted.'.
+
+
+
+
+ Look up a localized string similar to
+ 'Data is missing at the end of the file, i.e. the file is incomplete.'.
+
+
+
+
+ Look up a localized string similar to
+ 'Less data than expected could be read from the file.'.
+
+
+
+
+ Look up a localized string similar to
+ 'Failed to load the specified file!'.
+
+
+
+
+ Look up a localized string similar to
+ 'The file is locked, because the following user is currently writing to it:'.
+
+
+
+
+ Look up a localized string similar to
+ 'A newer KeePass version or a plugin is required to open this file.'.
+
+
+
+
+ Look up a localized string similar to
+ 'A newer KeePass version is required to open this file.'.
+
+
+
+
+ Look up a localized string similar to
+ 'The target file might be corrupted. Please try saving again. If that fails, save the database to a different location.'.
+
+
+
+
+ Look up a localized string similar to
+ 'Failed to save to the specified file!'.
+
+
+
+
+ Look up a localized string similar to
+ 'The file signature is invalid. Either the file isn't a KeePass database file at all or it is corrupted.'.
+
+
+
+
+ Look up a localized string similar to
+ 'The file is encrypted using an unknown encryption algorithm!'.
+
+
+
+
+ Look up a localized string similar to
+ 'The file is compressed using an unknown compression algorithm!'.
+
+
+
+
+ Look up a localized string similar to
+ 'The file format version is unsupported.'.
+
+
+
+
+ Look up a localized string similar to
+ 'Failed to create the final encryption/decryption key!'.
+
+
+
+
+ Look up a localized string similar to
+ 'The .NET Framework/runtime under which KeePass is currently running does not support this operation.'.
+
+
+
+
+ Look up a localized string similar to
+ 'General'.
+
+
+
+
+ Look up a localized string similar to
+ 'group'.
+
+
+
+
+ Look up a localized string similar to
+ 'The master key is invalid!'.
+
+
+
+
+ Look up a localized string similar to
+ 'Make sure that the master key is correct and try it again.'.
+
+
+
+
+ Look up a localized string similar to
+ 'Found invalid data while decoding.'.
+
+
+
+
+ Look up a localized string similar to
+ 'In order to import KeePass 1.x KDB files, create a new 2.x database file and click 'File' -> 'Import' in the main menu. In the import dialog, choose 'KeePass KDB (1.x)' as file format.'.
+
+
+
+
+ Look up a localized string similar to
+ '{PARAM}-bit key'.
+
+
+
+
+ Look up a localized string similar to
+ 'Database files cannot be used as key files.'.
+
+
+
+
+ Look up a localized string similar to
+ 'The key and the hash do not match, i.e. the key or the hash is invalid.'.
+
+
+
+
+ Look up a localized string similar to
+ 'The length of the master key seed is invalid!'.
+
+
+
+
+ Look up a localized string similar to
+ 'The selected file appears to be an old format'.
+
+
+
+
+ Look up a localized string similar to
+ 'Passive'.
+
+
+
+
+ Look up a localized string similar to
+ 'The path contains a backslash. Such paths are not supported (for security reasons).'.
+
+
+
+
+ Look up a localized string similar to
+ 'The pattern is invalid.'.
+
+
+
+
+ Look up a localized string similar to
+ 'Pre-authenticate'.
+
+
+
+
+ Look up a localized string similar to
+ 'Failed to generate a password.'.
+
+
+
+
+ Look up a localized string similar to
+ 'Structures are nested too deeply.'.
+
+
+
+
+ Look up a localized string similar to
+ 'Timeout'.
+
+
+
+
+ Look up a localized string similar to
+ 'Please try it again in a few seconds.'.
+
+
+
+
+ Look up a localized string similar to
+ 'An unknown error occurred.'.
+
+
+
+
+ Look up a localized string similar to
+ 'Unknown header ID!'.
+
+
+
+
+ Look up a localized string similar to
+ 'Unknown key derivation function!'.
+
+
+
+
+ Look up a localized string similar to
+ 'The operating system did not grant KeePass read/write access to the user profile folder, where the protected user key is stored.'.
+
+
+
+
+ Look up a localized string similar to
+ 'User agent'.
+
+
+
+
+ Algorithms supported by CryptoRandomStream.
+
+
+
+
+ Not supported.
+
+
+
+
+ A variant of the ARCFour algorithm (RC4 incompatible).
+ Insecure; for backward compatibility only.
+
+
+
+
+ Salsa20 stream cipher algorithm.
+
+
+
+
+ ChaCha20 stream cipher algorithm.
+
+
+
+
+ A random stream class. The class is initialized using random
+ bytes provided by the caller. The produced stream has random
+ properties, but for the same seed always the same stream
+ is produced, i.e. this class can be used as stream cipher.
+
+
+
+
+ Construct a new cryptographically secure random stream object.
+
+ Algorithm to use.
+ Initialization key. Must not be null
+ and must contain at least 1 byte.
+
+
+
+ Get random bytes.
+
+ Number of random bytes to retrieve.
+ Returns random bytes.
+
+
+
+ Character stream class.
+
+
+
+
+ Size of a character in bytes.
+
+
+
+
+ Start signature of the text (byte order mark).
+ May be null or empty, if no signature is known.
+
+
+
+
+ A class containing various string helper methods.
+
+
+
+
+ Convert a string to a HTML sequence representing that string.
+
+ String to convert.
+ String, HTML-encoded.
+
+
+
+ Convert a Color to a HTML color identifier string.
+
+ Color to convert.
+ If this is true, an empty string
+ is returned if the color is transparent.
+ HTML color identifier string.
+
+
+
+ Format an exception and convert it to a string.
+
+ Exception to convert/format.
+ String representing the exception.
+
+
+
+ Removes all characters that are not valid XML characters,
+ according to https://www.w3.org/TR/xml/#charsets .
+
+ Source text.
+ Text containing only valid XML characters.
+
+
+
+ Normalize new line characters in a string. Input strings may
+ contain mixed new line character sequences from all commonly
+ used operating systems (i.e. \r\n from Windows, \n from Unix
+ and \r from MacOS.
+
+ String with mixed new line characters.
+ If true, new line characters
+ are normalized for Windows (\r\n); if false, new line
+ characters are normalized for Unix (\n).
+ String with normalized new line characters.
+
+
+
+ Split a string and include the separators in the splitted array.
+
+ String to split.
+ Separators.
+ Specifies whether separators are
+ matched case-sensitively or not.
+ Splitted string including separators.
+
+
+
+ Create a data URI (according to RFC 2397).
+
+ Data to encode.
+ Optional MIME type. If null,
+ an appropriate type is used.
+ Data URI.
+
+
+
+ Convert a data URI (according to RFC 2397) to binary data.
+
+ Data URI to decode.
+ Decoded binary data.
+
+
+
+ Remove placeholders from a string (wrapped in '{' and '}').
+ This doesn't remove environment variables (wrapped in '%').
+
+
+
+
+ Find a character that does not occur within a given text.
+
+
+
+
+ Generate random seeds and store them in .
+
+
+
+
+ Set the value of the private shown_raised member
+ variable of a form.
+
+ Previous shown_raised value.
+
+
+
+ Ensure that the file ~/.recently-used is valid (in order to
+ prevent Mono's FileDialog from crashing).
+
+
+
+
+ Member variable name of the control to be translated.
+
+
+
+
+ A XorredBuffer object stores data that is encrypted
+ using a XOR pad.
+
+
+
+
+ Construct a new XorredBuffer object.
+ The byte array must have the same
+ length as the byte array.
+ The XorredBuffer object takes ownership of the two byte
+ arrays, i.e. the caller must not use them afterwards.
+
+ Data with XOR pad applied.
+ XOR pad that can be used to decrypt the
+ byte array.
+
+
+
+ Get a copy of the plain-text. The caller is responsible
+ for clearing the byte array safely after using it.
+
+ Plain-text byte array.
+
+
+
+ Contains various static time structure manipulation and conversion
+ routines.
+
+
+
+
+ Length of a compressed PW_TIME structure in bytes.
+
+
+
+
+ Pack a DateTime object into 5 bytes. Layout: 2 zero bits,
+ year 12 bits, month 4 bits, day 5 bits, hour 5 bits, minute 6
+ bits, second 6 bits.
+
+
+
+
+ Unpack a packed time (5 bytes, packed by the PackTime
+ member function) to a DateTime object.
+
+ Packed time, 5 bytes.
+ Unpacked DateTime object.
+
+
+
+ Pack a DateTime object into 7 bytes (PW_TIME).
+
+ Object to be encoded.
+ Packed time, 7 bytes (PW_TIME).
+
+
+
+ Unpack a packed time (7 bytes, PW_TIME) to a DateTime object.
+
+ Packed time, 7 bytes.
+ Unpacked DateTime object.
+
+
+
+ Convert a DateTime object to a displayable string.
+
+ DateTime object to convert to a string.
+ String representing the specified DateTime object.
+
+
+
+ Parse a US textual date string, like e.g. "January 02, 2012".
+
+
+
+
+ Check equality of two times with precision 1 s, floor-rounded.
+ Ticks finer than 1 s are ignored.
+
+
+
+
+ Do not remember user name or password.
+
+
+
+
+ Remember the user name only, not the password.
+
+
+
+
+ Save both user name and password.
+
+
+
+
+ For serialization only; use Properties in code.
+
+
+
+
+ Status message types.
+
+
+
+
+ Default type: simple information type.
+
+
+
+
+ Warning message.
+
+
+
+
+ Error message.
+
+
+
+
+ Additional information. Depends on lines above.
+
+
+
+
+ Status logging interface.
+
+
+
+
+ Function which needs to be called when logging is started.
+
+ This string should roughly describe
+ the operation, of which the status is logged.
+ Specifies whether the
+ operation is written to the log or not.
+
+
+
+ Function which needs to be called when logging is ended
+ (i.e. when no more messages will be logged and when the
+ percent value won't change any more).
+
+
+
+
+ Set the current progress in percent.
+
+ Percent of work finished.
+ Returns true if the caller should continue
+ the current work.
+
+
+
+ Set the current status text.
+
+ Status text.
+ Type of the message.
+ Returns true if the caller should continue
+ the current work.
+
+
+
+ Check whether the user cancelled the current work.
+
+ Returns true if the caller should continue
+ the current work.
+
+
+
+ Interface for objects that support various times (creation time, last
+ access time, last modification time and expiry time). Offers
+ several helper functions (for example a function to touch the current
+ object).
+
+
+
+
+ Touch the object. This function updates the internal last access
+ time. If the parameter is true,
+ the last modification time gets updated, too. Each time you call
+ Touch, the usage count of the object is increased by one.
+
+ Update last modification time.
+
+
+
+ The date/time when the object was created.
+
+
+
+
+ The date/time when the object was last modified.
+
+
+
+
+ The date/time when the object was last accessed.
+
+
+
+
+ The date/time when the object expires.
+
+
+
+
+ Flag that determines whether the object expires.
+
+
+
+
+ Get or set the usage count of the object. To increase the usage
+ count by one, use the Touch function.
+
+
+
+
+ The date/time when the location of the object was last changed.
+
+
+
+
+ UUID of the engine. If you want to write an engine/plugin,
+ please contact the KeePass team to obtain a new UUID.
+
+
+
+
+ Name displayed in the list of available encryption/decryption
+ engines in the GUI.
+
+
+
+
+ Interface to a user key, like a password, key file data, etc.
+
+
+
+
+ Get key data. Querying this property is fast (it returns a
+ reference to a cached ProtectedBinary object).
+ If no key data is available, null is returned.
+
+
+
+
+ Let the user interface save the current database.
+
+ If true, the UI will not ask for
+ whether to synchronize or overwrite, it'll simply overwrite the
+ file.
+ Returns true if the file has been saved.
+
+
+
+ Latin-1 Supplement except U+00A0 (NBSP) and U+00AD (SHY).
+
+
+
+
+ Create a new, empty character set.
+
+
+
+
+ Remove all characters from this set.
+
+
+
+
+ Add characters to the set.
+
+ Character to add.
+
+
+
+ Add characters to the set.
+
+ String containing characters to add.
+
+
+
+ Convert the character set to a string containing all its characters.
+
+ String containing all character set characters.
+
+
+
+ Number of characters in this set.
+
+
+
+
+ Get a character of the set using an index.
+
+ Index of the character to get.
+ Character at the specified position. If the index is invalid,
+ an ArgumentOutOfRangeException is thrown.
+
+
+
+ Create a cryptographic key of length
+ (in bytes) from .
+
+
+
+
+ Password generator.
+
+
+
+
+ Rename/move a file. For local file system and WebDAV, the
+ specified file is moved, i.e. the file destination can be
+ in a different directory/path. In contrast, for FTP the
+ file is renamed, i.e. its destination must be in the same
+ directory/path.
+
+ Source file path.
+ Target file path.
+
+
+
+ A group containing subgroups and entries.
+
+
+
+
+ Search this group and all subgroups for entries.
+
+ Specifies the search parameters.
+ Entry list in which the search results
+ will be stored.
+
+
+
+ Search this group and all subgroups for entries.
+
+ Specifies the search parameters.
+ Entry list in which the search results
+ will be stored.
+ Optional status reporting object.
+
+
+
+ Construct a new, empty group.
+
+
+
+
+ Construct a new, empty group.
+
+ Create a new UUID for this group.
+ Set creation, last access and last modification times to the current time.
+
+
+
+ Construct a new group.
+
+ Create a new UUID for this group.
+ Set creation, last access and last modification times to the current time.
+ Name of the new group.
+ Icon of the new group.
+
+
+
+ Deeply clone the current group. The returned group will be an exact
+ value copy of the current object (including UUID, etc.).
+
+ Exact value copy of the current PwGroup object.
+
+
+
+ Assign properties to the current group based on a template group.
+
+ Template group. Must not be null.
+ Only set the properties of the template group
+ if it is newer than the current one.
+ If true, the
+ LocationChanged property is copied, otherwise not.
+
+
+
+ Touch the group. This function updates the internal last access
+ time. If the parameter is true,
+ the last modification time gets updated, too.
+
+ Modify last modification time.
+
+
+
+ Touch the group. This function updates the internal last access
+ time. If the parameter is true,
+ the last modification time gets updated, too.
+
+ Modify last modification time.
+ If true, all parent objects
+ get touched, too.
+
+
+
+ Get number of groups and entries in the current group. This function
+ can also traverse through all subgroups and accumulate their counts
+ (recursive mode).
+
+ If this parameter is true, all
+ subgroups and entries in subgroups will be counted and added to
+ the returned value. If it is false, only the number of
+ subgroups and entries of the current group is returned.
+ Number of subgroups.
+ Number of entries.
+
+
+
+ Traverse the group/entry tree in the current group. Various traversal
+ methods are available.
+
+ Specifies the traversal method.
+ Function that performs an action on
+ the currently visited group (see GroupHandler for more).
+ This parameter may be null, in this case the tree is traversed but
+ you don't get notifications for each visited group.
+ Function that performs an action on
+ the currently visited entry (see EntryHandler for more).
+ This parameter may be null.
+ Returns true if all entries and groups have been
+ traversed. If the traversal has been canceled by one of the two
+ handlers, the return value is false.
+
+
+
+ Pack all groups into one flat linked list of references (recursively).
+
+ Flat list of all groups.
+
+
+
+ Pack all entries into one flat linked list of references. Temporary
+ group IDs are assigned automatically.
+
+ A flat group list created by
+ GetFlatGroupList.
+ Flat list of all entries.
+
+
+
+ Enable protection of a specific string field type.
+
+ Name of the string field to protect or unprotect.
+ Enable protection or not.
+ Returns true, if the operation completed successfully,
+ otherwise false.
+
+
+
+ Find a group.
+
+ UUID identifying the group the caller is looking for.
+ If true, the search is recursive.
+ Returns reference to found group, otherwise null.
+
+
+
+ Find an object.
+
+ UUID of the object to find.
+ Specifies whether to search recursively.
+ If null, groups and entries are
+ searched. If true, only entries are searched. If false,
+ only groups are searched.
+ Reference to the object, if found. Otherwise null.
+
+
+
+ Try to find a subgroup and create it, if it doesn't exist yet.
+
+ Name of the subgroup.
+ If the group isn't found: create it.
+ Returns a reference to the requested group or null if
+ it doesn't exist and shouldn't be created.
+
+
+
+ Find an entry.
+
+ UUID identifying the entry the caller is looking for.
+ If true, the search is recursive.
+ Returns reference to found entry, otherwise null.
+
+
+
+ Get the full path of the group.
+
+
+
+
+ Get the full path of the group.
+
+ String that separates the group
+ names.
+ Specifies whether the returned
+ path starts with the topmost group.
+
+
+
+ Assign new UUIDs to groups and entries.
+
+ Create new UUIDs for subgroups.
+ Create new UUIDs for entries.
+ Recursive tree traversal.
+
+
+
+ Find/create a subtree of groups.
+
+ Tree string.
+ Separators that delimit groups in the
+ strTree parameter.
+
+
+
+ Get the depth of this group (i.e. the number of ancestors).
+
+ Depth of this group.
+
+
+
+ Get a list of subgroups (not including this one).
+
+ If true, subgroups are added
+ recursively, i.e. all child groups are returned, too.
+ List of subgroups. If is
+ true, it is guaranteed that subsubgroups appear after
+ subgroups.
+
+
+
+ Get objects contained in this group.
+
+ Specifies whether to search recursively.
+ If null, the returned list contains
+ groups and entries. If true, the returned list contains only
+ entries. If false, the returned list contains only groups.
+ List of objects.
+
+
+
+ Add a subgroup to this group.
+
+ Group to be added. Must not be null.
+ If this parameter is true, the
+ parent group reference of the subgroup will be set to the current
+ group (i.e. the current group takes ownership of the subgroup).
+
+
+
+ Add a subgroup to this group.
+
+ Group to be added. Must not be null.
+ If this parameter is true, the
+ parent group reference of the subgroup will be set to the current
+ group (i.e. the current group takes ownership of the subgroup).
+ If true, the
+ LocationChanged property of the subgroup is updated.
+
+
+
+ Add an entry to this group.
+
+ Entry to be added. Must not be null.
+ If this parameter is true, the
+ parent group reference of the entry will be set to the current
+ group (i.e. the current group takes ownership of the entry).
+
+
+
+ Add an entry to this group.
+
+ Entry to be added. Must not be null.
+ If this parameter is true, the
+ parent group reference of the entry will be set to the current
+ group (i.e. the current group takes ownership of the entry).
+ If true, the
+ LocationChanged property of the entry is updated.
+
+
+
+ UUID of this group.
+
+
+
+
+ Reference to the group to which this group belongs. May be null.
+
+
+
+
+ The date/time when the location of the object was last changed.
+
+
+
+
+ The name of this group. Cannot be null.
+
+
+
+
+ Comments about this group. Cannot be null.
+
+
+
+
+ Icon of the group.
+
+
+
+
+ Get the custom icon ID. This value is 0, if no custom icon is
+ being used (i.e. the icon specified by the IconID property
+ should be displayed).
+
+
+
+
+ A flag that specifies if the group is shown as expanded or
+ collapsed in the user interface.
+
+
+
+
+ The date/time when this group was created.
+
+
+
+
+ The date/time when this group was last modified.
+
+
+
+
+ The date/time when this group was last accessed (read).
+
+
+
+
+ The date/time when this group expires.
+
+
+
+
+ Flag that determines if the group expires.
+
+
+
+
+ Get or set the usage count of the group. To increase the usage
+ count by one, use the Touch function.
+
+
+
+
+ Get a list of subgroups in this group.
+
+
+
+
+ Get a list of entries in this group.
+
+
+
+
+ A flag specifying whether this group is virtual or not. Virtual
+ groups can contain links to entries stored in other groups.
+ Note that this flag has to be interpreted and set by the calling
+ code; it won't prevent you from accessing and modifying the list
+ of entries in this group in any way.
+
+
+
+
+ Default auto-type keystroke sequence for all entries in
+ this group. This property can be an empty string, which
+ means that the value should be inherited from the parent.
+
+
+
+
+ Custom data container that can be used by plugins to store
+ own data in KeePass groups.
+ The data is stored in the encrypted part of encrypted
+ database files.
+ Use unique names for your items, e.g. "PluginName_ItemName".
+
+
+
+
+ Password generation function.
+
+ Password generation options chosen
+ by the user. This may be null, if the default
+ options should be used.
+ Source that the algorithm
+ can use to generate random numbers.
+ Generated password or null in case
+ of failure. If returning null, the caller assumes
+ that an error message has already been shown to the user.
+
+
+
+ Each custom password generation algorithm must have
+ its own unique UUID.
+
+
+
+
+ Displayable name of the password generation algorithm.
+
+
+
+
+ A list of auto-type associations.
+
+
+
+
+ Construct a new auto-type associations list.
+
+
+
+
+ Remove all associations.
+
+
+
+
+ Clone the auto-type associations list.
+
+ New, cloned object.
+
+
+
+ Specify whether auto-type is enabled or not.
+
+
+
+
+ Specify whether the typing should be obfuscated.
+
+
+
+
+ The default keystroke sequence that is auto-typed if
+ no matching window is found in the Associations
+ container.
+
+
+
+
+ Get all auto-type window/keystroke sequence pairs.
+
+
+
+
+ Name of your key provider (should be unique).
+
+
+
+
+ Property indicating whether the provider is exclusive.
+ If the provider is exclusive, KeePass does not allow other
+ key sources (master password, Windows user account, ...)
+ to be combined with the provider.
+ Key providers typically should return false
+ (to allow non-exclusive use), i.e. do not override this
+ property.
+
+
+
+
+ Property that specifies whether the returned key data
+ gets hashed by KeePass first or is written directly to
+ the user key data stream.
+ Standard key provider plugins should return false
+ (i.e. don't overwrite this property). Returning true
+ may cause severe security problems and is highly
+ discouraged.
+
+
+
+
+ This property specifies whether the GetKey method might
+ show a form or dialog. If there is any chance that the method shows
+ one, this property must return true. Only if it's guaranteed
+ that the GetKey method doesn't show any form or dialog, this
+ property should return false.
+
+
+
+
+ This property specifies whether the key provider is compatible
+ with the secure desktop mode. This almost never is the case,
+ so you usually won't override this property.
+
+
+
+
+ Implementation of the ChaCha20 cipher with a 96-bit nonce,
+ as specified in RFC 7539.
+ https://tools.ietf.org/html/rfc7539
+
+
+
+
+ Constructor.
+
+ Key (32 bytes).
+ Nonce (12 bytes).
+ If false, the RFC 7539 version
+ of ChaCha20 is used. In this case, only 256 GB of data can be
+ encrypted securely (because the block counter is a 32-bit variable);
+ an attempt to encrypt more data throws an exception.
+ If is true, the 32-bit
+ counter overflows to another 32-bit variable (i.e. the counter
+ effectively is a 64-bit variable), like in the original ChaCha20
+ specification by D. J. Bernstein (which has a 64-bit counter and a
+ 64-bit nonce). To be compatible with this version, the 64-bit nonce
+ must be stored in the last 8 bytes of
+ and the first 4 bytes must be 0.
+ If the IV was generated randomly, a 12-byte IV and a large counter
+ can be used to securely encrypt more than 256 GB of data (but note
+ this is incompatible with RFC 7539 and the original specification).
+
+
+
+ List of objects that implement IDeepCloneable
+ and cannot be null.
+
+ Object type.
+
+
+
+ Type of the password generator. Different types like generators
+ based on given patterns, based on character sets, etc. are
+ available.
+
+
+
+
+ Generator based on character spaces/sets, i.e. groups
+ of characters like lower-case, upper-case or numeric characters.
+
+
+
+
+ Password generation based on a pattern. The user has provided
+ a pattern, which describes how the generated password has to
+ look like.
+
+
+
+
+ Cryptographically secure pseudo-random number generator.
+ The returned values are unpredictable and cannot be reproduced.
+ CryptoRandom is a singleton class.
+
+
+
+
+ Update the internal seed of the random number generator based
+ on entropy data.
+ This method is thread-safe.
+
+ Entropy bytes.
+
+
+
+ Get a number of cryptographically strong random bytes.
+ This method is thread-safe.
+
+ Number of requested random bytes.
+ A byte array consisting of
+ random bytes.
+
+
+
+ Get the number of random bytes that this instance generated so far.
+ Note that this number can be higher than the number of random bytes
+ actually requested using the GetRandomBytes method.
+
+
+
+
+ Event that is triggered whenever the internal GenerateRandom256
+ method is called to generate random bytes.
+
+
+
+
+ Interface to native library (library containing fast versions of
+ several cryptographic functions).
+
+
+
+
+ Determine if the native library is installed.
+
+ Returns true, if the native library is installed.
+
+
+
+ Transform a key.
+
+ Source and destination buffer.
+ Key to use for the transformation.
+ Number of transformation rounds.
+ Returns true, if the key was transformed successfully.
+
+
+
+ Benchmark key transformation.
+
+ Number of milliseconds to perform the benchmark.
+ Number of transformations done.
+ Returns true, if the benchmark was successful.
+
+
+
+ If true, the native library is used.
+
+
+
+
+ Resize an image.
+
+ Image to resize.
+ Width of the returned image.
+ Height of the returned image.
+ Flags to customize scaling behavior.
+ Resized image. This object is always different
+ from (i.e. they can be
+ disposed separately).
+
+
+
+ Buffer manipulation and conversion routines.
+
+
+
+
+ Convert a hexadecimal string to a byte array. The input string must be
+ even (i.e. its length is a multiple of 2).
+
+ String containing hexadecimal characters.
+ Returns a byte array. Returns null if the string parameter
+ was null or is an uneven string (i.e. if its length isn't a
+ multiple of 2).
+ Thrown if
+ is null.
+
+
+
+ Convert a byte array to a hexadecimal string.
+
+ Input byte array.
+ Returns the hexadecimal string representing the byte
+ array. Returns null, if the input byte array was null. Returns
+ an empty string, if the input byte array has length 0.
+
+
+
+ Decode Base32 strings according to RFC 4648.
+
+
+
+
+ Set all bytes in a byte array to zero.
+
+ Input array. All bytes of this array
+ will be set to zero.
+
+
+
+ Set all elements of an array to the default value.
+
+ Input array.
+
+
+
+ Convert 2 bytes to a 16-bit unsigned integer (little-endian).
+
+
+
+
+ Convert 2 bytes to a 16-bit unsigned integer (little-endian).
+
+
+
+
+ Convert 4 bytes to a 32-bit unsigned integer (little-endian).
+
+
+
+
+ Convert 4 bytes to a 32-bit unsigned integer (little-endian).
+
+
+
+
+ Convert 8 bytes to a 64-bit unsigned integer (little-endian).
+
+
+
+
+ Convert 8 bytes to a 64-bit unsigned integer (little-endian).
+
+
+
+
+ Convert a 16-bit unsigned integer to 2 bytes (little-endian).
+
+
+
+
+ Convert a 32-bit unsigned integer to 4 bytes (little-endian).
+
+
+
+
+ Convert a 32-bit unsigned integer to 4 bytes (little-endian).
+
+
+
+
+ Convert a 64-bit unsigned integer to 8 bytes (little-endian).
+
+
+
+
+ Convert a 64-bit unsigned integer to 8 bytes (little-endian).
+
+
+
+
+ Fast 32-bit hash (e.g. for hash tables).
+ The algorithm might change in the future; do not store
+ the hashes for later use.
+
+
+
+
+ A user key depending on the currently logged on Windows user account.
+
+
+
+
+ Construct a user account key.
+
+
+
+
+ Get key data. Querying this property is fast (it returns a
+ reference to a cached ProtectedBinary object).
+ If no key data is available, null is returned.
+
+
+
+
+ Function definition of a method that performs an action on a group.
+ When traversing the internal tree, this function will be invoked
+ for all visited groups.
+
+ Currently visited group.
+ You must return true if you want to continue the
+ traversal. If you want to immediately stop the whole traversal,
+ return false.
+
+
+
+ Function definition of a method that performs an action on an entry.
+ When traversing the internal tree, this function will be invoked
+ for all visited entries.
+
+ Currently visited entry.
+ You must return true if you want to continue the
+ traversal. If you want to immediately stop the whole traversal,
+ return false.
+
+
+
+ Pool of encryption/decryption algorithms (ciphers).
+
+
+
+
+ Remove all cipher engines from the current pool.
+
+
+
+
+ Add a cipher engine to the pool.
+
+ Cipher engine to add. Must not be null.
+
+
+
+ Get a cipher identified by its UUID.
+
+ UUID of the cipher to return.
+ Reference to the requested cipher. If the cipher is
+ not found, null is returned.
+
+
+
+ Get the index of a cipher. This index is temporary and should
+ not be stored or used to identify a cipher.
+
+ UUID of the cipher.
+ Index of the requested cipher. Returns -1 if
+ the specified cipher is not found.
+
+
+
+ Get the index of a cipher. This index is temporary and should
+ not be stored or used to identify a cipher.
+
+ Name of the cipher. Note that
+ multiple ciphers can have the same name. In this case, the
+ first matching cipher is returned.
+ Cipher with the specified name or -1 if
+ no cipher with that name is found.
+
+
+
+ Get the number of cipher engines in this pool.
+
+
+
+
+ Get the cipher engine at the specified position. Throws
+ an exception if the index is invalid. You can use this
+ to iterate over all ciphers, but do not use it to
+ identify ciphers.
+
+ Index of the requested cipher engine.
+ Reference to the cipher engine at the specified
+ position.
+
+
+
+ The core password manager class. It contains a number of groups, which
+ contain the actual entries.
+
+
+
+
+ Constructs an empty password manager object.
+
+
+
+
+ Initialize the class for managing a new database. Previously loaded
+ data is deleted.
+
+ I/O connection of the new database.
+ Key to open the database.
+
+
+
+ Open a database. The URL may point to any supported data source.
+
+ I/O connection to load the database from.
+ Key used to open the specified database.
+ Logger, which gets all status messages.
+
+
+
+ Save the currently open database. The file is written to the
+ location it has been opened from.
+
+ Logger that recieves status information.
+
+
+
+ Save the currently open database to a different location. If
+ is true, the specified
+ location is made the default location for future saves
+ using SaveDatabase.
+
+ New location to serialize the database to.
+ If true, the new location is made
+ the standard location for the database. If false, a copy of the
+ currently open database is saved to the specified location, but it
+ isn't made the default location (i.e. no lock files will be moved for
+ example).
+ Logger that recieves status information.
+
+
+
+ Closes the currently open database. No confirmation message
+ is shown before closing. Unsaved changes will be lost.
+
+
+
+
+ Load only the unencrypted header of a database file.
+ In the returned database object, any data that is not stored
+ in the unencrypted header is set to its default value.
+ Intended primarily for plugins.
+
+
+
+
+ Get the index of a custom icon.
+
+ ID of the icon.
+ Index of the icon.
+
+
+
+ Get a custom icon. This method can return null,
+ e.g. if no cached image of the icon is available.
+
+ ID of the icon.
+ Width of the returned image. If this is
+ negative, the image is returned in its original size.
+ Height of the returned image. If this is
+ negative, the image is returned in its original size.
+
+
+
+ Get the root group that contains all groups and entries stored in the
+ database.
+
+ Root group. The return value is null, if the database
+ is not open.
+
+
+
+ IOConnection of the currently open database file.
+ Is never null.
+
+
+
+
+ If this is true, a database is currently open.
+
+
+
+
+ Modification flag. If true, the class has been modified and the
+ user interface should prompt the user to save the changes before
+ closing the database for example.
+
+
+
+
+ The user key used for database encryption. This key must be created
+ and set before using any of the database load/save functions.
+
+
+
+
+ Name of the database.
+
+
+
+
+ Database description.
+
+
+
+
+ Default user name used for new entries.
+
+
+
+
+ Number of days until history entries are being deleted
+ in a database maintenance operation.
+
+
+
+
+ The encryption algorithm used to encrypt the data part of the database.
+
+
+
+
+ Compression algorithm used to encrypt the data part of the database.
+
+
+
+
+ Memory protection configuration (for default fields).
+
+
+
+
+ Get a list of all deleted objects.
+
+
+
+
+ Get all custom icons stored in this database.
+
+
+
+
+ This is a dirty-flag for the UI. It is used to indicate when an
+ icon list update is required.
+
+
+
+
+ UUID of the group containing template entries. May be
+ PwUuid.Zero, if no entry templates group has been specified.
+
+
+
+
+ Custom data container that can be used by plugins to store
+ own data in KeePass databases.
+ The data is stored in the encrypted part of encrypted
+ database files.
+ Use unique names for your items, e.g. "PluginName_ItemName".
+
+
+
+
+ Custom data container that can be used by plugins to store
+ own data in KeePass databases.
+ The data is stored in the *unencrypted* part of database files,
+ and it is not supported by all file formats (e.g. supported by KDBX,
+ unsupported by XML).
+ It is highly recommended to use CustomData instead,
+ if possible.
+ Use unique names for your items, e.g. "PluginName_ItemName".
+
+
+
+
+ Hash value of the primary file on disk (last read or last write).
+ A call to SaveAs without making the saved file primary will
+ not change this hash. May be null.
+
+
+
+
+ Detach binaries when opening a file. If this isn't null,
+ all binaries are saved to the specified path and are removed
+ from the database.
+
+
+
+
+ Localized application name.
+
+
+
+
+ Create a deep copy.
+
+
+
+
+ Unsupported.
+
+
+
+
+ Length of an encryption key in bytes.
+ The base ICipherEngine assumes 32.
+
+
+
+
+ Length of the initialization vector in bytes.
+ The base ICipherEngine assumes 16.
+
+
+
+
+ Represents a key. A key can be build up using several user key data sources
+ like a password, a key file, the currently logged on user credentials,
+ the current computer ID, etc.
+
+
+
+
+ Construct a new, empty key object.
+
+
+
+
+ Add a user key.
+
+ User key to add.
+
+
+
+ Remove a user key.
+
+ User key to remove.
+ Returns true if the key was removed successfully.
+
+
+
+ Test whether the composite key contains a specific type of
+ user keys (password, key file, ...). If at least one user
+ key of that type is present, the function returns true.
+
+ User key type.
+ Returns true, if the composite key contains
+ a user key of the specified type.
+
+
+
+ Get the first user key of a specified type.
+
+ Type of the user key to get.
+ Returns the first user key of the specified type
+ or null if no key of that type is found.
+
+
+
+ Creates the composite key from the supplied user key sources (password,
+ key file, user account, computer ID, etc.).
+
+
+
+
+ Generate a 32-byte (256-bit) key from the composite key.
+
+
+
+
+ List of all user keys contained in the current composite key.
+
+
+
+
+ A strongly-typed resource class, for looking up localized strings, etc.
+
+
+
+
+ Look up a localized string similar to
+ 'Test'.
+
+
+
+
+ Get the icon as an Image (original size).
+
+
+
+
+ Get the icon as an Image (with the specified size).
+
+ Width of the returned image.
+ Height of the returned image.
+
+
+
+ A class that offers static functions to estimate the quality of
+ passwords.
+
+
+
+
+ Estimate the quality of a password.
+
+ Password to check.
+ Estimated bit-strength of the password.
+
+
+
+ Estimate the quality of a password.
+
+ Password to check, UTF-8 encoded.
+ Estimated bit-strength of the password.
+
+
+
+ The KdbxFile class supports saving the data to various
+ formats.
+
+
+
+
+ The default, encrypted file format.
+
+
+
+
+ Use this flag when exporting data to a plain-text XML file.
+
+
+
+
+ If this property is set to a non-null stream, all data that
+ is read from the input stream is automatically written to
+ the copy stream (before returning the read data).
+
+
+
+
+ Represents an UUID of a password entry or group. Once created,
+ PwUuid objects aren't modifyable anymore (immutable).
+
+
+
+
+ Standard size in bytes of a UUID.
+
+
+
+
+ Zero UUID (all bytes are zero).
+
+
+
+
+ Construct a new UUID object.
+
+ If this parameter is true, a new
+ UUID is generated. If it is false, the UUID is initialized
+ to zero.
+
+
+
+ Construct a new UUID object.
+
+ Initial value of the PwUuid object.
+
+
+
+ Create a new, random UUID.
+
+ Returns true if a random UUID has been generated,
+ otherwise it returns false.
+
+
+
+ Convert the UUID to its string representation.
+
+ String containing the UUID value.
+
+
+
+ Get the 16 UUID bytes.
+
+
+
+
+ Name of the provider that generated the custom key.
+
+
+
+
+ Compression algorithm specifiers.
+
+
+
+
+ No compression.
+
+
+
+
+ GZip compression.
+
+
+
+
+ Virtual field: currently known number of algorithms. Should not be used
+ by plugins or libraries -- it's used internally only.
+
+
+
+
+ Tree traversal methods.
+
+
+
+
+ Don't traverse the tree.
+
+
+
+
+ Traverse the tree in pre-order mode, i.e. first visit all items
+ in the current node, then visit all subnodes.
+
+
+
+
+ Methods for merging databases/entries.
+
+
+
+
+ Icon identifiers for groups and password entries.
+
+
+
+
+ Virtual identifier -- represents the number of icons.
+
+
+
+
+ Use default user credentials (provided by the system).
+
+
+
+
+ Default or Manual, depending on whether
+ manual credentials are available.
+ This type exists for supporting upgrading from KeePass
+ 2.28 to 2.29; the user cannot select this type.
+
+
+
+
+ Comparison modes for in-memory protected objects.
+
+
+
+
+ Ignore the in-memory protection states.
+
+
+
+
+ Ignore the in-memory protection states of standard
+ objects; do compare in-memory protection states of
+ custom objects.
+
+
+
+
+ Compare in-memory protection states.
+
+
+
+
+ Empty standard string fields are considered to be the
+ same as non-existing standard string fields.
+ This doesn't affect custom string comparisons.
+
+
+
+
+ The I/O connection is being opened for reading.
+
+
+
+
+ The I/O connection is being opened for writing.
+
+
+
+
+ The I/O connection is being opened for testing
+ whether a file/object exists.
+
+
+
+
+ The I/O connection is being opened for deleting a file/object.
+
+
+
+
+ The I/O connection is being opened for renaming/moving a file/object.
+
+
+
+
+ This flag prevents any handles being garbage-collected
+ before the started process has terminated, without
+ blocking the current thread.
+
+
+
+
+ UIIcon indicates that the returned image is going
+ to be displayed as icon in the UI and that it is not
+ subject to future changes in size.
+
+
+
+
+ A class representing a password entry. A password entry consists of several
+ fields like title, user name, password, etc. Each password entry has a
+ unique ID (UUID).
+
+
+
+
+ Construct a new, empty password entry. Member variables will be initialized
+ to their default values.
+
+ If true, a new UUID will be created
+ for this entry. If false, the UUID is zero and you must set it
+ manually later.
+ If true, the creation, last modification
+ and last access times will be set to the current system time.
+
+
+
+ Clone the current entry. The returned entry is an exact value copy
+ of the current entry (including UUID and parent group reference).
+ All mutable members are cloned.
+
+ Exact value clone. All references to mutable values changed.
+
+
+
+ Assign properties to the current entry based on a template entry.
+
+ Template entry. Must not be null.
+ Only set the properties of the template entry
+ if it is newer than the current one.
+ If true, the history will be
+ copied, too.
+ If true, the
+ LocationChanged property is copied, otherwise not.
+
+
+
+ Touch the entry. This function updates the internal last access
+ time. If the parameter is true,
+ the last modification time gets updated, too.
+
+ Modify last modification time.
+
+
+
+ Touch the entry. This function updates the internal last access
+ time. If the parameter is true,
+ the last modification time gets updated, too.
+
+ Modify last modification time.
+ If true, all parent objects
+ get touched, too.
+
+
+
+ Create a backup of this entry. The backup item doesn't contain any
+ history items.
+
+
+
+
+ Create a backup of this entry. The backup item doesn't contain any
+ history items.
+ If this parameter isn't null,
+ the history list is maintained automatically (i.e. old backups are
+ deleted if there are too many or the history size is too large).
+ This parameter may be null (no maintenance then).
+
+
+
+
+ Restore an entry snapshot from backups.
+
+ Index of the backup item, to which
+ should be reverted.
+
+
+
+ Restore an entry snapshot from backups.
+
+ Index of the backup item, to which
+ should be reverted.
+ If this parameter isn't null,
+ the history list is maintained automatically (i.e. old backups are
+ deleted if there are too many or the history size is too large).
+ This parameter may be null (no maintenance then).
+
+
+
+ Delete old history entries if there are too many or the
+ history size is too large.
+ If one or more history entries have been deleted,
+ true is returned. Otherwise false.
+
+
+
+
+ Approximate the total size (in process memory) of this entry
+ in bytes (including strings, binaries and history entries).
+
+ Size in bytes.
+
+
+
+ UUID of this entry.
+
+
+
+
+ Reference to a group which contains the current entry.
+
+
+
+
+ The date/time when the location of the object was last changed.
+
+
+
+
+ Get or set all entry strings.
+
+
+
+
+ Get or set all entry binaries.
+
+
+
+
+ Get or set all auto-type window/keystroke sequence associations.
+
+
+
+
+ Get all previous versions of this entry (backups).
+
+
+
+
+ Image ID specifying the icon that will be used for this entry.
+
+
+
+
+ Get the custom icon ID. This value is 0, if no custom icon is
+ being used (i.e. the icon specified by the IconID property
+ should be displayed).
+
+
+
+
+ Get or set the foreground color of this entry.
+
+
+
+
+ Get or set the background color of this entry.
+
+
+
+
+ The date/time when this entry was created.
+
+
+
+
+ The date/time when this entry was last modified.
+
+
+
+
+ The date/time when this entry was last accessed (read).
+
+
+
+
+ The date/time when this entry expires. Use the Expires property
+ to specify if the entry does actually expire or not.
+
+
+
+
+ Specifies whether the entry expires or not.
+
+
+
+
+ Get or set the usage count of the entry. To increase the usage
+ count by one, use the Touch function.
+
+
+
+
+ Entry-specific override URL.
+
+
+
+
+ List of tags associated with this entry.
+
+
+
+
+ Custom data container that can be used by plugins to store
+ own data in KeePass entries.
+ The data is stored in the encrypted part of encrypted
+ database files.
+ Use unique names for your items, e.g. "PluginName_ItemName".
+
+
+
+
+ A string that is protected in process memory.
+ ProtectedString objects are immutable and thread-safe.
+
+
+
+
+ Construct a new protected string object. Protection is
+ disabled.
+
+
+
+
+ Construct a new protected string. The string is initialized
+ to the value supplied in the parameters.
+
+ If this parameter is true,
+ the string will be protected in memory (encrypted). If it
+ is false, the string will be stored as plain-text.
+ The initial string value.
+
+
+
+ Construct a new protected string. The string is initialized
+ to the value supplied in the parameters (UTF-8 encoded string).
+
+ If this parameter is true,
+ the string will be protected in memory (encrypted). If it
+ is false, the string will be stored as plain-text.
+ The initial string value, encoded as
+ UTF-8 byte array. This parameter won't be modified; the caller
+ is responsible for clearing it.
+
+
+
+ Construct a new protected string. The string is initialized
+ to the value passed in the XorredBuffer object.
+
+ Enable protection or not.
+ XorredBuffer object containing the
+ string in UTF-8 representation. The UTF-8 string must not
+ be null-terminated.
+
+
+
+ Convert the protected string to a standard string object.
+ Be careful with this function, as the returned string object
+ isn't protected anymore and stored in plain-text in the
+ process memory.
+
+ Plain-text string. Is never null.
+
+
+
+ Read out the string and return it as a char array.
+ The returned array is not protected and should be cleared by
+ the caller.
+
+ Plain-text char array.
+
+
+
+ Read out the string and return a byte array that contains the
+ string encoded using UTF-8.
+ The returned array is not protected and should be cleared by
+ the caller.
+
+ Plain-text UTF-8 byte array.
+
+
+
+ Get the string as an UTF-8 sequence xorred with bytes
+ from a CryptoRandomStream.
+
+
+
+
+ Get an empty ProtectedString object, without protection.
+
+
+
+
+ Get an empty ProtectedString object, with protection turned on.
+
+
+
+
+ A flag specifying whether the ProtectedString object
+ has turned on memory protection or not.
+
+
+
+
+ Length of the protected string, in characters.
+
+
+
+
+ A protected binary, i.e. a byte array that is encrypted in memory.
+ A ProtectedBinary object is immutable and thread-safe.
+
+
+
+
+ Construct a new, empty protected binary data object.
+ Protection is disabled.
+
+
+
+
+ Construct a new protected binary data object.
+
+ If this paremeter is true,
+ the data will be encrypted in memory. If it is false, the
+ data is stored in plain-text in the process memory.
+ Value of the protected object.
+ The input parameter is not modified and
+ ProtectedBinary doesn't take ownership of the data,
+ i.e. the caller is responsible for clearing it.
+
+
+
+ Construct a new protected binary data object.
+
+ If this paremeter is true,
+ the data will be encrypted in memory. If it is false, the
+ data is stored in plain-text in the process memory.
+ Value of the protected object.
+ The input parameter is not modified and
+ ProtectedBinary doesn't take ownership of the data,
+ i.e. the caller is responsible for clearing it.
+ Offset for .
+ Size for .
+
+
+
+ Construct a new protected binary data object.
+ Copy the data from a XorredBuffer object.
+
+ Enable protection or not.
+ XorredBuffer object containing the data.
+
+
+
+ Get a copy of the protected data as a byte array.
+ Please note that the returned byte array is not protected and
+ can therefore been read by any other application.
+ Make sure that your clear it properly after usage.
+
+ Unprotected byte array. This is always a copy of the internal
+ protected data and can therefore be cleared safely.
+
+
+
+ Get the data xorred with bytes from a CryptoRandomStream.
+
+
+
+
+ A plugin can provide a custom memory protection method
+ by assigning a non-null delegate to this property.
+
+
+
+
+ A flag specifying whether the ProtectedBinary object has
+ turned on memory protection or not.
+
+
+
+
+ Length of the stored data.
+
+
+
+
+ Class containing self-test methods.
+
+
+
+
+ Perform a self-test.
+
+
+
+
+ Application-wide logging services.
+
+
+
+
+ Represents an object that has been deleted.
+
+
+
+
+ Construct a new PwDeletedObject object.
+
+
+
+
+ Clone the object.
+
+ Value copy of the current object.
+
+
+
+ UUID of the entry that has been deleted.
+
+
+
+
+ The date/time when the entry has been deleted.
+
+
+
+
+ Master password/passphrase as provided by the user.
+
+
+
+
+ Get the password as protected string. This is null
+ unless remembering the password has been turned on.
+
+
+
+
+ Get key data. Querying this property is fast (it returns a
+ reference to a cached ProtectedBinary object).
+ If no key data is available, null is returned.
+
+
+
+
+ A list of ProtectedBinary objects (dictionary).
+
+
+
+
+ Construct a new list of protected binaries.
+
+
+
+
+ Clone the current ProtectedBinaryList object, including all
+ stored protected strings.
+
+ New ProtectedBinaryList object.
+
+
+
+ Get one of the stored binaries.
+
+ Binary identifier.
+ Protected binary. If the binary identified by
+ cannot be found, the function
+ returns null.
+ Thrown if the input
+ parameter is null.
+
+
+
+ Set a binary object.
+
+ Identifier of the binary field to modify.
+ New value. This parameter must not be null.
+ Thrown if any of the input
+ parameters is null.
+
+
+
+ Remove a binary object.
+
+ Identifier of the binary field to remove.
+ Returns true if the object has been successfully
+ removed, otherwise false.
+ Thrown if the input parameter
+ is null.
+
+
+
+ Get the number of binaries in this entry.
+
+
+
+
diff --git a/src/Build/PrepMonoDev.sh b/src/Build/PrepMonoDev.sh
new file mode 100644
index 0000000..af5ffcb
--- /dev/null
+++ b/src/Build/PrepMonoDev.sh
@@ -0,0 +1,66 @@
+#!/bin/sh
+
+kpBuild="$(pwd)"
+kpRoot="${kpBuild}/.."
+
+# Mono's resource compiler/linker doesn't support ICO files
+# containing high resolution images (in PNG format)
+kpIco="${kpRoot}/Ext/Icons_15_VA/LowResIcons/KeePass_LR.ico"
+kpIcoG="${kpRoot}/Ext/Icons_15_VA/LowResIcons/KeePass_LR_G.ico"
+kpIcoR="${kpRoot}/Ext/Icons_15_VA/LowResIcons/KeePass_LR_R.ico"
+kpIcoY="${kpRoot}/Ext/Icons_15_VA/LowResIcons/KeePass_LR_Y.ico"
+
+fnPrepSolution()
+{
+ cd "${kpRoot}"
+ local kpSln="KeePass.sln"
+
+ # Update solution format to 11 (this targets Mono 4 rather than 3.5)
+ sed -i 's!Format Version 10\.00!Format Version 11\.00!g' "${kpSln}"
+}
+
+fnPrepKeePass()
+{
+ cd "${kpRoot}/KeePass"
+ local kpCsProj="KeePass.csproj"
+
+ sed -i 's! ToolsVersion="3\.5"!!g' "${kpCsProj}"
+ sed -i 's!true!false!g' "${kpCsProj}"
+ sed -i '/sgen\.exe/d' "${kpCsProj}"
+
+ cp -f "${kpIco}" KeePass.ico
+ cp -f "${kpIco}" Resources/Icons/KeePass.ico
+ cp -f "${kpIcoG}" Resources/Icons/KeePass_G.ico
+ cp -f "${kpIcoR}" Resources/Icons/KeePass_R.ico
+ cp -f "${kpIcoY}" Resources/Icons/KeePass_Y.ico
+}
+
+fnPrepKeePassLib()
+{
+ cd "${kpRoot}/KeePassLib"
+ local kpCsProj="KeePassLib.csproj"
+ local kpXmlUtilEx="Utility/XmlUtilEx.cs"
+
+ sed -i 's! ToolsVersion="3\.5"!!g' "${kpCsProj}"
+ sed -i 's!true!false!g' "${kpCsProj}"
+
+ sed -i -E 's!(xrs\.ProhibitDtd = true;)!// \1!g' "${kpXmlUtilEx}"
+ sed -i -E 's!// (xrs\.DtdProcessing = DtdProcessing\.Prohibit;)!\1!g' "${kpXmlUtilEx}"
+}
+
+fnPrepTrlUtil()
+{
+ cd "${kpRoot}/Translation/TrlUtil"
+ local kpCsProj="TrlUtil.csproj"
+
+ sed -i 's! ToolsVersion="3\.5"!!g' "${kpCsProj}"
+
+ cp -f "${kpIco}" Resources/KeePass.ico
+}
+
+fnPrepSolution
+fnPrepKeePass
+fnPrepKeePassLib
+fnPrepTrlUtil
+
+cd "${kpBuild}"
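Review bot: In fnPrepKeePassLib the two `sed -i -E` edits to Utility/XmlUtilEx.cs comment out `xrs.ProhibitDtd = true;` and uncomment `xrs.DtdProcessing = DtdProcessing.Prohibit;`, but nothing verifies that the second substitution matched. `sed` exits 0 on no match, so if that commented line is ever reworded upstream, the Mono build would silently ship with the old DTD prohibition disabled and no replacement, which may leave the XML reader accepting DTDs. I would add a check after the edits, e.g. `grep -q '^[^/]*xrs\.DtdProcessing = DtdProcessing\.Prohibit;' "${kpXmlUtilEx}" || { echo "DTD prohibition not enabled" >&2; exit 1; }`. The same silent-failure pattern applies to every unchecked `cd` in the script: if one fails, the following `sed -i` and `cp -f` run in whatever directory the script was started from, so use `cd "${kpRoot}/KeePassLib" || exit 1` (or `set -e` at the top).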
diff --git a/src/Docs/Chm/KeePass.hhp b/src/Docs/Chm/KeePass.hhp
new file mode 100644
index 0000000..7f9e08a
--- /dev/null
+++ b/src/Docs/Chm/KeePass.hhp
@@ -0,0 +1,61 @@
+[OPTIONS]
+Compatibility=1.1 or later
+Compiled file=KeePass.chm
+Contents file=KeePassContents.hhc
+Default topic=help\base\index.html
+Display compile progress=No
+Full-text search=Yes
+Language=0x409 Englisch (USA)
+Title=KeePass Help
+
+
+[FILES]
+help\index.html
+help\base\autotype.html
+help\base\autourl.html
+help\base\cmdline.html
+help\base\configuration.html
+help\base\credits.html
+help\base\faq.html
+help\base\faq_tech.html
+help\base\fieldrefs.html
+help\base\firststeps.html
+help\base\importexport.html
+help\base\index.html
+help\base\integration.html
+help\base\keys.html
+help\base\license_lgpl.html
+help\base\multiuser.html
+help\base\placeholders.html
+help\base\pwgenerator.html
+help\base\repair.html
+help\base\search.html
+help\base\secedits.html
+help\base\security.html
+help\base\tans.html
+help\base\terms.html
+help\base\usingpws.html
+help\v2\autotype_obfuscation.html
+help\v2\dbsettings.html
+help\v2\entry.html
+help\v2\guioptions.html
+help\v2\index.html
+help\v2\ioconnect.html
+help\v2\license.html
+help\v2\plugins.html
+help\v2\policy.html
+help\v2\setup.html
+help\v2\sync.html
+help\v2\translation.html
+help\v2\triggers.html
+help\v2\version.html
+help\v2\xml_replace.html
+help\v2_dev\customize.html
+help\v2_dev\plg_index.html
+help\v2_dev\scr_index.html
+help\v2_dev\scr_kps_index.html
+help\v2_dev\scr_sc_index.html
+images\back.gif
+
+[INFOTYPES]
+
diff --git a/src/Docs/Chm/KeePassContents.hhc b/src/Docs/Chm/KeePassContents.hhc
new file mode 100644
index 0000000..8601085
--- /dev/null
+++ b/src/Docs/Chm/KeePassContents.hhc
@@ -0,0 +1,198 @@
+
+
+
KeePass features an "Auto-Type" functionality. This feature allows you to define
+a sequence of keypresses, which KeePass can automatically perform for you. The
+simulated keypresses can be sent to any other currently open window of your choice (browser windows,
+login dialogs, ...).
+
+
By default, the sent keystroke sequence is {USERNAME}{TAB}{PASSWORD}{ENTER},
+i.e. it first types the user name of the selected entry, then presses the Tab key,
+then types the password of the entry and finally presses the Enter key.
+
+
For TAN entries, the default sequence is {PASSWORD},
+i.e. it just types the TAN into the target window, without pressing Enter.
+
+
+
+
+
+
+Auto-Type can be configured individually for each entry using the
+Auto-Type tab page on the entry dialog (select an entry → Edit Entry).
+On this page you can specify a default sequence and customize specific
+window/sequence associations.
+
+Two-Channel Auto-Type Obfuscation is supported (making
+Auto-Type resistant against keyloggers).
+
+
+
Additionally, you can create customized window/sequence associations, which override the
+default sequence. You can specify different keystroke sequences for different windows for each entry.
+For example, imagine a webpage, to which you want to login, that has multiple
+pages where one can login. These pages could all look a bit different (on one
+you could additionally need to check some checkbox – like often seen in forums).
+Here creating customized window/sequence associations solves the problems: you simply
+specify different auto-type sequences for each windows (identified by their window
+titles).
+
+
Invoking Auto-Type:
+There are three different methods to invoke auto-type:
+
+
+
Invoke auto-type for an entry by using the
+context menu command Perform Auto-Type while the entry is selected.
+
Select the entry and press Ctrl+V
+(that's the menu shortcut for the context menu command above).
+
Using the system-wide auto-type hot key. KeePass will
+search all entries in the currently opened database for matching sequences.
+
+
+
All methods are explained in detail below.
+
+
Input Focus:
+Note that auto-type starts typing into the control of the target window
+that has the input focus. Thus, for example for the default
+sequence you have to ensure that the input focus is set to the
+user name control of the target window before invoking auto-type using any of
+the above methods.
+
+
+
+
+
+Requirements and Limitations
+
+
Rights:
+For auto-type to work, KeePass must be running with the same or higher
+rights as the target application. Especially, if the target application
+is running with administrative rights, KeePass must be running with
+administrative rights, too. For details, see
+
+Windows Integrity Mechanism Design.
+An example are certain instances of VMware Workstation that run on
+a higher integrity level.
+
+
Remote Desktops and Virtual Machines:
+KeePass does not know the keyboard layout that has been selected in
+a remote desktop or virtual machine window.
+If you want to auto-type into such a window, you must ensure
+that the local and the remote/virtual system are using the same
+keyboard layout.
+
+
When performing auto-type into a remote desktop or virtual machine
+window, the following characters may be problematic (depending on the
+exact circumstances) and should therefore be avoided, if possible:
+" (U+0022),
+' (U+0027),
+^ (U+005E),
+` (U+0060),
+~ (U+007E),
+¨ (U+00A8),
+¯ (U+00AF),
+° (U+00B0),
+´ (U+00B4),
+¸ (U+00B8),
+spacing modifier letters (U+02B0 to U+02FF),
+and characters that cannot be realized with a direct key combination.
+
+
Wayland:
+On a Unix-like system with a Wayland compositor, there may be further
+limitations; see the Auto-Type on Wayland page.
+
+
+
+
+
+Context Menu: 'Perform Auto-Type' Command
+
+
This method is the one that requires the least amount of configuration and is
+the simpler one, but it has the disadvantage that you need to select the entry
+in KeePass which you want to auto-type.
+
+
The method is simple: right-click on an entry of your currently opened database
+and click 'Perform Auto-Type' (or alternatively press the
+Ctrl+V
+shortcut for this command). The window that previously got the focus
+(i.e. the one in which you worked before switching to KeePass) will be brought
+to the foreground and KeePass auto-types into this window.
+
+
The sequence which is auto-typed depends on the window's title. If you didn't
+specify any custom window/sequence associations, the default sequence is sent. If
+you created associations, KeePass uses the sequence of the first matching
+association. If none of the associations match, the default sequence is used.
+
+
+
+
+
+Global Auto-Type Hot Key
+
+
This is the more powerful method, but it also requires a little bit more
+work/knowledge, before it can be used.
+
+
Simple Global Auto-Type Example:
+
+
+
Create an entry in KeePass titled Notepad with values for user name and password.
+
Start Notepad (under 'Programs' → 'Accessories').
+
Press Ctrl+Alt+A within Notepad.
+The user name and password will be typed into Notepad.
+
+
+
The KeePass entry title Notepad is matched with the window title of
+Notepad and the default Auto-Type sequence is typed.
+
+
How It Works - Details:
+
+
KeePass registers a system-wide hot key for auto-type. The advantage of
+this hot key is that you don't need to switch to the KeePass window and
+select the entry. You simply press the hot key while having the target window
+open (i.e. the window which will receive the simulated keypresses).
+
+
By default, the global hot key is
+Ctrl+Alt+A
+(i.e. hold the Ctrl and Alt keys,
+press A and release all keys).
+You can change this hot key in the options dialog
+(main menu 'Tools' → 'Options' → tab
+
+
+
+'Integration'):
+
+here, click into the global auto-type hot key textbox and press the hot key
+that you wish to use. If the hot key is usable, it will appear in the textbox.
+
+
When you press the hot key, KeePass looks at the title of the currently opened window and
+searches the currently opened database for usable entries. If KeePass finds multiple
+entries that can be used, it displays a selection dialog.
+An entry is considered to be usable for the current window title when
+at least one of the following conditions is fulfilled:
+
+
+
The title of the entry is a substring of the currently active window title.
+
The entry has a window/sequence association, of which the window specifier matches
+the currently active window title.
+
+
+
The second condition has been mentioned already, but the first one
+is new. By using entry titles as filters for window titles, the configuration amount
+for auto-type is almost zero: you only need to make sure that the entry title
+is contained in the window title of the window into which you want the entry to be
+auto-typed. Of course, this is not always possible (for example, if a webpage has a
+very generic title like "Welcome"), here you need to
+use custom window/sequence associations.
+
+
+
+
+
+
+Custom window/sequence associations can be specified on the 'Auto-Type' tab
+page of each entry.
+
+The associations complement the KeePass entry title.
+Any associations specified will be used in addition to the KeePass entry
+title to determine a match.
+
+
+
An auto-type keystroke sequence is a one-line string that can contain
+placeholders and special key codes.
+
+
A complete list of all supported placeholders can be found on the page
+Placeholders. The special key codes can
+be found below.
+
+
Above you've seen already that the
+default auto-type is {USERNAME}{TAB}{PASSWORD}{ENTER}. Here,
+{USERNAME} and {PASSWORD} are placeholders: when auto-type
+is performed, these are replaced by the appropriate field values of the entry.
+{TAB} and {ENTER} are special key codes: these are replaced
+by the appropriate keypresses. Special key codes are the only way to specify special
+keys like Arrow-Down, Shift, Escape, etc.
+
+
Of course, keystroke sequences can also contain simple characters to be sent.
+For example, the following string is perfectly valid as keystroke sequence string:
+{USERNAME}{TAB}Some text to be sent!{ENTER}.
+
+
+
+
+
+
+{VKEY XF}:
+This command sends the
+virtual key of value X.
+The parameter F is optional and may be a combination of the following
+values:
+
D:
+Press and hold down the key (without releasing it).
+
U:
+Release the key (without pressing it).
+
+
+
The values E and N are mutually exclusive.
+It is recommended to specify neither E nor N,
+if possible; KeePass then determines automatically whether the virtual key
+is typically realized using an extended key.
+
+
The values D and U are mutually exclusive.
+If neither D nor U is specified, KeePass
+sends a keypress (i.e. down and up).
+
+
On Linux systems, KeePass automatically converts most Windows virtual key codes
+to Linux key codes (i.e. the {VKEY ...} command works on both
+systems).
+
+Examples:
+
+
{VKEY 13}
+Presses and releases the primary Enter key.
+This is equivalent to {ENTER}.
+
{VKEY 13 E}
+Presses and releases the Enter key of the
+numeric keypad.
+
{VKEY 91 D}e{VKEY 91 U}
+Sends Win+E
+(i.e. it presses and holds down the left Win
+key, presses and releases the E key, and
+releases the Win key),
+which starts Windows Explorer (on Windows).
+This is not equivalent to {LWIN}e
+(which first presses and releases the left Win key
+and then presses and releases the E key).
+Note that Windows Explorer can also be started using
+{CMD:/Explorer.exe/W=0/}
+(the {CMD:/.../}
+placeholder can run arbitrary command lines).
+
+
+Do not use the {VKEY ...} command to change the state of the
+Shift, Ctrl and
+Alt modifiers. For this, use +,
+^ and % instead (see above).
+
+
+
+
+
+Keys and special keys (not placeholders or commands) can be repeated by
+appending a number within the code. For example, {TAB 5}
+presses the Tab key 5 times.
+
+
+
Examples:
+
+
{TITLE}{TAB}{USERNAME}{TAB}{PASSWORD}{ENTER}
+Types the entry's title, a Tab, the user name,
+a Tab, the password of the
+currently selected entry, and presses Enter.
+
+
{TAB}{PASSWORD}{ENTER}
+Presses the Tab key, enters the entry's password and
+presses Enter.
+
+
{USERNAME}{TAB}^v{ENTER}
+Types the user name, presses Tab, presses
+Ctrl+V (which pastes data from the Windows
+clipboard in most applications), and presses Enter.
+
+
Toggling Checkboxes:
+A checkbox (e.g. "Stay logged in on this computer") can
+usually be toggled by sending a space character (' ').
+Example:
+{USERNAME}{TAB}{PASSWORD}{TAB} {TAB}{ENTER}
+If there is a form with a user name field, a password field and a checkbox,
+this sequence would enter the user name, the password and toggle the checkbox
+that follows the password control.
+
+
Pressing Non-Default Buttons:
+Pressing non-default buttons works the same as toggling checkboxes: send
+a space character (' ').
+Note that this should only be used for non-default buttons; for
+default buttons, {ENTER} should be sent instead.
When creating a custom window/sequence association, you need to tell
+KeePass how the matching window titles look like. Here, KeePass supports
+simple wildcards:
+
+
+
+
String with Wildcard
Meaning
+
STRING
Matches all window titles that are named exactly "STRING".
+
STRING*
Matches all window titles that start with "STRING".
+
*STRING
Matches all window titles that end with "STRING".
+
*STRING*
Matches all window titles that have "STRING" somewhere in the window title. This includes the string being directly at the start or at the end of the window title.
+
+
+
+
+
+
+
+
+
+Wildcards may also appear in the middle of patterns.
+For example, *Windows*Explorer* would match
+Windows Internet Explorer.
+
+Additionally, matching using
+
+regular expressions is supported. In order to
+tell KeePass that the pattern is a regular expression, enclose it in
+//. For example, //B.?g Window// would
+match Big Window, Bug Window and Bg Window.
+
+
+
By using wildcards, you can make your auto-type associations browser-independent.
+See the usage examples for more information.
+
+
+
+
+
+Change Default Auto-Type Sequence
+
+
The default auto-type sequence (i.e. the one which is used when you don't specify
+a custom one) is {USERNAME}{TAB}{PASSWORD}{ENTER}. KeePass allows you
+to change this default sequence. Normally you won't need to change it (use
+custom window/sequence definitions instead!), but it is quite useful when some
+other application is interfering with KeePass (for example a security software that
+always asks you for permission before allowing KeePass to auto-type).
+
+
+
+
+
+
+By default, entries inherit the auto-type sequence of their containing group.
+Groups also inherit the auto-type sequence of their parent groups. There is
+only one top group (the first group contains all other groups). Consequently, if
+you change the auto-type sequence of this very first group, all other groups
+and their entries will use this sequence. Practically, this is a global override.
+To change it, right-click on the first group, choose 'Edit Group' and switch
+to the 'Auto-Type' tab.
+
+
+
+
+
+
+
+Usage Example
+
+
Now let's have a look at a real-world example: logging into a website. In this example,
+will we use the global auto-type hot key to fill out the login webpage.
+First open the test page, and afterwards create a new entry
+in KeePass with title Test Form and a user name and password
+of your choice.
+
+
Let's assume the global auto-type hot key is set to
+Ctrl+Alt+A (the default).
+KeePass is running in the background, you have opened your database and the workspace is unlocked.
+
+
When you now navigate to the test page and are being prompted for your user name and password,
+just click into the user name field and press
+Ctrl+Alt+A.
+KeePass enters the user name and password for you!
+
+
Why did this work? The window title of your browser window was
+"Test Form - KeePass - Internet Explorer" or
+"Test Form - KeePass - Mozilla Firefox", depending on the browser
+you are using. Because we gave the entry in KeePass the title Test Form, the
+entry title is contained in the window title, therefore KeePass uses this entry.
+
+
Here you see the huge advantages of auto-type: it not only doesn't require
+any additional browser software
+(the browser knows nothing of KeePass – there are no helper browser plugins required),
+it is also browser-independent: the one entry that you created within KeePass works
+for Internet Explorer and Mozilla Firefox (and other browsers) without
+requiring any modifications or definitions.
+
+
When you would use window/sequence associations
+(instead of entry title matching), you can achieve the same
+browser-independent effect using wildcards: you could for example have used
+Test Form - KeePass - * as window filter. This filter matches both
+the Internet Explorer and the Firefox window.
The URL field can execute any valid URL for which a protocol handler is defined.
+On most systems at least the http://, https://,
+ftp:// and mailto: protocols are defined.
+KeePass supports all protocols that Windows supports.
+
+
For example, if you globally (i.e. using the Windows Explorer) register PuTTY for ssh:// URLs,
+KeePass will automatically use PuTTY for ssh:// URLs, too.
+
+
+
+
+
+Executing Command Lines
+
+
Instead of a URL, you can also execute command lines using the URL field.
+To tell KeePass that the line you entered
+is a command line, prefix it using cmd://. For example if you would like to execute
+Notepad, your URL could look like this:
The virtual cmd:// protocol also supports parameters for executable
+files, in contrast to
+the file:// protocol. This was the main reason why cmd://
+was introduced; with file:// you
+aren't able to pass any parameters to started applications. Use the cmd://
+protocol instead.
+
+
The paths for the cmd:// protocol don't need to be encoded. For example,
+you do not have to replace space characters by %20, as it is normally
+required for other URLs. KeePass just cuts away the cmd:// virtual
+protocol prefix and passes the remaining command line to the system.
+
+
If the file path contains spaces, you must enclose it in quotes (").
+
+
Environment Variables:
+System environment variables are supported.
+The name of the variable must be enclosed in '%' characters.
+For example %TEMP% is replaced by the user's temporary path.
+
+
UNC Paths:
+Windows-style UNC paths (starting with \\) are directly
+supported, i.e. do not need to be prefixed with cmd://.
+
+
Double Quotes (") and Backslashes (\):
+There are multiple rule sets for parsing command lines
+(SHELLEXECUTEINFOW structure,
+CommandLineToArgvW function,
+
+Microsoft C/C++ startup code, etc.).
+These rule sets are contradictory; command lines are interpreted differently.
+For example, in the SHELLEXECUTEINFOW structure documentation,
+backslashes have no special meaning, whereas the
+CommandLineToArgvW function sometimes interprets a backslash
+as an escape character.
+Another example: A"""B C"""D is
+interpreted as one argument (namely A"B C"D)
+by the Microsoft C/C++ startup code, whereas the CommandLineToArgvW
+function returns two arguments
+(namely A"B and C"D).
+KeePass cannot know how the executed application will interpret its
+command line, and there is no command line encoding that is
+interpreted as intended by all applications.
+Therefore, we recommend:
+
+
Use double quotes (") only to indicate the start and the end of
+the file path or of an argument. Do not use a quote in data that
+requires encoding. For example, if your command line contains a
+{PASSWORD}placeholder,
+the password should not contain a quote.
+
Use a backslash only when the next character is not a quote,
+i.e. avoid \".
+Especially, avoid data ending with a backslash if a quote follows on
+the command line. For example, if the command line contains an
+argument like -pw:"{PASSWORD}", the password should
+not end with a backslash, because otherwise the placeholder replacement
+results in the problematic \" sequence.
+
+
+
Unix-like Systems:
+On Unix-like systems, KeePass assumes that double quotes (")
+and backslashes (\) must be encoded.
+Furthermore, KeePass assumes that single quotes (')
+only occur in contexts where they must not be encoded (e.g. within
+double quotes). So, if any of your arguments may contain a single quote,
+you have to ensure that it occurs within such a context.
+On Windows, this is irrelevant, as single quotes do not have a special meaning here.
+
+
+
+
+
+Placeholders
+
+
In the URL field, you can use several placeholders that will get automatically replaced
+when the URL is executed. For example:
For this entry, KeePass will replace {USERNAME} by the data of the username field and {PASSWORD}
+by the data in the password field when you execute the link.
+
+
For a complete list of supported placeholders, see the page
+Placeholders.
+
+
Also note that the special placeholders are supported, too. For example,
+the {APPDIR} placeholder is replaced by the application
+directory path of the currently running KeePass instance. It's the absolute path of the
+directory containing the KeePass executable, without a trailing backslash.
+If you would like to start a new KeePass instance, you could set the URL to:
+
+
cmd://"{APPDIR}\KeePass.exe"
+
+
To use different browsers for entries, you can use URLs like the following:
+cmd://{INTERNETEXPLORER} "https://www.example.com/"
+cmd://{FIREFOX} "https://www.example.com/"
+cmd://{OPERA} "https://www.example.com/"
+cmd://{GOOGLECHROME} "https://www.example.com/"
+cmd://{SAFARI} "https://www.example.com/"
+The browser placeholder will be replaced by the browser's executable path (if the
+browser is installed).
+
+
+
+
+
+Changing the URL Handler (URL Override)
+
+
+
+
+
+
+
+
+
The URL field behavior can be overridden individually for each entry
+using the field 'Override URL' (tab 'Properties' in the entry dialog).
+This allows you to execute a specific URL, while still using the URL
+field to (only) store data.
+When double-clicking the URL field of the entry in the main window, the
+specified command line (in the URL override field) will be run.
+
+
Using a different browser:
+If your default browser is Firefox and you want to open a specific site with
+Internet Explorer, specify the following in the URL override field:
+
+
cmd://{INTERNETEXPLORER} "{URL}"
+
+
KeePass will open Internet Explorer and pass the data from the URL field
+as the parameter. This uses a placeholder to find Internet
+Explorer.
+
+
Globally changing the URL behavior:
+If you want to change the default URL action for a URL scheme
+(e.g. http://, https:// or ftp://),
+you can define a URL scheme override
+in 'Tools' → 'Options' → tab 'Integration' → 'URL Overrides'.
+This for example allows to specify a browser as default for websites
+(in the dialog you can find several overrides for browsers like Internet Explorer,
+Mozilla Firefox, Opera and Google Chrome).
+
+
URL scheme overrides can also be used to define new protocols. For example,
+if you want to define a protocol kdbx:// that opens another KeePass database,
+specify the following as override for the kdbx scheme (on Windows):
+cmd://"{APPDIR}\KeePass.exe" "{BASE:RMVSCM}" -pw-enc:"{PASSWORD_ENC}"
+or on Unix-like systems (Mono):
+cmd://mono "{APPDIR}/KeePass.exe" "{BASE:RMVSCM}" -pw-enc:"{PASSWORD_ENC}"
+If an entry now has a URL looking like kdbx://PathToYourDatabase.kdbx
+and the master password for this database in the password field,
+double-clicking the URL of the entry in the main window opens the other database.
+The -pw-enccommand line parameter and
+the {PASSWORD_ENC} placeholder
+allow passing the master password of the other database in encrypted form,
+i.e. process monitors and similar utilities aren't be able to read the master password.
+
+
+
+
+
+
+Starting RDP/TS Sessions
+
+
You can use the URL field of entries and the virtual cmd://
+protocol to start remote desktop connections.
+
+
For this, enter the following in the URL field of an entry:
+
+
cmd://mstsc.exe
+
+
When you now double-click the URL field of the entry in the main window, a
+Windows remote desktop connection is initiated.
+
+
MSTSC is the Windows terminal server connection program (remote desktop connection).
+You can pass a path to an existing RDP file to the program to open it. For example,
+the following URL opens the specified RDP file:
+
+
cmd://mstsc.exe "C:\My Files\Connection.rdp"
+
+
MSTSC also supports several command line options:
+
+
+
/v:<Server[:Port]> Defines the terminal server to connect to.
+
/console Connects to the terminal session of the server.
+
/f Starts the client in full screen mode.
+
/w:<Width> Defines the width of the remote desktop screen.
+
/h:<Height> Defines the height of the remote desktop screen.
+
/edit Opens the specified RDP file for editing.
+
/migrate Migrates old connection files to new RDP files.
+
+
+
+
+
+
+Executing Built-In Shell Commands
+
+
The URL field can be used to start applications/documents and URLs.
+If you want to execute a built-in shell command, like COPY for
+example, this however doesn't work directly, because there is no COPY.EXE
+(in Windows 9x times there actually was one, but on all modern Windows operating
+systems these commands are built-in to the command line window).
+
+
In order to execute built-in shell commands, you need to pass them to the
+command line interpreter cmd.exe.
+
+
For the COPY command you would specify cmd.exe
+as executable file and /C COPY from to as arguments (where
+'from' and 'to' are paths). The /C
+parameter tells cmd.exe to execute the command line that
+follows.
+
+
In the URL field, your URL would look like the following:
+cmd://cmd.exe /C COPY from to
+In other locations, like command lines in the trigger system,
+you can leave out the cmd:// URL prefix.
You can pass a file path in the command line in order to tell KeePass to open
+this file immediately after startup.
+
+
Switches can be either prefixed using
+a minus (-) or two minus characters (--).
+On Windows, a slash (/) is another alternative.
+The prefixes are equivalent; it doesn't matter which one you use.
+
+
Database file.
+The database file location is passed as argument. Only one database file is allowed.
+If the path contains a space, it must be enclosed in quotes (").
+
+
Password.
+Passwords can be passed using the -pw: option. In order to
+pass 'abc' as password, you would add the following argument to the command line:
+-pw:abc. Note that there must be no space between the ':' and the
+password. If your password contains a space, you must enclose it in quotes. For
+example: -pw:"my secret password".
+
+
Using the -pw: option is not recommended, due to
+security reasons (the operating system allows reading the command line
+options of other applications).
+
+
When passing the -pw-stdin option, KeePass
+reads the password from the StdIn stream.
+This option is intended for programmatically passing the password to KeePass.
+For entering the password by hand, it is recommended to use the
+normal master key dialog instead (because in this dialog the password
+is hidden by bullets/asterisks and it is encrypted by the process memory
+protection).
+
+
Key file.
+For supplying the key file location, the -keyfile: switch
+exists. The same rules as above apply, just that you specify the key file location:
+-keyfile:D:\pwsafe.key. You also need to quote the value, if it contains
+a space, tab or other whitespace characters.
+
+
Preselection.
+In order to just preselect a key file, use the -preselect: option.
+For example, if you lock your database with a password and a key file, but
+just want to type in the password (so, without selecting the key file manually),
+your command line would look like this:
KeePass would then show a prompt for the password for the database, but in
+the key file list, the C:\pwsafe.key file is selected already. When using the
+-preselect: switch, KeePass by default activates the key file switch and
+sets the focus to the password edit window.
+
+
Note the difference! The -preselect: switch just preselects the key file
+for you and displays the login prompt. In contrast, the -keyfile: switch
+doesn't prompt you for the (maybe missing) password.
+
+
Other.
+The -minimize command line option makes KeePass start up minimized.
+This option may not work when KeePass runs on Mono (due to a bug in Mono).
+
+
The -auto-type command line option makes other already opened
+KeePass instances perform a global auto-type.
+
+
+
+
+
+
+Additionally, the -useraccount switch is supported. If specified, the
+current user account credentials will be used.
+
+The -iocredfromrecent switch makes KeePass load file
+system credentials (not database key) from the most recently used files list.
+Alternatively, the file system credentials can be specified using the
+-iousername: and -iopassword: parameters.
+The optional -ioiscomplete switch
+tells KeePass that the path and file system credentials are complete
+(the 'Open URL' dialog will not be displayed then).
+
+The -pw-enc: parameter is similar to -pw:, but
+it requires the password to be encrypted. Encrypted passwords can be
+generated using the {PASSWORD_ENC}
+placeholder.
+
+The -entry-url-open option makes other already opened KeePass instances
+search for an entry and open its URL. The entry is identified by its UUID,
+which you can pass as -uuid: command line parameter.
+
+The -auto-type-password option is similar to -auto-type,
+but auto-types only the password of a matching entry.
+-auto-type-selected performs auto-type for the currently selected entry.
+
+The -cancel option causes all other KeePass instances to
+cancel opening/saving a database file.
+
+The path of the local configuration file can be changed
+using the -cfg-local: command line parameter.
+
+
+
The order of the arguments is arbitrary.
+
+
+
+
+Usage Examples
+
+
Open the database file 'C:\My Documents\MyDatabase.kdbx' (KeePass will prompt you
+for the password and/or key file location):
+
+
KeePass.exe "C:\My Documents\MyDatabase.kdbx"
+
+
If you got a database that is locked with a password 'abc', you could open it like this:
If your USB stick always mounts to drive F: and you've locked your database with a key file
+on the USB stick, you could open your database as follows:
You have locked your database using a password and a key file, but only
+want to have the key file preselected (i.e. you want to get prompted for the
+password), your command line would look like this:
Batch files can be used to start KeePass. Mostly you want to
+specify some of the parameters listed above. You can theoretically
+simply put the command line (i.e. application path and parameters)
+into the batch file, but this is not recommended as the command
+window will stay open until KeePass is closed. The following
+method is recommended instead:
+
+
START "" KeePass.exe ..\MyDb.kdbx -pw:MySecretPw
+
+
This START command will run KeePass (which opens the
+..\MyDb.kdbx file using
+MySecretPw as password). KeePass is assumed to be in the same
+directory (working directory) as the batch file, otherwise you need to
+specify a different path.
+
+
START executes the given command line and immediately exits,
+i.e. it doesn't wait until the application is terminated. Consequently,
+the command window will disappear after KeePass has been started.
+
+
Please note the two quotes (") after the
+START command. These quotes
+are required if the application path contains quotes (in the example
+above, the quotes could also be removed).
+If you want to learn more about the START command syntax, type
+START /? into the command window.
+
+
+
+
+Closing/Locking KeePass using a Batch File
+
+
To close all currently running KeePass instances, call
+KeePass.exe with the '--exit-all' parameter:
+
+
KeePass.exe --exit-all
+
+
All KeePass windows will attempt to close. If a database has been modified,
+KeePass will ask you whether you want to save or not. If you wish to save in
+any case (i.e. a forced exit without any confirmation dialog), enable the
+'Automatically save database on exit and workspace locking' option
+in 'Tools' → 'Options' → tab 'Advanced'.
+
+
The KeePass instance that has been created by the command above is not visible (i.e.
+it does not show a main window) and will immediately terminate after sending close
+requests to the other instances.
+
+
The --lock-all and
+--unlock-all command line options lock/unlock the workspaces
+of all other KeePass instances.
Details about how and where KeePass stores its configuration.
+
+
+
KeePass supports multiple locations for storing configuration information:
+the global configuration file in the KeePass application directory,
+a local user-dependent one in the user's private configuration folder, and
+an enforced configuration file in the KeePass application directory.
+The first one is called global,
+because everyone using this KeePass installation will
+write to the same configuration file (and possibly overwriting settings of other
+users). The second one is called local, because changes made to this configuration
+file only affect the current user.
+
+
+
+
+
+
+Configuration files are stored in XML format.
On Linux systems, the local configuration file is typically stored in
+'$XDG_CONFIG_HOME/KeePass' (which often is '~/.config/KeePass',
+where '~' is the user's home directory).
+
+
+
+
+
+Installation by Administrator, Usage by User
+
+
If you use the KeePass installer and install the program with administrator rights,
+the program directory will be write-protected when working
+as a normal/limited user. KeePass will use local configuration files, i.e. save and load
+the configuration from a file in your user directory.
+
+
Multiple users can use the locally installed KeePass. Configuration settings
+will not be shared and can be configured individually by each user.
+
+
+
+
+
+Portable Version
+
+
If you downloaded the portable version of KeePass (ZIP package), KeePass will
+try to store its configuration in the application directory. No configuration
+settings will be stored in the user directory (if the global configuration file is
+writable).
+
+
+
+
+
+Create Portable Version of Installed KeePass
+
+
If you are currently using a locally installed version of KeePass
+(installed by the KeePass installer) and want to create a portable version of it,
+first copy all files of KeePass to the portable device. Then get the configuration file
+from your user directory (application data, see above) and copy it
+over the configuration file on the portable device.
This section explains in detail how loading and saving the configuration works.
+
+
When KeePass starts up and finds both global and local configuration files, it must
+decide the order in which KeePass tries to get the configuration items.
+This is controlled by the
+(Kee)PreferUserConfiguration flag in the global configuration
+file. If it is not present, it defaults to false.
+
+
The flag is set to true in the global configuration file of the
+KeePass installer package. The portable ZIP package does not contain a configuration file,
+consequently the flag defaults to false.
+
+
+
+
+
+
+Loading:
+
+
Try to get the configuration item from the enforced configuration file.
+If found, use this one.
+
If the PreferUserConfiguration flag is true, use the item from
+the local configuration file, otherwise use the item from the global one.
+If the chosen configuration file does not contain the item, use the default value.
+
+
+Saving:
+
+
If the PreferUserConfiguration flag is true, try to store
+all configuration items into the local configuration file.
+If this fails, report the error and try to store them into the global configuration file.
+If this fails, report the error.
+
If the PreferUserConfiguration flag is false, try to store
+all configuration items into the global configuration file.
+If this fails, report the error and try to store them into the local configuration file.
+If this fails, report the error.
+
+
+The path of the local configuration file can be changed
+using the '-cfg-local:' command line parameter.
+
+
+
+
+
+
diff --git a/src/Docs/Chm/help/base/credits.html b/src/Docs/Chm/help/base/credits.html
new file mode 100644
index 0000000..e854936
--- /dev/null
+++ b/src/Docs/Chm/help/base/credits.html
@@ -0,0 +1,887 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Acknowledgements / Credits - KeePass
+
+
+
+
+
+
+
+
+
+
+
+
+
Acknowledgements / Credits
+
Thanks to various people for contributions and/or work.
+
+
+
At this place I want to thank a lot of people very much for their help,
+source code, suggestions and other contributions (in no particular order).
Developing high-quality applications takes much time and resources.
+Donations make it possible to keep up the current development standard.
+Therefore, many thanks to all who donated to the project.
+
+
More information about donations and a list of people who donated
+can be found here:
+KeePass
+Donations.
+
+
+
+
+
+Source Code Acknowledgements
+
+
KeePass uses some classes and libraries written by different
+people and given away for free. Here I want to thank them for writing
+these classes and libraries.
+
+
+
+
Author
Class / Library
+
+
Szymon Stefanek
+
C++ implementation
+of the AES/Rijndael encryption algorithm.
+
+
Niels Ferguson
+
C implementation of the Twofish encryption algorithm.
+
+
Brian Gladman
+
+
+
C implementation
+of the SHA-2 (256/384/512) hashing algorithms.
+
+
Alvaro Mendez
+
MFC class for validating edit controls (CAMSEdit).
Many thanks to Christopher Bolin for creating the main KeePass icon
+(see top left on this page) and its
+variations.
+Many thanks to Victor Andreyenkov for refining the application icons.
+
+
Many thanks to David Vignoni for creating the nice 'Nuvola' icon theme.
+Most of the icons used in KeePass and on its website are icons of this theme. You can find the
+original images on the website
+of the author, and the license below.
+
+
Furthermore, thanks to the authors of the following icons that KeePass uses:
Many thanks to all people who created translations for KeePass.
+
+
+
+
+
+Plugin Acknowledgements
+
+
Many thanks to all people who wrote plugins for KeePass. Without you, KeePass
+would be a lot less powerful and useful!
+
+
+
+
+
+Tools Acknowledgements
+
+
+
+
Thanks to Jordan Russell for creating Inno Setup. This
+tool is used to create the KeePass installation program.
+
+
+
Thanks to Dimitri van Heesch for the Doxygen utility, which is used to compile the source
+code documentation.
+
+
+
+
+
+Hosting/Distribution Acknowledgements
+
+
+
+
+
+
+
+
+
+
+
+Thanks to SourceForge
+for hosting the KeePass downloads / translations / plugins and for providing the
+project support platform (forums, feature requests / bug trackers, ...) for free.
+
+
+
+
+
+Thanks to domain)FACTORY
+for hosting the KeePass website.
+
+
+
+
+
+Thanks to datensysteme-lenk
+for hosting the German KeePass support forum in the past.
+
+
+
+
+
+
+
+Suggestions and Forum Support Acknowledgements
+
+
Thanks to all the people answering questions of others in the KeePass
+forums! A product is only as good as its support is, and I alone could
+never provide such an excellent individual help platform.
+
+
A few persons should be mentioned here, because of an extraordinary amount
+of suggestions (features, bug reports, ...) and helping others in the forums:
+Paul Tannard, Wellread1 and Michael Scheer.
+
+
+
+
+
+Special Acknowledgements
+
+
Thanks to Daniel Turini for suggesting "KeePass"
+as the name of the project.
+
+
An especially big thanks to Bill Rubin. He not only contributed a lot of
+source code to KeePass, he also had an enormous amount of feature and improvement suggestions,
+helped people in the KeePass forums, and wrote a KeePass plugin for backing up
+databases. He's also the reason why many of the sections in the KeePass Help
+are very precise, helpful, clear and easy to understand.
+In our countless hours long IM chats, we not only discussed much about the design
+of KeePass, Bill also told me a lot about C++ and other stuff. Thanks!
+
+
+
+
+
+Licenses of Components/Resources/etc.
+
+
+
Nuvola Icon Theme
+
+
Usage of the icons is allowed under the terms of the LGPL license (which you can find
+here: GNU Lesser General Public License), plus
+an addition.
+
+
TITLE: NUVOLA ICON THEME for KDE 3.x
+AUTHOR: David Vignoni | ICON KING
+SITE: http://www.icon-king.com
+MAILING LIST: http://mail.icon-king.com/mailman/listinfo/nuvola_icon-king.com
+
+Copyright (c) 2003-2004 David Vignoni.
+
+This library is free software; you can redistribute it and/or
+modify it under the terms of the GNU Lesser General Public
+License as published by the Free Software Foundation,
+version 2.1 of the License.
+This library is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+Lesser General Public License for more details.
+You should have received a copy of the GNU Lesser General Public
+License along with this library (see the the license.txt file); if not, write
+to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
+MA 02111-1307 USA
+#######**** NOTE THIS ADD-ON ****#######
+The GNU Lesser General Public License or LGPL is written for software libraries
+in the first place. The LGPL has to be considered valid for this artwork
+library too.
+Nuvola icon theme for KDE 3.x is a special kind of software library, it is an
+artwork library, it's elements can be used in a Graphical User Interface, or
+GUI.
+Source code, for this library means:
+ - raster png image* .
+The LGPL in some sections obliges you to make the files carry
+notices. With images this is in some cases impossible or hardly usefull.
+With this library a notice is placed at a prominent place in the directory
+containing the elements. You may follow this practice.
+The exception in section 6 of the GNU Lesser General Public License covers
+the use of elements of this art library in a GUI.
+dave [at] icon-king.com
+
+Date: 15 october 2004
+Version: 1.0
+
+DESCRIPTION:
+
+Icon theme for KDE 3.x.
+Icons where designed using Adobe Illustrator, and then exported to PNG format.
+Icons shadows and minor corrections were done using Adobe Photoshop.
+Kiconedit was used to correct some 16x16 and 22x22 icons.
+
+LICENSE
+
+Released under GNU Lesser General Public License (LGPL)
+Look at the license.txt file.
+
+CONTACT
+
+David Vignoni
+e-mail : david [at] icon-king.com
+ICQ : 117761009
+http: http://www.icon-king.com
+
+
+
+
+
Boost
+
+
Boost Software License - Version 1.0 - August 17th, 2003
+
+Permission is hereby granted, free of charge, to any person or organization
+obtaining a copy of the software and accompanying documentation covered by
+this license (the "Software") to use, reproduce, display, distribute,
+execute, and transmit the Software, and to prepare derivative works of the
+Software, and to permit third-parties to whom the Software is furnished to
+do so, all subject to the following:
+
+The copyright notices in the Software and this entire statement, including
+the above license grant, this restriction and the following disclaimer,
+must be included in all copies of the Software, in whole or in part, and
+all derivative works of the Software, unless such copies or derivative
+works are solely in the form of machine-executable object code generated by
+a source language processor.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT
+SHALL THE COPYRIGHT HOLDERS OR ANYONE DISTRIBUTING THE SOFTWARE BE LIABLE
+FOR ANY DAMAGES OR OTHER LIABILITY, WHETHER IN CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.
+
+
+
+
+
Twofish Implementation
+
+
Fast, portable, and easy-to-use Twofish implementation,
+Version 0.3.
+Copyright (c) 2002 by Niels Ferguson.
+
+The author hereby grants a perpetual license to everybody to
+use this code for any purpose as long as the copyright message is included
+in the source code of this or any derived work.
+
+
+
+
+
SHA-2 Implementation
+
+
Copyright (c) 2003, Dr Brian Gladman, Worcester, UK. All rights reserved.
+
+LICENSE TERMS
+
+The free distribution and use of this software in both source and binary
+form is allowed (with or without changes) provided that:
+
+ 1. distributions of this source code include the above copyright
+ notice, this list of conditions and the following disclaimer;
+
+ 2. distributions in binary form include the above copyright
+ notice, this list of conditions and the following disclaimer
+ in the documentation and/or other associated materials;
+
+ 3. the copyright holder's name is not used to endorse products
+ built using this software without specific written permission.
+
+ALTERNATIVELY, provided that this notice is retained in full, this product
+may be distributed under the terms of the GNU General Public License (GPL),
+in which case the provisions of the GPL apply INSTEAD OF those given above.
+
+DISCLAIMER
+
+This software is provided 'as is' with no explicit or implied warranties
+in respect of its properties, including, but not limited to, correctness
+and/or fitness for purpose.
+---------------------------------------------------------------------------
+Issue 01/08/2005
+
+
+
+
+
CSendKeys
+
+
Copyright (c) 2004 lallous <lallousx86@yahoo.com>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+---------------------------------------
+
+The Original SendKeys copyright info
+
+SendKeys (sndkeys32.pas) routine for 32-bit Delphi.
+Written by Ken Henderson
+Copyright (c) 1995 Ken Henderson <khen@compuserve.com>
+
+
+
+
+
Command Line Classes
+
+
Copyright (c) 2006, Bill Rubin <rubin@contractor.net>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ * Neither the name of Quality Object Software, Inc., nor the names of
+ its contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+
+
+
+
Argon2 Implementation
+
+
Argon2 reference source code package - reference C implementations
+
+Copyright 2015
+Daniel Dinu, Dmitry Khovratovich, Jean-Philippe Aumasson, and Samuel Neves
+
+You may use this work under the terms of a Creative Commons CC0 1.0
+License/Waiver or the Apache Public License 2.0, at your option. The terms of
+these licenses can be found at:
+
+- CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
+- Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0
+
+The terms of the licenses are reproduced below.
+
+--------------------------------------------------------------------------------
+
+Creative Commons Legal Code
+
+CC0 1.0 Universal
+
+ CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
+ LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
+ ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
+ INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
+ REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
+ PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
+ THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
+ HEREUNDER.
+
+Statement of Purpose
+
+The laws of most jurisdictions throughout the world automatically confer
+exclusive Copyright and Related Rights (defined below) upon the creator
+and subsequent owner(s) (each and all, an "owner") of an original work of
+authorship and/or a database (each, a "Work").
+
+Certain owners wish to permanently relinquish those rights to a Work for
+the purpose of contributing to a commons of creative, cultural and
+scientific works ("Commons") that the public can reliably and without fear
+of later claims of infringement build upon, modify, incorporate in other
+works, reuse and redistribute as freely as possible in any form whatsoever
+and for any purposes, including without limitation commercial purposes.
+These owners may contribute to the Commons to promote the ideal of a free
+culture and the further production of creative, cultural and scientific
+works, or to gain reputation or greater distribution for their Work in
+part through the use and efforts of others.
+
+For these and/or other purposes and motivations, and without any
+expectation of additional consideration or compensation, the person
+associating CC0 with a Work (the "Affirmer"), to the extent that he or she
+is an owner of Copyright and Related Rights in the Work, voluntarily
+elects to apply CC0 to the Work and publicly distribute the Work under its
+terms, with knowledge of his or her Copyright and Related Rights in the
+Work and the meaning and intended legal effect of CC0 on those rights.
+
+1. Copyright and Related Rights. A Work made available under CC0 may be
+protected by copyright and related or neighboring rights ("Copyright and
+Related Rights"). Copyright and Related Rights include, but are not
+limited to, the following:
+
+ i. the right to reproduce, adapt, distribute, perform, display,
+ communicate, and translate a Work;
+ ii. moral rights retained by the original author(s) and/or performer(s);
+iii. publicity and privacy rights pertaining to a person's image or
+ likeness depicted in a Work;
+ iv. rights protecting against unfair competition in regards to a Work,
+ subject to the limitations in paragraph 4(a), below;
+ v. rights protecting the extraction, dissemination, use and reuse of data
+ in a Work;
+ vi. database rights (such as those arising under Directive 96/9/EC of the
+ European Parliament and of the Council of 11 March 1996 on the legal
+ protection of databases, and under any national implementation
+ thereof, including any amended or successor version of such
+ directive); and
+vii. other similar, equivalent or corresponding rights throughout the
+ world based on applicable law or treaty, and any national
+ implementations thereof.
+
+2. Waiver. To the greatest extent permitted by, but not in contravention
+of, applicable law, Affirmer hereby overtly, fully, permanently,
+irrevocably and unconditionally waives, abandons, and surrenders all of
+Affirmer's Copyright and Related Rights and associated claims and causes
+of action, whether now known or unknown (including existing as well as
+future claims and causes of action), in the Work (i) in all territories
+worldwide, (ii) for the maximum duration provided by applicable law or
+treaty (including future time extensions), (iii) in any current or future
+medium and for any number of copies, and (iv) for any purpose whatsoever,
+including without limitation commercial, advertising or promotional
+purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
+member of the public at large and to the detriment of Affirmer's heirs and
+successors, fully intending that such Waiver shall not be subject to
+revocation, rescission, cancellation, termination, or any other legal or
+equitable action to disrupt the quiet enjoyment of the Work by the public
+as contemplated by Affirmer's express Statement of Purpose.
+
+3. Public License Fallback. Should any part of the Waiver for any reason
+be judged legally invalid or ineffective under applicable law, then the
+Waiver shall be preserved to the maximum extent permitted taking into
+account Affirmer's express Statement of Purpose. In addition, to the
+extent the Waiver is so judged Affirmer hereby grants to each affected
+person a royalty-free, non transferable, non sublicensable, non exclusive,
+irrevocable and unconditional license to exercise Affirmer's Copyright and
+Related Rights in the Work (i) in all territories worldwide, (ii) for the
+maximum duration provided by applicable law or treaty (including future
+time extensions), (iii) in any current or future medium and for any number
+of copies, and (iv) for any purpose whatsoever, including without
+limitation commercial, advertising or promotional purposes (the
+"License"). The License shall be deemed effective as of the date CC0 was
+applied by Affirmer to the Work. Should any part of the License for any
+reason be judged legally invalid or ineffective under applicable law, such
+partial invalidity or ineffectiveness shall not invalidate the remainder
+of the License, and in such case Affirmer hereby affirms that he or she
+will not (i) exercise any of his or her remaining Copyright and Related
+Rights in the Work or (ii) assert any associated claims and causes of
+action with respect to the Work, in either case contrary to Affirmer's
+express Statement of Purpose.
+
+4. Limitations and Disclaimers.
+
+ a. No trademark or patent rights held by Affirmer are waived, abandoned,
+ surrendered, licensed or otherwise affected by this document.
+ b. Affirmer offers the Work as-is and makes no representations or
+ warranties of any kind concerning the Work, express, implied,
+ statutory or otherwise, including without limitation warranties of
+ title, merchantability, fitness for a particular purpose, non
+ infringement, or the absence of latent or other defects, accuracy, or
+ the present or absence of errors, whether or not discoverable, all to
+ the greatest extent permissible under applicable law.
+ c. Affirmer disclaims responsibility for clearing rights of other persons
+ that may apply to the Work or any use thereof, including without
+ limitation any person's Copyright and Related Rights in the Work.
+ Further, Affirmer disclaims responsibility for obtaining any necessary
+ consents, permissions or other rights required for any use of the
+ Work.
+ d. Affirmer understands and acknowledges that Creative Commons is not a
+ party to this document and has no duty or obligation with respect to
+ this CC0 or use of the Work.
+
+--------------------------------------------------------------------------------
+
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
If you like KeePass and would like to help the developers in some way:
+
+
+
Donate
+This is the best way of helping, if you don't have that much time or experience
+in application development.
+
Make a translation
+If you have some free time, you could make a translation of KeePass (of course only if you're
+language isn't offered already).
+
+
Test new releases and report bugs
+KeePass is under constant development, new features get implemented, bugs get fixed. If you
+have some free time, you could
+test new releases thoroughly and report bugs. If you're a programmer, look through the sources to
+find bugs and maybe even submit fixes.
+
Spread the word
+If you like KeePass, tell all your friends how great KeePass is, publish articles
+about it, press it on CDs/DVDs, ship USB sticks preinstalled with it, submit it to software
+archives, talk in forums about it, etc.!
+
+
+
+
+
+
+May KeePass be used in a company?
+
+
Yes. KeePass is free software and you don't have to pay any
+fees. You may freely use KeePass under the terms of its
+
+
+
+
+license.
+
+
+
+
+
But of course, if you like KeePass,
+donations
+are always greatly appreciated.
+
+
+
+
+
+
+You might be interested in this page:
+Customization (2.x).
+
+
+
+
+
+
+What about a centralized KeePass Internet server?
+
+
The idea on the first glance sounds simple and useful: there should be a centralized
+KeePass Internet server, on which all users can store their passwords. By having
+Internet connection, you'd have access to all your passwords.
+
+
Note that this idea is different from simply providing webspace. KeePass 2.x already
+supports storing databases on servers using HTTP/FTP. The point is
+having one server for all users.
+
+
When creating such a server, there are several difficulties:
+
+
+
A fairly complex synchronization and caching mechanism will be required.
+You won't want to transfer the complete database, otherwise the service will be unusable
+for everyone storing attachments, etc.
+
+
Directly related to the previous point: in order to do synchronization, the server needs
+to be able to read and understand databases, i.e. some dedicated KeePass server
+would need to be written. While the transport way could be secure HTTPS, the server
+certainly has some user data as plain text in memory for some time. One needs
+to be very careful here. What to do if the server gets compromised? The security
+implications would be horrible, if an attacker could read any user data.
+
+
How to avoid server compromises? If a normal Internet server is compromised,
+the security implications are minimal: in the worst case all user accounts and data for this
+website are lost. But with a KeePass server, whole identities would be lost. An attacker
+couldn't only impersonate someone on this particular server, but on the complete Internet
+and real world, depending on what is stored in the databases.
+
+Therefore, banking-level security systems would be required for a KeePass server.
+Keeping PHP / ASP / Linux / Windows (or whatever will be used) up-to-date definitely
+is not enough here.
+
+
+
Basically you offer people webspace for their databases, therefore the service
+obviously will cost something. By charging people, they expect reliability and you
+need to make up-time guarantees. Therefore, at least 2 servers are required (by
+different hosters), which need to be synchronized.
+
+
+
Summary: a centralized Internet server currently is out of range. If someone wants
+to start a company providing such a service, feel free to use KeePass as base
+application (of course respect the Open Source terms).
+
+
But what can and probably will be done later is a local intranet KeePass server (for
+companies for example).
+Employees could log in to the company's password server and use it. But a centralized Internet
+server – no chance.
+I've saved my options, but when I reopen KeePass I get the old options. What's wrong?
+
+
KeePass supports two different locations for storing configuration information:
+the global configuration file in the KeePass directory and a local, user-dependent
+one in the user's private configuration folder. Most likely you do not have write
+access to your global configuration file.
Symptoms: When trying to run KeePass 2.x on Windows ≤ XP,
+an error message like the following is displayed:
+"A required .DLL file, MSCOREE.DLL, was not found" or
+"The application failed to initialize properly (0xc0000135)".
+
+
Cause: KeePass 2.x requires Microsoft .NET Framework ≥ 2.0.
+
+
Resolution: Install Microsoft .NET Framework 2.0 or higher.
+It is available as a free download from the Microsoft website:
+
+Microsoft .NET Framework.
+Alternatively, you can install it through
+Windows Update (the framework is an optional component).
+
+
KeePass 1.x does not require this framework.
+
+
+
+
+
+Why does KeePass 2.x crash when starting it from a network drive/share?
+
+
Symptoms: When trying to run KeePass 2.x from a network drive/share,
+you get an error message like the following:
+"Application has generated an exception that could not be
+handled" or
+"KeePass has encountered a problem and needs to close".
+
+
Cause: The strict default security policy by the Microsoft .NET
+Framework disallows running .NET applications from a network drive/share.
+
+
Recommended resolution: Copy/install KeePass 2.x onto a local hard
+disk, and run the copy.
+
+
Alternative, not recommended resolution:
+Configure the security policy to allow running .NET applications from
+network drives/shares. Ask your administrator to do this (administrative
+rights are required). If you have administrative rights and want to do
+it yourself, you can use the
+
+Code Access Security Policy Tool (Caspol.exe)
+that ships with the .NET framework (helpful instructions can be found
+
+
+here and
+
+
+
+here).
+
+
+
+
+
+Does KeePass 2.x use FIPS-validated algorithm implementations?
+
+
KeePass uses many algorithms. This FAQ answer focuses on the algorithms
+used for encrypting/decrypting a database file.
+Typically, KeePass primarily uses AES-256, SHA-256, HMAC-SHA-256 and SHA-512
+here (unless the user has specified a different
+encryption algorithm or a different
+key derivation function in the
+database settings).
+For these algorithms, the .NET Framework provides classes, and KeePass
+uses these.
+
+
Since version 4.8, the .NET Framework supports using FIPS-validated
+implementations of the algorithms above
+(see 'What's new in .NET Framework 4.8').
+
+
For compatibility with older .NET Framework versions, KeePass ignores
+the FIPS mode by default. If all your PCs have the .NET Framework 4.8 or higher
+installed, you can enable the usage of FIPS-validated algorithm
+implementations by opening the 'KeePass.exe.config' file using a text editor
+and deleting the line
+'<enforceFIPSPolicy enabled="false" />'.
+
+
Implementations of other algorithms (such as ChaCha20 and Argon2) are not
+FIPS-validated. If Microsoft provides validated implementations of those
+algorithms in the future, we will consider using them.
+
+
+
+
+
+
+Why doesn't the CHM help file work?
+
+
Symptoms: When trying to open the KeePass CHM help file from
+a remote computer or shared network drive, it's not displayed correctly
+(navigation aborted, ...).
+Where can I find more application icons for Windows shortcuts?
+
+
+
+
+Application icons are icons in Windows ICO format. They can be used in
+Windows shortcuts and/or as file association icons. The KeePass executable
+contains various application icons which can be used for these purposes.
+
+Additional application icons are available from the "Ext/Icons_*"
+directories of the KeePass source code package.
+Most of them, shown at right, are slight variations of the main KeePass icon.
+
+Even more, contributed icons (by users) can be found on the
+plugins page.
+
+If you have multiple KeePass databases, you can use differently colored KeePass
+application icons in order to distinguish them.
+
+These icons are not included in the binary distribution because this would make
+the application file too large.
+
+
+
+
+
+
+
+
+
+How can I add more client icons for password entries?
+
+
+
+
+Client icons are the icons used for password entries and groups within KeePass.
+Each entry can be assigned its own icon.
+
+
+
+
+You can import your own icons into KeePass databases. For this, click the 'Add...'
+button in the icon picker dialog.
+
+Supported formats are BMP, EMF, GIF, ICO, JPEG, PNG, TIFF and WMF.
+
+
+
+
+
+
+
+
+
+
+
+This does not apply to KeePass 2.x.
+
+
+
+
+
+
+Why doesn't Auto-Type work correctly on Polish systems?
+
+
On Polish systems, the default auto-type hot key
+Ctrl+Alt+A
+conflicts with a system command and is frequently used in typing.
+Therefore, auto-type is often executed accidentally.
+
+
The global auto-type hot key can be changed to a different key combination
+in the KeePass options (see
+Auto-Type for details).
+
+
+
+
+
+
+Why doesn't printing work in KeePass 1.x?
+
+
Symptoms: When trying to print a password list in KeePass 1.x,
+nothing happens after clicking OK in the 'Print Options' dialog.
+
+
Cause: KeePass 1.x uses the application associated with .html
+files to print the password list. If this application doesn't support the
+"print" shell verb (like Mozilla Firefox), nothing happens.
+
+
Resolution: Associate .html files with a different
+application that supports the "print" shell verb (like Internet Explorer).
+
+
Alternative Resolution / Workaround:
+Click 'File' → 'Print Preview' in KeePass 1.x and
+manually print the document in the application that just opened the file.
+
+
+
+
+
+
+Why does KeePass try to connect to the Internet?
+
+
KeePass has an option to automatically check for updates on each program start.
+In order to check for updates, KeePass downloads a small version information
+file and compares the available version with the installed version.
+No personal information is sent to the KeePass web server.
+
+
Automatic update checks are performed unintrusively in the background.
+A notification is only displayed when an update is available. Updates are not
+downloaded or installed automatically.
+
+
The option is disabled by default. You can enable/disable it in
+'Tools' → 'Options' → tab 'Advanced'.
+
+
+
+
+
+Does the GUI support dark themes?
+
+
Yes. KeePass supports all system themes, including dark ones.
+
+
+
On Windows 11, a (dark) theme can be selected in the
+Windows Settings → 'Accessibility' → 'Contrast themes'.
+
On Windows 10, a (dark) theme can be selected in the
+Windows Settings → 'Ease of Access' → 'High contrast'.
+
On Windows 7, 8 and 8.1, a (dark) theme can be selected in the
+Windows Control Panel → 'Appearance and Personalization' → 'Personalization'.
+
+
+
+
Example (Windows 11, 'Dusk' theme):
+
+
+
+
+
+
Option 'Choose your (default app) mode' → 'Dark'.
+Windows 11 has an option 'Choose your mode' (on Windows 10, it is called
+'Choose your default app mode'), which can be set to 'Dark'.
+Note that this option applies to UWP apps only, not to regular Windows applications.
+Windows allows the UWP option to contradict the system theme
+(e.g. a light system theme may be active even when the UWP option is set to 'Dark').
+KeePass is a regular Windows application, not a UWP app,
+thus it follows the system theme, not the UWP option.
+This is the expected behavior; KeePass does not have anything to do
+with UWP options.
+
+
Custom appearance.
+If you want to change KeePass' appearance independent of the active
+system theme, you might be interested in the
+KeeTheme plugin.
+
+
+
+
+
+How to change the GUI font (size)?
+
+
KeePass uses the default graphical user interface (GUI) font that has
+been specified in the operating system settings.
+So, if you want to change the font (especially the size of the font)
+that KeePass uses, change it globally.
+
+
+
On Windows 11, the font size can be changed in the Windows Settings →
+'System' → 'Display' → 'Scale & layout' →
+option 'Scale'.
+Restart Windows after changing this option.
+
+Do not use the option 'Text size' (in the
+Windows Settings → 'Accessibility' → 'Vision'),
+because this option does not scale all texts properly.
+
+
On Windows 10, the font size can be changed in the Windows Settings →
+'System' → 'Display' → 'Scale & layout' →
+option 'Change the size of text, apps, and other items'.
+Restart Windows after changing this option.
+
+Do not use the option 'Make text bigger' (in the
+Windows Settings → 'Ease of Access' → 'Display'),
+because this option does not scale all texts properly.
+
+
On Windows 7, 8 and 8.1, the font size can be changed in the
+Windows Control Panel → 'Appearance and Personalization' → 'Display'.
+
+
On Linux systems with KDE 5 or higher, the font can be
+changed in the system settings → 'Fonts'.
+
+
On Linux systems with GNOME 3 or higher, the font can be
+changed using GNOME Tweaks → 'Fonts'.
+
+
+
In addition to supporting these system settings, KeePass allows
+to customize the fonts that are used in lists and for passwords
+(in the options dialog; these settings affect KeePass only,
+no other applications).
+
+
+
+
+
+
+
+Is Auto-Type keylogger-safe?
+
+
Is the Auto-Type feature resistant to keyloggers?
+
+
+
+
+
+
+By default: no. The Auto-Type method in KeePass 2.x works the same as the one in
+1.x and consequently is not keylogger-safe.
+
+However, KeePass features an alternative method called
+Two-Channel Auto-Type Obfuscation (TCATO),
+which renders keyloggers useless. This is an opt-in feature (because it
+doesn't work with all windows) and must be enabled for entries manually.
+See the TCATO documentation for details.
+
+
+
+
+
+
+Can Auto-Type locate child controls?
+
+
No. Auto-Type only checks whether the title of the currently active top level
+window matches.
+
+
Browsers like Mozilla Firefox completely draw the window (all controls)
+themselves, without using standard Windows controls. Consequently it is
+technically impossible for KeePass to check whether a URL matches (methods
+like creating a screenshot and using optical character recognition
+are not reliable and secure). Also, it's impossible to check which child
+control currently has the focus. These problems can only be avoided by using
+browser integration plugins, i.e. not using auto-type at all.
+
+
The user must make sure that the focus
+is placed in the correct control before starting auto-type.
+
+
+
+
+
+Could you add the ... encryption algorithm to KeePass?
+
+
+
+
+
+
+
+
+AES (Rijndael) and ChaCha20 are supported.
+There exist various
+plugins
+that provide support for additional encryption algorithms,
+including but not limited to Twofish, Serpent and GOST.
+
+If you'd like to implement an algorithm, have a look at the ArcFourCipher sample plugin.
+
+
+
+
+
+
+Why doesn't KeePass lock while a sub-dialog is open?
+
+
KeePass has various options to lock its workspace automatically
+(after some time of inactivity, when the computer gets locked or the user
+is switched, when the computer gets suspended, etc.).
+However, the workspace is not locked automatically while a sub-dialog
+(like the 'Edit Entry' dialog) is open.
+
+
To understand why this behavior makes sense, it is first important to know what happens
+when the workspace gets locked. When locking, KeePass completely closes the database
+and only remembers several view parameters, like the last selected group, the top visible
+entry, selected entries, etc. From a security point of view, this achieves the best
+security possible: breaking a locked workspace is equal to breaking the database itself.
+
+
Now back to the original question. Let's assume a sub-dialog is open and
+one of the events occurs that should automatically lock the workspace.
+What should KeePass do now?
+In this situation, KeePass cannot ask the user what to do,
+and must make an automatic decision. There are several possibilities:
+
+
+
Do not save the database and lock.
+In this case, all unsaved data of the database would be lost. This not only applies to
+the data entered in the current dialog, but to all other entries and groups
+that have been modified previously.
+
+
Save the database and lock.
+In this case, possibly unwanted changes are saved. Often you open files, try something,
+having in mind that you can just close the file without saving the changes.
+KeePass has an option 'Automatically save database when KeePass closes or the workspace
+is locked'. If this option is enabled and no sub-dialog is open, it's clear what to do:
+try to save the database and if successful: lock the workspace. But what to do with
+the unsaved changes in the sub-dialog? Should it be saved automatically, taking away the
+possibility of pressing the 'Cancel' button?
+
+
Save to a temporary file and lock.
+This appears to be the best alternative at first glance, but there are several problems with
+it, too. First of all, saving to a temporary file could fail (for example, there could be too
+few free disk space, or some other program like a virus scanner could block it).
+Secondly, saving to a temporary file isn't uncritical from a security point of view.
+When having to choose a location, typically the user's temporary directory on the hard
+disk is chosen (because it likely has enough free space, required rights for access, etc.).
+KeePass databases could be leaked and accumulated there.
+It's not clear what should happen when the computer is being shutdown or crashes while being
+locked. When the database is opened the next time, should it use the database stored in
+the temporary directory instead? What should happen if the 'real' database has been modified
+in the meanwhile (a quite realistic situation if you're carrying your database on an
+USB stick)?
+
+
+
Obviously, none of these alternatives is satisfactory.
+Therefore, KeePass implements the following simple and easy to understand behavior:
+
+
KeePass doesn't lock while a sub-dialog is open.
+
+
This simple concept avoids the problems above. The user is responsible for the
+state of the program.
+
+
+
+
Note that opening a sub-dialog is typically only required for
+editing something; it is not required for using
+entries, as the main window provides
+various methods for this.
+
+
Locking when Windows locks.
+On Windows XP and older, the Windows service 'Terminal Services'
+should be enabled. If this service is disabled, locking KeePass
+when Windows locks might not work. This service isn't required on newer
+operating systems.
+
+
+
+
+
+Printing creates a temporary file. Will it be erased securely?
+
+
KeePass creates a temporary HTML file when printing password lists and showing
+print previews. This file is securely deleted when closing the database.
+
+
You must wait for the file being printed completely before closing KeePass
+(and close the print preview before closing KeePass), otherwise it could happen
+that the printing application blocks KeePass from deleting the file.
+
+
There is no way around the temporary file in the current printing system.
+If you want to write a plugin that directly sends the data to the printer, you can
+find a plugin development tutorial here:
+KeePass 2.x Plugin Development.
+
+
+
+
+
+
+
+Why the estimated quality of a password suddenly drops?
+
+
For estimating the quality/strength of a password, KeePass not only uses
+statistical methods (like checking which character ranges are used,
+repeating characters and differences), it also has a built-in list of
+common passwords and checks for patterns. When completing a common password or a
+repetition, the estimated quality can drop.
+How to store and work with large amounts of (formatted) text?
+
+
+
+
+
+
+
+
+
+
+KeePass has a built-in editor that allows working conveniently with
+large amounts of (formatted) texts.
+
+To add a large text to an entry, import the file as attachment
+(or click 'Attach' → 'Create Empty Attachment').
+The built-in editor supports *.TXT (simple text) and *.RTF (formatted text) files.
+
+In order to edit an attachment, right-click onto the entry in the main window,
+point on 'Attachments' and click 'YourFile.*'. Alternatively,
+if the text file
+is the only attachment, you can open it by just double-clicking onto
+it in the main window (enable showing the attachment column in 'View' →
+'Configure Columns' → 'Attachments'). Alternatively, it's also possible to click the name of
+the attachment in the entry details view in the main window.
+
+For TXT files, the built-in editor supports standard operations like cut,
+copy, paste, undo, word wrap, etc. For RTF files, additionally standard formatting
+commands are available: choosing the font, font size, bold, italic, underline,
+strikeout, text and background colors, align left/center/right, etc.
+
+
+
+
+
+
+
+
+
+
+Can an e-mail address field be added?
+
+
A few times it has been requested that a standard entry field for e-mail addresses
+is added (on the main tab page in the entry editing dialog).
+The short answer: an e-mail address field will not be added
+due to usability reasons. Now the long answer.
+
+
First of all, let's assume that most of the entries stored in KeePass
+contain information for logging in to websites.
+When you register an account for a website, you often have to specify a
+user name as well as an e-mail address. When you regularly
+log in later, you usually only need to provide either user name + password
+or e-mail + password (never user name + e-mail + password).
+Here the first part (which is either user name or e-mail) serves as
+identification: you tell the website who you are.
+The second part (password) provides authentication: you prove to the
+website that you're really the one who you claim to be.
+
+
There are various methods how KeePass can transfer data to
+other applications. All of these methods by default assume that the content
+of the user name field is used for identification. For example,
+the default auto-type sequence of
+an entry is
+{USERNAME}{TAB}{PASSWORD}{ENTER}, the default
+KeeForm
+configuration uses the user name, etc.
+Now on the one hand some websites require an e-mail address instead
+of a user name. On the other hand we want the default data transfer configuration
+to work for most websites (such that the work that the user has to put
+into the configuration is kept minimal and only needed for
+websites using special login forms).
+
+
The solution is simple: instead of interpreting the 'User Name' field
+strictly as a field containing a user name, users should rather interpret
+it as a field in which the data required for identification is stored.
+This data can consist of a user name, an e-mail address or something else
+(e.g. an account number for an online banking website).
+By handling it like this, the default data transfer configuration will work for most
+websites, i.e. zero amount of work needs to be put into
+the configuration.
+If you had to provide both a user name and an e-mail address at
+registration time, the other information (which isn't required
+on a regular basis) can be stored e.g. in
+the notes field or a custom string field of the KeePass entry.
+
+
Now assume a separate e-mail field would be added.
+When users store both a user name and an e-mail address,
+KeePass cannot know which of the two is required for identification.
+So, in order to setup data transfer for the entry, users would be forced
+to choose which of the two fields should be used.
+
+
So, adding an e-mail field would be a step back in usability,
+because it forces users to put additional time into data transfer configuration.
+The current system ('User Name' containing identification information,
+without a separate e-mail field) doesn't require this, and thus is
+the better solution.
+
+
For users that are willing to manually configure the data transfer for each
+entry, there are multiple ways to get a separate e-mail address field.
+After switching to the 'Advanced' tab in the entry editing dialog,
+an e-mail address field can be added as custom string.
+If the field should appear on the main tab page of the dialog, the
+KPEntryTemplates plugin can be used.
KeePass can insert data stored in different
+entries into fields of an entry.
+This means that multiple entries can share a common
+field (user name, password, ...), and by changing the actual data entry,
+all other entries will also use the new value.
+
+
To create a field reference, you can either use the
+convenient field references wizard (in the entry editing window,
+click the 'Tools' button at the bottom left and select
+'Insert Field Reference'), or insert the placeholder manually
+(see the syntax below).
+
+
Note that field references are intended for referencing data stored
+in different entries. If you want to insert data from the
+same/current entry, you should use local placeholders, like
+{TITLE} and {S:FieldName};
+see Placeholders.
+
+
+
+
+
+Placeholder Syntax
+
+
The placeholder syntax for field references is the following:
+
+
{REF:<WantedField>@<SearchIn>:<Text>}
+
+
The WantedField and SearchIn parts need to be replaced by
+1-letter codes identifying the field:
+
+
+
+
Code
Field
+
T
Title
+
U
User name
+
P
Password
+
A
URL
+
N
Notes
+
I
UUID
+
O
Other custom strings (KeePass 2.x only)
+
+
+
The Text part is the search string, which describes the text(s)
+that must occur in the specified field of an entry to match.
+
+
If multiple entries match the specified search criterion, the first
+entry will be used.
+To avoid ambiguity, an entry can be identified by its UUID, which is unique.
+Example:
+{REF:P@I:46C9B1FFBD4ABC4BBB260C6190BAD20C} would insert the
+password of the entry having 46C9B1FFBD4ABC4BBB260C6190BAD20C as UUID.
+
+
+Referencing fields of other entries only works with standard fields, not
+with custom user strings.
+If you want to reference a custom user string, you need
+to place a redirection in a standard field of the entry with the custom string,
+using {S:<Name>},
+and reference the standard field.
+
+Custom strings can locally (i.e. within an entry) be referenced using
+{S:<Name>},
+see the page Placeholders for details.
+
+You can use the O code to make KeePass search the database for
+custom string fields (to identify the referenced source entry),
+but O cannot be used to retrieve data from custom fields (i.e. the
+code can't be used as WantedField).
+
+
+
+
+
+
+
+
+Example
+
+
Let's assume you have two entries: one with title "Example Website"
+and one with "Example Forum", and you want to insert the user name
+of the website account into the URL of the forum entry. Within the forum entry's
+URL, you could reference the user name like this:
+https://forum.example.com/?user={REF:U@T:Example Website}
A short tutorial showing you the basic usage of KeePass.
+
+
+
This short tutorial will show you how to actually use KeePass. It describes
+only the basic usage, advanced features are covered on separate pages.
+
+
+
Creating a new database
+
+
The very first step is creating a new password database. KeePass will store all
+your passwords in such a database. To create one, click
+'File' → 'New...' in the main menu or click the leftmost toolbar button.
+A window will appear, which prompts you for a master password and/or key file.
+The database will be encrypted with the password you enter here. The password
+you enter here will be the only password you'll ever have to remember from on
+now. It should be long and built up of mixed characters. Keep in mind that when
+someone gets your database file and guesses the password, he could access all
+passwords you stored in the database.
+
+
For this tutorial, we'll just use a password, not a key file. Click into the password edit
+field and enter a password of your choice. The password edit control isn't limited in length, so
+feel free to even enter a whole sentence (just keep in mind that you'll need to
+remember it).
+
+
+
+
+
+
+After clicking [OK], a second dialog appears. In this dialog you can configure
+some generic database properties. For now, just leave everything as it is and
+click [OK].
+
+
+
Now you see the main window. On the left, you see the entry groups. On the
+right, you see the actual password entries. The password entries are
+grouped together into the password groups you see on the left. So, depending
+on which group on the left you selected, it'll show you the entries in this group
+in the right view. KeePass has created a few default groups for you, but you're
+totally free to delete them and create your own ones.
+
+
+
Adding an entry
+
+
Time to store your very first password in the KeePass database! Right-click
+into the right password entry view and choose 'Add Entry...'. A window
+will pop up. In this window you can now edit your entry: enter a title for
+it, a user name, a URL, the password, etc. If you don't need some of the
+fields, just leave them empty. When you're done, click [OK].
+
+
+
Using entries
+
+
Your new entry is displayed in the
+main entry list now.
+There are various ways how you can use it.
+
+
For example, you can copy the user name of the entry into the clipboard.
+In order to invoke the 'Copy User Name' command, double-click onto the
+user name cell in the main entry list.
+Alternatively, the command can be invoked via the main menu,
+the context menu, the toolbar button, or by pressing
+Ctrl+B.
+When the user name is in the clipboard, you can paste it into the
+target window.
+
+
Copying passwords and other fields works analogously.
+
+
Alternatively, you can drag&drop fields into other windows.
+For details, see Drag&Drop.
+
+
+
Saving the database
+
+
It's time to save your database. Click onto the 'Save' toolbar button
+(which has a disk icon).
+
+
+
More
+
+
That's it! You've made the first steps in using KeePass! You can now have a look
+at the more advanced features of KeePass.
+
+
Passwords and Key Files: In the tutorial above we've encrypted
+the database using a password. But KeePass also supports key files, i.e. you can
+lock your database using a file (which you can carry around on your USB stick
+for example). It even supports combining those two methods for maximum security.
+
+
TAN Entries: TAN entries are one-time passwords. Many
+banks are using TANs for better security. KeePass supports TAN entries, by
+making them expire automatically when using them.
+
+
Auto-Type: The auto-typing functionality is a very
+powerful feature. In the tutorial above you've copied the user name and password
+of an entry to the clipboard. Wouldn't it be nice if KeePass would just type
+those strings for you into other windows? Wouldn't it be nice if you could define
+whole sequences of keypresses that KeePass should type for you? That's exactly
+what the auto-type feature does: it sends simulated keypresses for you to
+other windows!
+
+
URL Field: The URL field supports URLs
+of course. In the tutorial, you've learned that you can enter simple URLs into
+this field and KeePass will open the browser window for you. But the URL field
+can do more! It actually supports many different protocols (not just http)
+and supports executing
+Windows command lines through the cmd:// virtual protocol. The
+field also features a powerful substitution engine, replacing codes
+by other fields (user name, password, ...) of this entry.
+
+
Command Line Parameters: You can open .kdb(x) files by
+passing the file name to the KeePass executable file. But did you know that you can
+also send the password for the database and key file location over the command line?
+You can also use the command line to preselect a key file for you.
+
+
+
+
+
Plugins:
+
+
+KeePass features a powerful plugin architecture.
+If you miss some functionality, have a look at the plugins page to see if there
+are other people that have already written plugins for this. Many plugins exist
+to import/export data from/to other file formats.
Unfortunately there isn't any standard password database format. Every password
+manager uses its own file format. Anyway, almost all support exporting to CSV or XML
+files. This sounds good at first glance, but CSV and XML files aren't specialized password
+database formats, they only specify a low-level layout of the stored data (for CSV: data fields
+are separated by commas; for XML: hierarchical form using tags). These formats do not
+specify the high-level arrangement of the data (for CSV: order/meaning of the fields; for
+XML: tag names and structure). Because of this, many users are confused when application #1
+exports data to CSV/XML and application #2 can't read the CSV/XML file, although it claims
+that it can read those files.
+
+
This help page details the expected CSV and XML file formats. Knowing the formats which
+KeePass expects, you can reformat CSV and XML files exported by other password managers to
+match the KeePass formats. CSV files can be reformatted using e.g. LibreOffice Calc
+(see below).
+XML files can be reformatted using an XML editor.
+
+
KeePass can import many password database formats directly (see top of this page).
+Additionally, there are specialized KeePass
+plugins available
+for importing more formats (like AnyPassword CSV, Oubliette files, PINs TXT, ZSafe files,
+and many more). Using these plugins, you don't need to manually reformat the output of
+other password managers; you can directly import the exported files.
+
+
If no import plugin exists for importing data from your previous password manager,
+feel free to post a request for it in the
+KeePass Feature Requests Tracker
+or in the
+Open
+Discussion forum.
+
+
+
+
+
+File Format: CSV (KeePass 1.x)
+
+
KeePass imports and exports data from/to CSV files in the following format:
The 'Account' field in a CSV file corresponds to the title field of
+a KeePass entry, 'Login Name' corresponds to the user name,
+'Web Site' corresponds to the URL, and 'Comments' correspond to the notes.
+The CSV field names differ from the KeePass entry field names
+in order to ensure the compatibility with certain other applications.
+
+
For a detailed example, download this file:
+
+FileSample_CSV.zip.
+This file is zipped only in order to ensure correct encoding (if not zipped, browsers or
+download managers could automatically convert the file to a different encoding). When importing
+a CSV file, it must not be zipped!
+
+
Important notes about the format:
+
+
+
The file must be encoded using UTF-8 (Unicode). Other encodings are not supported.
+
CSV files only support the following fields: title, user name, password, URL and notes.
+Other fields like last entry modification time, expiration time, icon, entry file attachments,
+etc. are not supported. If you want to transfer such information, you have to use
+a different format (like XML).
+
All fields must be enclosed in quotes ("). These quotes are mandatory, unquoted fields are not allowed.
+
Quotes (") in strings are encoded as \" (two characters).
+Backslashes (\) are encoded as \\.
+
Multiline comments are realized through normal line breaks. Encoding line breaks
+by \n is not supported.
+
+
+
Microsoft Excel by default does not enclose fields in quotes (").
+It is recommended that you use
+LibreOffice Calc
+to create a correct CSV file (see below), or use the Generic CSV Importer
+of KeePass 2.x (import your CSV file into KeePass 2.x, then export the data to a
+KeePass 1.x KDB file), or fix the CSV file by manually adding the quotes using a text editor.
+
+
If you want to transfer data between KeePass 1.x databases, you must
+not change the default export options of KeePass.
+Do not export additional fields or uncheck any options, otherwise
+KeePass will not be able to re-import the CSV file, because it does not comply to the
+specification above any more.
+
+
Using LibreOffice Calc to create a CSV file:
+LibreOffice Calc
+can be used to create CSV files that can be imported correctly into KeePass. Follow these steps:
+
+
+
Make sure you got 5 columns as described above.
+
Select everything, right-click and select 'Format Cells'. In the dialog, choose Text
+as category. Click [OK].
+
Go 'File' → 'Save As...', choose a location and the
+'Text CSV' file type, and make sure that the check box
+'Edit Filter Settings' is enabled. Click the 'Save' button.
+
Choose 'Unicode (UTF-8)' as character set. The field separator must be set to a comma.
+The text separator must be ". Make sure that the
+'Quote all text cells' option is checked, and that the 'Fixed column width'
+option is not checked. Click [OK].
+
+
+
+
+
+
+File Format: XML (KeePass 1.x)
+
+
This section describes the KeePass 1.x XML format. Note that this format
+is different from the XML format used by KeePass 2.x (anyway, KeePass 2.x
+can import KeePass 1.x XML files).
+
+
You can download a detailed XML sample file here:
+
+FileSample_XML.zip.
+This file is zipped only in order to ensure correct encoding (if not zipped, browsers or
+download managers could automatically convert the file to a different encoding). When importing
+a XML file, it of course must not be zipped!
+
+
Important notes about the format:
+
+
+
The files must be encoded using UTF-8 (Unicode). Other encodings are not supported.
+
The following five entities must be encoded: < > & " '. They are encoded
+by < > & " '.
+
The UUID is a hex-encoded 16-byte string (i.e. an 32 ANSI hex
+character string in the XML file). It
+is unique (also across multiple databases) and can be used to identify entries.
+
Dates/times are encoded in the standard date/time XML format (YYYY-MM-DDTHH:mm:ss):
+first the date in form YYYY-MM-DD, a 'T' character, and the
+time in form HH:mm:ss.
+
+
+
+
+
+
+Generic CSV Importer
+
+
KeePass 2.x features a generic CSV importer.
+This tool can import almost all CSV formats. The CSV
+files are loaded and you can manually specify the encoding / character set, assign columns
+to data fields, and specify how the low-level structure looks like (usage of quotes, etc.).
+
+
To start the generic CSV file importer, click 'File' → 'Import' and
+choose 'Generic CSV Importer'.
+
+
+
+
+
+
Details about the generic CSV importer (with descriptions of the
+options, examples, etc.) can be found on the
+Generic CSV Importer help page.
+
+
+
+
+
+How to Import CodeWallet TXT
+
+
CodeWallet is a password manager that supports different card types (fields).
+KeePass cannot know which of the CodeWallet fields correspond to the KeePass
+standard fields (title, user name, ...), because they don't have fixed names (language-dependent,
+user-customizable, ...).
+Therefore all fields from the CodeWallet file are imported into custom string fields
+of KeePass entries. After importing the file, you can move some of the strings
+to the correct standard fields (by clicking the 'Move' button on the second tab page
+of the entries dialog.
+
+
+
+
+
+
+
+How to Import PINs TXT
+
+
In order to successfully import a PINs TXT file, you need to do the following:
+
+
+
Switch PINs language to 'English'.
+
In PINs export dialog: Enable all fields.
+
In PINs export dialog: Set separator to 'tab'.
+
In PINs export dialog: Enable 'Quote texts'.
+
+
+
After exporting a TXT file using the settings above, import it using
+'File → Import' in KeePass 2.x.
+
+
+
+
+
+How to Import Data from RoboForm
+
+
+
+
Export your logins to a HTML file. To do this, open
+RoboForm's Passcard Editor ('Edit Passcards' or 'RoboForm Editor'
+in the Windows start menu)
+and in the editor's main menu go 'Passcard' → 'Print List'
+(in newer versions you have to click the 'RoboForm' button and go
+'Print List' → 'Logins'). In the
+dialog that opens, click the 'Save' button. Choose a location and file name,
+and click 'Save'.
+
+
Open your KeePass 2.x database file and go 'File' → 'Import'.
+Choose 'RoboForm HTML' as format and select the HTML file you just exported,
+then click 'OK'.
+
+
+
+
+
+
+How to Import Data from Steganos Password Manager 2007
+
+
Warning! It is possible that the transfer fails and that KeePass accidently
+overwrites your existing passwords in Steganos Password Manager. Therefore, back up your
+SEF file before starting the import! In any case you should restore your passwords by
+restoring the backup you just created after the import process! Even if you think
+KeePass hasn't changed anything, restore from the backup!
+
+
Unfortunately Steganos Password Manager (SPM) lacks any form of export functionality. As the
+SEF file format (in which the data is stored) is proprietary and no specification
+is available, KeePass needs to try to get all the data out of the windows of
+SPM.
+
+
The import process works as follows. First you start SPM and open your password
+database. The main password management window should be open (i.e. the one which lists
+your items in the middle of the screen, and got toolbar-like buttons at the top). Make
+sure that all your items are displayed in the list (select the correct filter in
+the combobox above the item list).
+
+
Now switch to KeePass 2.x and open your KeePass database. Go File → Import and
+choose Steganos Password Manager 2007. Click [OK]. Now read the rest before continuing.
+
+
After pressing the [Yes] button in the KeePass import confirmation dialog, you got
+10 seconds to switch to the SPM window. Select the very first entry within the SPM window
+(but do not open it, just select it). This is important! The first entry must have the
+keyboard focus and must be selected.
+
+
When the 10 seconds are over, KeePass will start importing. You will see how
+KeePass opens the SPM items, copies the data, closes the item's window, select the
+next item, etc. Everything goes automatic now and you can just sit back and watch.
+Sometimes Windows playes a ding sound, this is normal.
+
+
Note that it can take quite some time to import your items. Do not do
+anything while KeePass is importing! One single mouse click or keypress can ruin the
+complete import process.
+
+
The last item will be scanned twice. When completed, KeePass will
+show a message "The import process has finished!".
+
+
It is possible that KeePass failed to import some items (mainly caused by SPM's
+unpredictable slow response times). It is highly recommended that you compare each of
+the entries.
In KeePass 2.x, there is an option 'Additionally export parent groups'
+in the export dialog.
+If this option is turned on, the parent groups of the selected groups/entries
+are exported, too (all up to the root group of the database).
+Unselected groups/entries in parent groups are not exported.
+
+
If the selected file format does not support groups, the option
+has no effect.
+When exporting the whole database (via 'File' → 'Export') or the
+root group, the option is disabled, because the root group has no parent
+group.
+
+
Properties of the parent groups (icons, notes, auto-type settings, etc.)
+are exported, if the selected file format supports them.
+When importing a file, the properties of the groups in the current database
+may be overwritten by the properties of the groups in the file
+(depending on the import mode and the last modification times).
+
+
Example.
+Assume that the user selects the entry 'Entry B' that is stored in
+the groups 'Group 1' → 'Group 1.2' of a database.
+
+
+
+
+
Root Group
+
+
Group 1
+
+
Group 1.1
+
+
Group 1.2
+
+
Group 2
+
+
+
+
Title
User Name
Password
URL
Notes
+
+
Entry A
Michael42
********
https://example.net/
None.
+
+
Entry B
+
Michael42
+
********
+
https://example.com/
+
None.
+
+
Entry C
Michael42
********
https://example.org/
None.
+
+
+
+
Exporting the selected entry (via 'Entry' → 'Data Exchange' →
+'Export Entry') to a KDBX database file without turning on the option results in:
+
+
+
+
+
Root Group
+
+
+
+
Title
User Name
Password
URL
Notes
+
+
Entry B
Michael42
********
https://example.com/
None.
+
+
+
+
In contrast, exporting the selected entry to a KDBX database file with
+the option turned on results in:
Today, you have to remember many passwords. You need a password for a lot of
+websites, your e-mail account, your webserver, network logins, etc.
+The list is endless.
+Also, you should use a different password for each account, because
+if you would use only one password everywhere and someone gets this password,
+you would have a problem: the thief would have access to all of your
+accounts.
+
+
KeePass is a free open source password manager, which helps you to manage
+your passwords in a secure way. You can store all your passwords in one
+database, which is locked with a
+master key. So you only have to remember one
+single master key to unlock the whole database. Database files are
+encrypted
+using the best and most secure encryption algorithms currently known
+(AES-256, ChaCha20 and Twofish).
+
+
The database consists of only one file, so it can be transferred
+easily from one computer to another.
+Data can also be imported/exported
+from/to various other formats
+(import from more than 40 different formats of other password managers,
+
+generic CSV importer,
+
+...). Of course, printing entries is supported, too.
+
+
KeePass supports groups, which allow you to organize your entries
+conveniently. For quickly locating specific entries, there are search
+functions.
+
+
There are various methods for transferring entry data (like user names
+and passwords) from KeePass to other applications
+(clipboard,
+drag&drop, etc.). The powerful
+auto-type feature can simulate keypresses.
+
+
KeePass has a strong password generator
+(you can define allowed characters, length, generation rules, ...).
+
+
The program features a plugin architecture. Plugins can add features
+in many areas (integration, transfer, backup, network, even more
+import/export formats, and much more).
+
+
As KeePass is open source,
+you can have a look at its full source code and check whether the security
+features are implemented correctly.
+
+
This documentation applies to
+
+
+
+KeePass 2.x.
+
+
To quickly switch back from an application to KeePass, you can use the
+global hot key that restores the KeePass main window.
+
+
If you have multiple instances of KeePass running, pressing the global hot
+key will restore the first instance that has been started.
+
+
The global hot key is Ctrl+Alt+K.
+
+
+
+
+
+
+The hot key can freely be changed to a different key combination
+(or disabled) in the 'Options' dialog, tab page 'Integration'.
+
+
+
+
+
+
+Limit to Single Instance Option
+
+
If you enable the 'Limit to Single Instance' option, at most one KeePass instance can
+be running at a time. If you try to start a second KeePass instance, it is
+immediately terminated, and the first instance is brought to
+the foreground.
+
+
+
+
+
+
+KeePass 2.x can open multiple databases in one instance/window (a tab bar appears,
+which allows you to conveniently switch between the databases).
+
+When multiple databases are opened in one instance and you press the
+global auto-type hot key, auto-type searches in all opened databases for
+matching entries. Note that only exactly one KeePass instance can register
+the global hot key; so when you disable the single instance option and
+open databases in different instances, only the first instance searches
+for matching entries when global auto-type is invoked, not the others.
+
+
+
+
diff --git a/src/Docs/Chm/help/base/keys.html b/src/Docs/Chm/help/base/keys.html
new file mode 100644
index 0000000..af79f3e
--- /dev/null
+++ b/src/Docs/Chm/help/base/keys.html
@@ -0,0 +1,355 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Master Key - KeePass
+
+
+
+
+
+
+
+
+
+
+
+
+
+
Your KeePass database file is encrypted using a master key.
+This master key can consist of multiple components:
+a master password, a key file and/or a key that is protected
+using the current Windows user account.
+
+
For opening a database file, all components of the
+master key are required.
+
+
If you forget/lose any of the master key components (or forget the
+composition), all data stored in the database is lost.
+There is no backdoor and no universal key that can open your database.
+
+
+
+
+
+Master Password
+
+
If you use a master password, you only have to remember one password or
+passphrase (which should be good!) to open your database.
+
+
KeePass features a protection against brute-force and dictionary attacks;
+see the security help page
+for details.
+
+
+
+
+
+Key File
+
+
A key file is a file that contains a key (and possibly additional data,
+e.g. a hash that allows to verify the integrity of the key).
+The file extension typically is 'keyx' or 'key'.
+
+
A key file must not be modified, otherwise you cannot open your database
+anymore. If you want to use a different key file, open the dialog for
+changing the master key (via 'File' → 'Change Master Key')
+and create/select the new key file.
+
+
Two-factor protection.
+A key file is something that you must have in order to be able
+to open the database
+(in contrast to a master password, which you must know).
+If you use both a key file and a master password, you have a two-factor
+protection: possession and knowledge.
+
+
Location.
+As mentioned above, the idea of a key file is that you have
+something. If an attacker obtains both your database file and your
+key file, then the key file provides no protection.
+Therefore, the two files must be stored in different locations.
+For example, you could store the key file on a separate USB stick.
+
+
Hiding the location.
+The key file content must be kept secret, not its location
+(file path/name).
+Trying to hide the key file (e.g. by storing it among
+a thousand other files, in the hope that an attacker does not know which
+file is the correct one) typically does not increase the security, because
+it is easy to find out the correct file (e.g. by inspecting the last access
+times of files, lists of recently used files of the operating system,
+file system auditing logs, anti-virus software logs, etc.).
+KeePass has an option for remembering the paths of key files,
+which is turned on by default; turning it off typically just decreases
+the usability without increasing the security.
+
+
Backup.
+You should create a backup of your key file (onto an independent data
+storage device).
+If your key file is an XML file (which is the default), you can also create
+a backup on paper (KeePass 2.x provides a command for printing a key file
+backup in the menu 'File' → 'Print').
+In any case, the backup should be stored in a secure location, where only
+you and possibly a few other people that you trust have access to.
+More details about backing up a key file can be found in the
+ABP FAQ.
+
+
Formats.
+KeePass supports the following key file formats:
+
+
XML (recommended, default).
+There is an XML format for key files.
+KeePass 2.x uses this format by default, i.e. when creating a key file
+in the master key dialog, an XML key file is created.
+The syntax and the semantics of the XML format allow to detect certain
+corruptions (especially such caused by faulty hardware or transfer problems),
+and a hash (in XML key files version 2.0 or higher) allows to
+verify the integrity of the key.
+This format is resistant to most encoding and new-line character changes
+(which is useful for instance when the user is opening and saving the
+key file or when transferring it from/to a server).
+Such a key file can be printed (as a backup on paper),
+and comments can be added in the file (with the usual XML syntax:
+<!-- ... -->).
+It is the most flexible format; new features can be added easily
+in the future.
+
+
32 bytes.
+If the key file contains exactly 32 bytes, these are used as
+a 256-bit cryptographic key.
+This format requires the least disk space.
+
+
Hexadecimal.
+If the key file contains exactly 64 hexadecimal characters
+(0-9 and A-F, in UTF-8/ASCII encoding, one line, no spaces),
+these are decoded to a 256-bit cryptographic key.
+
+
Hashed.
+If a key file does not match any of the formats above,
+its content is hashed using a cryptographic hash function
+in order to build a key (typically a 256-bit key with SHA-256).
+This allows to use arbitrary files as key files.
+
+
+
Reuse.
+You can use one key file for multiple database files.
+This can be convenient, but please keep in mind that when an
+attacker obtains your key file, you have to change the master keys
+of all database files protected with this key file.
+
+
+
+
+
+
+In order to reuse an existing key file, click on the 'Browse' button
+in the master key creation dialog.
+
+
+
+
+
+
+Windows User Account
+
+
+
+
+
+
+
+
+KeePass can make the database dependent on the current Windows user
+account. If you enable this option, you can only open the database when
+you are logged in as the same Windows user when creating the database.
+
+
+Be very careful with using this option. If your Windows user account
+gets deleted, you won't be able to open your KeePass database anymore.
+Also, when using this option at home and your computer breaks (hard disk
+damaged), it is not
+enough to just create a new Windows account on the new installation with the
+same name and password;
+you need to copy the complete account (i.e. SID, ...). This is not
+a simple task, so if you don't know how to do this, it is highly recommended
+that you don't enable this option.
+Detailed instructions how to recover a Windows user account can be found here:
+Recover Windows User Account Credentials
+(a short technical tutorial can be found in a Microsoft TechNet article:
+
+How to recover a Vault corrupted by lost DPAPI keys).
+
+You can change the password of the Windows user account freely;
+this does not affect the KeePass database.
+Note that changing the password (e.g. a user using the Control Panel
+or pressing Ctrl+Alt+Del
+and selecting 'Change Password') and
+resetting it to a new one (e.g. an administrator using a
+NET USER <User><NewPassword>
+command) are two different things.
+After changing your password, you can still open your KeePass database.
+When resetting the password to a new one, access usually is not possible
+anymore (because the user's DPAPI keys are lost), but there are exceptions
+(for example when the user is in a domain, Windows can retrieve the user's DPAPI keys
+from a domain controller, or a home user can use a previously created
+Password Reset Disk).
+Details can be found in the MSDN article
+
+Windows Data Protection and in the support article
+
+
+How to troubleshoot the Data Protection API (DPAPI).
+
+If you decide to use this option, it is highly recommended not to rely
+on it exclusively, but to additionally use one of the other two options (password
+or key file).
+
+Protection using user accounts is unsupported on Windows 98 / ME.
+
+
+
+
+
+
+For Administrators: Specifying Minimum Properties of Master Keys
+
+
Administrators can specify a minimum length
+and/or the minimum estimated quality that master passwords must have in
+order to be accepted. You can tell KeePass
+to check these two minimum requirements by adding/editing
+appropriate definitions in the
+INI/XML configuration file.
+
+
+
+
+
+
+The value of the
+Security/MasterPassword/MinimumLength node specifies
+the minimum master password length (in characters). For example, by setting
+it to 10, KeePass will only accept
+master passwords that consist of at least 10 characters.
+
+The value of the
+Security/MasterPassword/MinimumQuality node specifies
+the minimum estimated quality (in bits) that master passwords must have.
+For example, by setting it to 80, only master passwords
+with an estimated quality of at least 80 bits will be accepted.
+
+The Security/MasterKeyExpiryRec node can be set to an
+XSD date or an XSD duration (see
+XSD Date and Time Data Types).
+If the master key has not been changed since the specified date or
+if the time span between now and the last master key change exceeds
+the specified duration, KeePass recommends to change it.
+This setting applies to all databases that are opened with this
+KeePass instance; a master key expiry can also be configured for
+each database individually (in 'File' → 'Database Settings' →
+tab 'Advanced').
+
+By specifying KeyCreationFlags and/or KeyPromptFlags
+(in the UI node), you can force states (enabled, disabled,
+checked, unchecked) of key source controls in the master key creation and
+prompt dialogs. These values can be bitwise combinations of one or more of
+the following flags:
+
+
+
Flag (Hex)
Flag (Dec)
+
Description
+
0x0
0
+
Don't force any states (default).
+
0x1
1
+
Enable password.
+
0x2
2
+
Enable key file.
+
0x4
4
+
Enable user account.
+
0x8
8
+
Enable 'hide password' button.
+
0x100
256
+
Disable password.
+
0x200
512
+
Disable key file.
+
0x400
1024
+
Disable user account.
+
0x800
2048
+
Disable 'hide password' button.
+
0x10000
65536
+
Check password.
+
0x20000
131072
+
Check key file.
+
0x40000
262144
+
Check user account.
+
0x80000
524288
+
Check 'hide password' option/button.
+
0x1000000
16777216
+
Uncheck password.
+
0x2000000
33554432
+
Uncheck key file.
+
0x4000000
67108864
+
Uncheck user account.
+
0x8000000
134217728
+
Uncheck 'hide password' option/button.
+
+
+
+The values of KeyCreationFlags and KeyPromptFlags
+must be specified in decimal notation.
+
+For example, if you want to enforce using the user account option, you could
+check and disable the control (such that the user can't uncheck it anymore)
+by specifying 263168 as value (0x40000 + 0x400 = 0x40400 = 263168).
+
+
+
+
diff --git a/src/Docs/Chm/help/base/license_lgpl.html b/src/Docs/Chm/help/base/license_lgpl.html
new file mode 100644
index 0000000..6a14c2d
--- /dev/null
+++ b/src/Docs/Chm/help/base/license_lgpl.html
@@ -0,0 +1,551 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ LGPL License - KeePass
+
+
+
+
+
+
+
+
+
+
+
+
+
LGPL License
+
GNU Lesser General Public License.
+
+
+
+
+
+ GNU LESSER GENERAL PUBLIC LICENSE
+ Version 2.1, February 1999
+
+ Copyright (C) 1991, 1999 Free Software Foundation, Inc.
+ 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+[This is the first released version of the Lesser GPL. It also counts
+ as the successor of the GNU Library Public License, version 2, hence
+ the version number 2.1.]
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+Licenses are intended to guarantee your freedom to share and change
+free software--to make sure the software is free for all its users.
+
+ This license, the Lesser General Public License, applies to some
+specially designated software packages--typically libraries--of the
+Free Software Foundation and other authors who decide to use it. You
+can use it too, but we suggest you first think carefully about whether
+this license or the ordinary General Public License is the better
+strategy to use in any particular case, based on the explanations below.
+
+ When we speak of free software, we are referring to freedom of use,
+not price. Our General Public Licenses are designed to make sure that
+you have the freedom to distribute copies of free software (and charge
+for this service if you wish); that you receive source code or can get
+it if you want it; that you can change the software and use pieces of
+it in new free programs; and that you are informed that you can do
+these things.
+
+ To protect your rights, we need to make restrictions that forbid
+distributors to deny you these rights or to ask you to surrender these
+rights. These restrictions translate to certain responsibilities for
+you if you distribute copies of the library or if you modify it.
+
+ For example, if you distribute copies of the library, whether gratis
+or for a fee, you must give the recipients all the rights that we gave
+you. You must make sure that they, too, receive or can get the source
+code. If you link other code with the library, you must provide
+complete object files to the recipients, so that they can relink them
+with the library after making changes to the library and recompiling
+it. And you must show them these terms so they know their rights.
+
+ We protect your rights with a two-step method: (1) we copyright the
+library, and (2) we offer you this license, which gives you legal
+permission to copy, distribute and/or modify the library.
+
+ To protect each distributor, we want to make it very clear that
+there is no warranty for the free library. Also, if the library is
+modified by someone else and passed on, the recipients should know
+that what they have is not the original version, so that the original
+author's reputation will not be affected by problems that might be
+introduced by others.
+
+ Finally, software patents pose a constant threat to the existence of
+any free program. We wish to make sure that a company cannot
+effectively restrict the users of a free program by obtaining a
+restrictive license from a patent holder. Therefore, we insist that
+any patent license obtained for a version of the library must be
+consistent with the full freedom of use specified in this license.
+
+ Most GNU software, including some libraries, is covered by the
+ordinary GNU General Public License. This license, the GNU Lesser
+General Public License, applies to certain designated libraries, and
+is quite different from the ordinary General Public License. We use
+this license for certain libraries in order to permit linking those
+libraries into non-free programs.
+
+ When a program is linked with a library, whether statically or using
+a shared library, the combination of the two is legally speaking a
+combined work, a derivative of the original library. The ordinary
+General Public License therefore permits such linking only if the
+entire combination fits its criteria of freedom. The Lesser General
+Public License permits more lax criteria for linking other code with
+the library.
+
+ We call this license the "Lesser" General Public License because it
+does Less to protect the user's freedom than the ordinary General
+Public License. It also provides other free software developers Less
+of an advantage over competing non-free programs. These disadvantages
+are the reason we use the ordinary General Public License for many
+libraries. However, the Lesser license provides advantages in certain
+special circumstances.
+
+ For example, on rare occasions, there may be a special need to
+encourage the widest possible use of a certain library, so that it becomes
+a de-facto standard. To achieve this, non-free programs must be
+allowed to use the library. A more frequent case is that a free
+library does the same job as widely used non-free libraries. In this
+case, there is little to gain by limiting the free library to free
+software only, so we use the Lesser General Public License.
+
+ In other cases, permission to use a particular library in non-free
+programs enables a greater number of people to use a large body of
+free software. For example, permission to use the GNU C Library in
+non-free programs enables many more people to use the whole GNU
+operating system, as well as its variant, the GNU/Linux operating
+system.
+
+ Although the Lesser General Public License is Less protective of the
+users' freedom, it does ensure that the user of a program that is
+linked with the Library has the freedom and the wherewithal to run
+that program using a modified version of the Library.
+
+ The precise terms and conditions for copying, distribution and
+modification follow. Pay close attention to the difference between a
+"work based on the library" and a "work that uses the library". The
+former contains code derived from the library, whereas the latter must
+be combined with the library in order to run.
+
+ GNU LESSER GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License Agreement applies to any software library or other
+program which contains a notice placed by the copyright holder or
+other authorized party saying it may be distributed under the terms of
+this Lesser General Public License (also called "this License").
+Each licensee is addressed as "you".
+
+ A "library" means a collection of software functions and/or data
+prepared so as to be conveniently linked with application programs
+(which use some of those functions and data) to form executables.
+
+ The "Library", below, refers to any such software library or work
+which has been distributed under these terms. A "work based on the
+Library" means either the Library or any derivative work under
+copyright law: that is to say, a work containing the Library or a
+portion of it, either verbatim or with modifications and/or translated
+straightforwardly into another language. (Hereinafter, translation is
+included without limitation in the term "modification".)
+
+ "Source code" for a work means the preferred form of the work for
+making modifications to it. For a library, complete source code means
+all the source code for all modules it contains, plus any associated
+interface definition files, plus the scripts used to control compilation
+and installation of the library.
+
+ Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running a program using the Library is not restricted, and output from
+such a program is covered only if its contents constitute a work based
+on the Library (independent of the use of the Library in a tool for
+writing it). Whether that is true depends on what the Library does
+and what the program that uses the Library does.
+
+ 1. You may copy and distribute verbatim copies of the Library's
+complete source code as you receive it, in any medium, provided that
+you conspicuously and appropriately publish on each copy an
+appropriate copyright notice and disclaimer of warranty; keep intact
+all the notices that refer to this License and to the absence of any
+warranty; and distribute a copy of this License along with the
+Library.
+
+ You may charge a fee for the physical act of transferring a copy,
+and you may at your option offer warranty protection in exchange for a
+fee.
+
+ 2. You may modify your copy or copies of the Library or any portion
+of it, thus forming a work based on the Library, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) The modified work must itself be a software library.
+
+ b) You must cause the files modified to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ c) You must cause the whole of the work to be licensed at no
+ charge to all third parties under the terms of this License.
+
+ d) If a facility in the modified Library refers to a function or a
+ table of data to be supplied by an application program that uses
+ the facility, other than as an argument passed when the facility
+ is invoked, then you must make a good faith effort to ensure that,
+ in the event an application does not supply such function or
+ table, the facility still operates, and performs whatever part of
+ its purpose remains meaningful.
+
+ (For example, a function in a library to compute square roots has
+ a purpose that is entirely well-defined independent of the
+ application. Therefore, Subsection 2d requires that any
+ application-supplied function or table used by this function must
+ be optional: if the application does not supply it, the square
+ root function must still compute square roots.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Library,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Library, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote
+it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Library.
+
+In addition, mere aggregation of another work not based on the Library
+with the Library (or with a work based on the Library) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may opt to apply the terms of the ordinary GNU General Public
+License instead of this License to a given copy of the Library. To do
+this, you must alter all the notices that refer to this License, so
+that they refer to the ordinary GNU General Public License, version 2,
+instead of to this License. (If a newer version than version 2 of the
+ordinary GNU General Public License has appeared, then you can specify
+that version instead if you wish.) Do not make any other change in
+these notices.
+
+ Once this change is made in a given copy, it is irreversible for
+that copy, so the ordinary GNU General Public License applies to all
+subsequent copies and derivative works made from that copy.
+
+ This option is useful when you wish to copy part of the code of
+the Library into a program that is not a library.
+
+ 4. You may copy and distribute the Library (or a portion or
+derivative of it, under Section 2) in object code or executable form
+under the terms of Sections 1 and 2 above provided that you accompany
+it with the complete corresponding machine-readable source code, which
+must be distributed under the terms of Sections 1 and 2 above on a
+medium customarily used for software interchange.
+
+ If distribution of object code is made by offering access to copy
+from a designated place, then offering equivalent access to copy the
+source code from the same place satisfies the requirement to
+distribute the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 5. A program that contains no derivative of any portion of the
+Library, but is designed to work with the Library by being compiled or
+linked with it, is called a "work that uses the Library". Such a
+work, in isolation, is not a derivative work of the Library, and
+therefore falls outside the scope of this License.
+
+ However, linking a "work that uses the Library" with the Library
+creates an executable that is a derivative of the Library (because it
+contains portions of the Library), rather than a "work that uses the
+library". The executable is therefore covered by this License.
+Section 6 states terms for distribution of such executables.
+
+ When a "work that uses the Library" uses material from a header file
+that is part of the Library, the object code for the work may be a
+derivative work of the Library even though the source code is not.
+Whether this is true is especially significant if the work can be
+linked without the Library, or if the work is itself a library. The
+threshold for this to be true is not precisely defined by law.
+
+ If such an object file uses only numerical parameters, data
+structure layouts and accessors, and small macros and small inline
+functions (ten lines or less in length), then the use of the object
+file is unrestricted, regardless of whether it is legally a derivative
+work. (Executables containing this object code plus portions of the
+Library will still fall under Section 6.)
+
+ Otherwise, if the work is a derivative of the Library, you may
+distribute the object code for the work under the terms of Section 6.
+Any executables containing that work also fall under Section 6,
+whether or not they are linked directly with the Library itself.
+
+ 6. As an exception to the Sections above, you may also combine or
+link a "work that uses the Library" with the Library to produce a
+work containing portions of the Library, and distribute that work
+under terms of your choice, provided that the terms permit
+modification of the work for the customer's own use and reverse
+engineering for debugging such modifications.
+
+ You must give prominent notice with each copy of the work that the
+Library is used in it and that the Library and its use are covered by
+this License. You must supply a copy of this License. If the work
+during execution displays copyright notices, you must include the
+copyright notice for the Library among them, as well as a reference
+directing the user to the copy of this License. Also, you must do one
+of these things:
+
+ a) Accompany the work with the complete corresponding
+ machine-readable source code for the Library including whatever
+ changes were used in the work (which must be distributed under
+ Sections 1 and 2 above); and, if the work is an executable linked
+ with the Library, with the complete machine-readable "work that
+ uses the Library", as object code and/or source code, so that the
+ user can modify the Library and then relink to produce a modified
+ executable containing the modified Library. (It is understood
+ that the user who changes the contents of definitions files in the
+ Library will not necessarily be able to recompile the application
+ to use the modified definitions.)
+
+ b) Use a suitable shared library mechanism for linking with the
+ Library. A suitable mechanism is one that (1) uses at run time a
+ copy of the library already present on the user's computer system,
+ rather than copying library functions into the executable, and (2)
+ will operate properly with a modified version of the library, if
+ the user installs one, as long as the modified version is
+ interface-compatible with the version that the work was made with.
+
+ c) Accompany the work with a written offer, valid for at
+ least three years, to give the same user the materials
+ specified in Subsection 6a, above, for a charge no more
+ than the cost of performing this distribution.
+
+ d) If distribution of the work is made by offering access to copy
+ from a designated place, offer equivalent access to copy the above
+ specified materials from the same place.
+
+ e) Verify that the user has already received a copy of these
+ materials or that you have already sent this user a copy.
+
+ For an executable, the required form of the "work that uses the
+Library" must include any data and utility programs needed for
+reproducing the executable from it. However, as a special exception,
+the materials to be distributed need not include anything that is
+normally distributed (in either source or binary form) with the major
+components (compiler, kernel, and so on) of the operating system on
+which the executable runs, unless that component itself accompanies
+the executable.
+
+ It may happen that this requirement contradicts the license
+restrictions of other proprietary libraries that do not normally
+accompany the operating system. Such a contradiction means you cannot
+use both them and the Library together in an executable that you
+distribute.
+
+ 7. You may place library facilities that are a work based on the
+Library side-by-side in a single library together with other library
+facilities not covered by this License, and distribute such a combined
+library, provided that the separate distribution of the work based on
+the Library and of the other library facilities is otherwise
+permitted, and provided that you do these two things:
+
+ a) Accompany the combined library with a copy of the same work
+ based on the Library, uncombined with any other library
+ facilities. This must be distributed under the terms of the
+ Sections above.
+
+ b) Give prominent notice with the combined library of the fact
+ that part of it is a work based on the Library, and explaining
+ where to find the accompanying uncombined form of the same work.
+
+ 8. You may not copy, modify, sublicense, link with, or distribute
+the Library except as expressly provided under this License. Any
+attempt otherwise to copy, modify, sublicense, link with, or
+distribute the Library is void, and will automatically terminate your
+rights under this License. However, parties who have received copies,
+or rights, from you under this License will not have their licenses
+terminated so long as such parties remain in full compliance.
+
+ 9. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Library or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Library (or any work based on the
+Library), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Library or works based on it.
+
+ 10. Each time you redistribute the Library (or any work based on the
+Library), the recipient automatically receives a license from the
+original licensor to copy, distribute, link with or modify the Library
+subject to these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties with
+this License.
+
+ 11. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Library at all. For example, if a patent
+license would not permit royalty-free redistribution of the Library by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Library.
+
+If any portion of this section is held invalid or unenforceable under any
+particular circumstance, the balance of the section is intended to apply,
+and the section as a whole is intended to apply in other circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 12. If the distribution and/or use of the Library is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Library under this License may add
+an explicit geographical distribution limitation excluding those countries,
+so that distribution is permitted only in or among countries not thus
+excluded. In such case, this License incorporates the limitation as if
+written in the body of this License.
+
+ 13. The Free Software Foundation may publish revised and/or new
+versions of the Lesser General Public License from time to time.
+Such new versions will be similar in spirit to the present version,
+but may differ in detail to address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Library
+specifies a version number of this License which applies to it and
+"any later version", you have the option of following the terms and
+conditions either of that version or of any later version published by
+the Free Software Foundation. If the Library does not specify a
+license version number, you may choose any version ever published by
+the Free Software Foundation.
+
+ 14. If you wish to incorporate parts of the Library into other free
+programs whose distribution conditions are incompatible with these,
+write to the author to ask for permission. For software which is
+copyrighted by the Free Software Foundation, write to the Free
+Software Foundation; we sometimes make exceptions for this. Our
+decision will be guided by the two goals of preserving the free status
+of all derivatives of our free software and of promoting the sharing
+and reuse of software generally.
+
+ NO WARRANTY
+
+ 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
+WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
+EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
+OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY
+KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
+LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME
+THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+ 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
+WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
+AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU
+FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
+CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
+LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
+RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
+FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
+SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Libraries
+
+ If you develop a new library, and you want it to be of the greatest
+possible use to the public, we recommend making it free software that
+everyone can redistribute and change. You can do so by permitting
+redistribution under these terms (or, alternatively, under the terms of the
+ordinary General Public License).
+
+ To apply these terms, attach the following notices to the library. It is
+safest to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least the
+"copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the library's name and a brief idea of what it does.>
+ Copyright (C) <year> <name of author>
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with this library; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+Also add information on how to contact you by electronic and paper mail.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the library, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the
+ library `Frob' (a library for tweaking knobs) written by James Random Hacker.
+
+ <signature of Ty Coon>, 1 April 1990
+ Ty Coon, President of Vice
+
+That's all there is to it!
+
Both KeePass 1.x and 2.x allow multiple users working with one database,
+which is typically stored on a shared network drive or a file server.
+
+
All users use the same master password and/or key file to open the
+database. There are no per-group or per-entry access control lists (ACLs).
+
+
In order to restrict write access to the database file (i.e. only a select
+set of users may change the stored data), use file system access rights.
+
+
+
+
+
+KeePass 1.x: Office-Style Locking
+
+
+
+
+
+With KeePass 1.x, a database can be stored on a shared network drive and used by multiple
+users. When a user tries to open a database that is already opened by
+someone else, a prompt asks whether to open the database in read-only
+or normal mode (see image on the right).
+
+By opening a database in normal mode, the current user takes ownership
+of the file (i.e. subsequent opening attempts will show the current user
+as owner).
+
+KeePass 1.x does not provide synchronization, i.e. by saving the database you
+are saving your current data to disk. If another user has changed an entry
+in the meanwhile (i.e. since you loaded the database), these changes are overwritten.
+
+
+
+
+
+
If you want to use KeePass 1.x with a database on a shared network drive, it
+is recommended to let an administrator write to the database and let
+users only read it (ensure this using file system access rights).
+By using the -readonly command line switch,
+KeePass will automatically open
+a given database in read-only mode (i.e. not show the mode prompt). Users
+would open the database using a shortcut that contains this command line
+switch.
+
+
If there is no central administrator managing the database, users need to
+be careful to not overwrite each others changes.
+
+
+
+
+
+KeePass 2.x: Synchronize or Overwrite
+
+
+
+
+
+With KeePass 2.x, a database can be stored on a shared network drive and used by multiple
+users. When attempting to save, KeePass first checks whether the file on disk has been
+modified since it was loaded. If yes, KeePass asks whether to synchronize or
+overwrite the file (see image on the right).
+
+By synchronizing, changes made by other users (file on disk)
+and changes made by the current user are merged.
+After the synchronization process has finished,
+the current user also sees the changes made by others (i.e. the data in the
+current KeePass instance is up-to-date).
+
+If there is a conflict (multiple users edited the same
+entry), KeePass uses the latest version of the entry based on the last
+modification time.
+
+
+
+
+
+
Note: the synchronize prompt is only triggered by the 'Save' command,
+not by the 'Save As' command. When executing the 'Save As' command and
+manually selecting a file, this file will always be overwritten.
KeePass uses the abbreviation "Spr" for "String placeholder replacement".
+An Spr-compiled field is a field where placeholders are replaced
+when performing an action with this field (like copying it to the
+clipboard, sending it using auto-type, etc.).
+
+
References in a field to (parts of) the field itself are
+unsupported. For example, the {URL:HOST} placeholder
+cannot be used in the URL field (but it can be used in the
+'Override URL' field).
+
+
+
+
+
+Entry Field Placeholders
+
+
+
+
+
+
Placeholder
Field
+
{TITLE}
Title
+
{USERNAME}
User name
+
{URL}
URL
+
{PASSWORD}
Password
+
{NOTES}
Notes
+
+
+
+
+
+Custom strings can be referenced using {S:Name}.
+For example, if you have a custom string named "eMail",
+you can use the placeholder {S:eMail}.
+
+
+
+
+
+
+
+
+
+
Placeholder
Is Replaced By
+
{URL:RMVSCM}
Entry URL without scheme name.
+
{URL:SCM}
Scheme name of the entry URL.
+
{URL:HOST}
Host component of the entry URL.
+
{URL:PORT}
Port number of the entry URL.
+
{URL:PATH}
Path component of the entry URL.
+
{URL:QUERY}
Query information of the entry URL.
+
{URL:USERINFO}
User information of the entry URL.
+
{URL:USERNAME}
User name of the entry URL.
+
{URL:PASSWORD}
Password of the entry URL.
+
{UUID}
UUID of the entry (32 hexadecimal characters).
+
+
+An example for the {URL:...} placeholders can be found below.
+
+
+
+
+
+
+Entry Field References
+
+
Fields of other entries can be inserted using
+Field References.
+
+
+
+
+
+Paths and Date/Time Placeholders
+
+
+
+
+
+
Placeholder
Is Replaced By
+
{EDGE}
Path to Microsoft Edge, if installed.
+
{FIREFOX}
Path to Mozilla Firefox, if installed.
+
{GOOGLECHROME}
Path to Google Chrome (or Chromium
+on Unix-like systems), if installed.
+
{INTERNETEXPLORER}
Path to Internet Explorer, if installed.
+
{OPERA}
Path to Opera, if installed.
+
{SAFARI}
Path to Safari, if installed.
+
+
+
+
+
+
+
+
+
Placeholder
Is Replaced By
+
{APPDIR}
KeePass application directory path.
+
+
+
+
+
+
+
+
Placeholder
Is Replaced By
+
{GROUP}
Name of the entry's parent group.
+
{GROUP_PATH}
Full path of the entry's parent group.
+
{GROUP_NOTES}
Notes of the entry's parent group.
+
{GROUP_SEL}
Name of the group that is currently selected in the main window.
+
{GROUP_SEL_PATH}
Full path of the group that is currently selected in the main window.
+
{GROUP_SEL_NOTES}
Notes of the group that is currently selected in the main window.
+
{DB_PATH}
Full path of the current database.
+
{DB_DIR}
Directory of the current database.
+
{DB_NAME}
File name (including extension) of the current database.
+
{DB_BASENAME}
File name (excluding extension) of the current database.
+
{DB_EXT}
File name extension of the current database.
+
{ENV_DIRSEP}
Directory separator ('\' on Windows, '/' on Unix).
+
{ENV_PROGRAMFILES_X86}
This is
+%ProgramFiles(x86)%, if it exists, otherwise %ProgramFiles%.
+
+
+
+
+
+
+
+
Placeholder
Is Replaced By
+
{DT_SIMPLE}
Current local date/time as a simple,
+sortable string. For example, for 2012-07-25 17:05:34 the value is 20120725170534.
+
{DT_YEAR}
Year component of the current local date/time.
+
{DT_MONTH}
Month component of the current local date/time.
+
{DT_DAY}
Day component of the current local date/time.
+
{DT_HOUR}
Hour component of the current local date/time.
+
{DT_MINUTE}
Minute component of the current local date/time.
+
{DT_SECOND}
Second component of the current local date/time.
+
{DT_UTC_SIMPLE}
Current UTC date/time as a simple, sortable string.
+
{DT_UTC_YEAR}
Year component of the current UTC date/time.
+
{DT_UTC_MONTH}
Month component of the current UTC date/time.
+
{DT_UTC_DAY}
Day component of the current UTC date/time.
+
{DT_UTC_HOUR}
Hour component of the current UTC date/time.
+
{DT_UTC_MINUTE}
Minute component of the current UTC date/time.
+
{DT_UTC_SECOND}
Second component of the current UTC date/time.
+
+
+
+
+
+
+Environment Variables
+
+
System environment variables are supported.
+The name of the variable must be enclosed in '%' characters.
+For example %TEMP% is replaced by the user's temporary path.
+
+
+
+
+
+Text Transformations
+
+
+
+
+
+
+
Placeholder
Action
+
{T-REPLACE-RX:/Text/Search/Replace/}
+
Searches the regular expression Search in Text
+and replaces all matches by Replace.
+See below.
+
+
+
+{T-REPLACE-RX:/Text/Search/Replace/} – Replace
+Using Regular Expression:
+This placeholder searches the
+
+regular expressionSearch in Text
+and replaces all matches by Replace.
+
+All parameters are Spr-compiled, i.e. placeholders can be used within them.
+
+The first character after the first ':' specifies the
+separator character. Any character except '}' can be used as separator
+character.
+It must not appear within the parameters.
+For example,
+{T-REPLACE-RX:/A/B/C/} and
+{T-REPLACE-RX:!A!B!C!} are equivalent.
+The last separator character (before the '}') is required.
+
+Usage example.
+Let the user name field contain the e-mail address 'myname@example.com' and
+the URL field '{T-REPLACE-RX:!{USERNAME}!.*@(.*)!https://$1!}'.
+When running the URL field, KeePass opens
+'https://example.com'.
+
+
+
+
+
+
+{T-CONV:/Text/Type/} – Convert:
+This placeholder converts Text to Type.
+
+All parameters are Spr-compiled, i.e. placeholders can be used within them.
+
+Supported types are:
+
+
Upper or U:
+Upper-case.
+
Lower or L:
+Lower-case.
+Example.
+Let the user name of an entry be 'Bob' and
+the URL 'https://example.com/?user={T-CONV:/{USERNAME}/L/}'.
+When running the URL, KeePass opens
+'https://example.com/?user=bob'.
+
Base64:
+The Base64 encoding of the UTF-8 representation of the text.
+
Hex:
+The Hex encoding of the UTF-8 representation of the text.
+
Uri:
+The URI-escaped representation of the text.
+
Uri-Dec:
+The URI-unescaped representation of the text.
+
Raw:
+Spr-compiles Text without encoding the result for the current context.
+Example.
+Let the user name of an entry be '+'.
+The auto-type sequence '{USERNAME}a' results in the text
+'+a', whereas the auto-type sequence
+'{T-CONV:/{USERNAME}/Raw/}a' results in the text
+'A'
+(because this placeholder inserts '+' into the auto-type
+sequence without encoding it, and
+'+a' means to press Shift+A,
+which results in the text 'A').
+
+
+
+
+
+
+
+Other Placeholders
+
+
+
+
+
+
+
Placeholder
Action
+
{PICKCHARS}
+{PICKCHARS:Fld:Opt}
Shows a dialog to pick certain characters from an entry string.
+See below.
+
{PICKFIELD}
Shows a dialog to pick a field
+whose value will be inserted.
+
+
+
+{PICKCHARS} – Picking Characters:
+
+The {PICKCHARS} placeholder shows a dialog, in which you can
+pick characters of an entry string (like the password) at certain positions.
+
+{PICKCHARS} without any parameters lets you pick an arbitrary
+amount of characters from the password of the entry.
+A different entry string can be specified by appending a ':'
+and the name of the field; e.g. {PICKCHARS:UserName}.
+The names of the standard fields are Title, UserName (without a space),
+Password, URL and Notes. A custom entry string can
+be referenced by its name (without an S: prefix).
+
+Additionally, the placeholder supports various (optional!) options. Options are appended
+after the field name, separated by a ':'. If you want to specify
+multiple options, separate them by a comma ','. Options are
+key-value pairs, separated by a '='. The following options
+are supported:
+
+
ID: Specifies an alphanumeric ID for the placeholder (see below).
+
C or Count: Specifies the number of characters to pick from
+the string. When enough characters have been picked,
+the dialog closes automatically (i.e. you don't need to manually click [OK]
+anymore).
+
Hide: If set to False, the picked characters in the dialog
+are shown as plain text by default, i.e. not hidden by asterisks.
+By default, KeePass uses the hiding setting of passwords in the main window.
+
Conv: Specifies how to convert the picked characters.
+When this parameter is omitted, no conversion is performed, i.e. the selected
+characters are auto-typed directly. The option supports the following values:
+
+
D: Convert the picked characters to down arrow keypresses; e.g.
+'2', 'c' and 'C' are converted to 2 down arrow keypresses.
+
+A fixed number of
+down arrow keypresses can be added by specifying them using the Conv-Offset
+option. For example, if you specify Conv=D, Conv-Offset=1,
+then '2', 'c' and 'C' are converted to 3 down arrow keypresses.
+
+By using the Conv-Fmt option, you can specify the layout of comboboxes.
+By default, KeePass assumes a combobox containing values from 0 to 9 or from A to Z.
+If the combobox contains values 0-9A-Z (i.e. first all ten digits, immediately followed
+by all characters from A to Z), specify Conv=D, Conv-Fmt=0A.
+Similarly, if it contains values A-Z0-9, specify Conv=D, Conv-Fmt=A0.
+If digits start with 1 instead of 0 (i.e. the 0 appears after the 9), use
+1A and A1 instead of 0A and A0.
+If the combobox contains values 0-9A-Za-z (i.e. case-sensitive characters),
+specify 0Aa. All combinations of '0', 'A',
+'a' and '?' are supported.
+If 'A' and 'a' are not specified both,
+characters are treated as case-insensitive.
+'?' skips a combobox item.
+
+
+If you want to show the character picking dialog multiple times within one sequence,
+assign different IDs to the placeholders.
+If an ID is specified multiple times (or no ID is specified
+and the placeholders are the same),
+KeePass shows the character picking dialog once and reuses the picked characters
+in all following placeholders with the same ID.
+
+Usage examples:
+
+{USERNAME}{TAB}{PICKCHARS:Password:C=5}{ENTER}
+First a dialog is shown in which the user can pick exactly 5 characters
+from the entry password.
+Afterwards KeePass types the user name into the target window, presses
+Tab, types the 5 picked characters and presses
+Enter.
+
+
+{S:Memorable}{TAB}{PICKCHARS:Password:ID=1, C=1, Conv=D,
+Conv-Offset=1}{TAB}{PICKCHARS:Password:ID=2, C=1, Conv=D,
+Conv-Offset=1}{TAB}{PICKCHARS:Password:ID=3, C=1, Conv=D,
+Conv-Offset=1}{ENTER}
+First the character picking dialog is shown three times and each time the user
+can pick exactly one character from the entry password.
+Afterwards the auto-type process starts:
+KeePass types the contents of a custom entry string named "Memorable"
+into the target window.
+The focus is switched to the next control by pressing Tab,
+and the first previously picked character is converted to
+down arrow keypresses (with one additional keypress; e.g. a '1' is converted
+to two down arrow keypresses).
+This is repeated two more times with the other picked characters,
+and finally Enter is pressed.
+
+Note this is not equivalent to picking three characters at once.
+If you'd use {S:Memorable}{TAB}{PICKCHARS:Password:C=3, Conv=D, Conv-Offset=1},
+all the down arrow keypresses are sent to the same, currently active control.
+
+In some browsers (e.g. Opera), setting the focus to a combobox can
+be slow. If you experience auto-type failures, consider slowing down
+the focus changes, e.g. by adding {DELAY 250} after each {TAB},
+or slowing down the whole sequence, e.g. by prepending {DELAY=150}.
+
+
+
+
+
+
+{NEWPASSWORD} and {NEWPASSWORD:/Profile/}
+– Generating New Passwords:
+The {NEWPASSWORD} placeholder
+generates a new password for the current entry, based on the 'Automatically
+generated passwords for new entries' generator profile.
+
+This placeholder is evaluated only once in an auto-type process, i.e.
+for a typical 'Old Password' - 'New Password' - 'Repeat New Password'
+dialog you can use
+{PASSWORD}{TAB}{NEWPASSWORD}{TAB}{NEWPASSWORD}{ENTER}
+as auto-type sequence.
+
+In order to use a different password generator profile, use
+{NEWPASSWORD:/Profile/}, where Profile
+is the name of the profile.
+If the specified profile cannot be found, the
+'Automatically generated passwords for new entries' profile is used.
+
+When specifying '~' as name of the profile
+(i.e. when using the placeholder {NEWPASSWORD:/~/}), KeePass derives
+a profile from the current entry password.
+Not recommended, as the quality can decay.
+
+
+
+
+
+
+{PASSWORD_ENC} – Encrypting Passwords:
+The {PASSWORD_ENC} placeholder is replaced by the password
+of the current entry in encrypted form. The password is encrypted using
+credentials of the current Windows user. The encrypted password should
+not be stored and only works for the current user.
+
+It is intended to be used in conjunction with the
+-pw-enccommand line parameter
+(see the URL Field page for
+an example how to define a URL to open an additional KeePass database).
+The placeholder cannot be used to transfer passwords to other applications
+(except KeePass), because the target applications don't know how to decrypt
+encrypted passwords generated by {PASSWORD_ENC}.
+
+
+
+
+
+
+
+One-Time Passwords (OTPs):
+KeePass provides menu commands in the main window for generating one-time
+passwords ('Copy HMAC-Based OTP', 'Show HMAC-Based OTP', 'Copy Time-Based OTP',
+'Show Time-Based OTP').
+Furthermore, one-time passwords can be generated during
+auto-type using the {HMACOTP} and
+{TIMEOTP} placeholders.
+
+
The parameters for the OTP generation are stored as entry strings and
+can be edited conveniently using the 'OTP Generator Settings' dialog
+(which checks the entered values, shows a preview, etc.).
+Alternatively, you can edit the entry strings directly, as documented below.
+
+
{HMACOTP} – Generating HMAC-Based One-Time Passwords:
+The {HMACOTP} placeholder generates an HMAC-based one-time
+password (HOTP) according to RFC 4226.
+
+
The shared secret and other parameters can be specified using the
+following entry string fields (which can be added/edited in the entry
+dialog on the 'Advanced' tab page):
+
+
HmacOtp-Secret
+HmacOtp-Secret-Hex
+HmacOtp-Secret-Base32
+HmacOtp-Secret-Base64
+Exactly one of these fields must be present, and its value must be set
+to the shared secret in the corresponding encoding.
+In the first case ('HmacOtp-Secret'), the UTF-8 encoding of the
+value is used as shared secret.
+
+
HmacOtp-Counter (automatic)
+This field stores the counter value in decimal representation.
+The default value is 0.
+When the {HMACOTP} placeholder is replaced (i.e. when generating
+a one-time password), KeePass updates the counter value automatically.
+
+
+
{TIMEOTP} – Generating Time-Based One-Time Passwords:
+The {TIMEOTP} placeholder generates a time-based one-time
+password (TOTP) according to RFC 6238.
+
+
The shared secret and other parameters can be specified using the
+following entry string fields (which can be added/edited in the entry
+dialog on the 'Advanced' tab page):
+
+
TimeOtp-Secret
+TimeOtp-Secret-Hex
+TimeOtp-Secret-Base32 (most common)
+TimeOtp-Secret-Base64
+Exactly one of these fields must be present, and its value must be set
+to the shared secret in the corresponding encoding.
+In the first case ('TimeOtp-Secret'), the UTF-8 encoding of the
+value is used as shared secret.
+Most services use the Base32 encoding.
+
+
TimeOtp-Length (optional)
+Specifies the length of the generated one-time password.
+The default value is 6; the maximum is 8.
+
+
TimeOtp-Period (optional)
+Specifies the time-step size in seconds.
+The default value is 30.
+
+
TimeOtp-Algorithm (optional)
+Specifies the cryptographic algorithm used for the generation
+of the one-time password. The following algorithms are supported:
+
+
HMAC-SHA-1
+
HMAC-SHA-256
+
HMAC-SHA-512
+
+The default value is HMAC-SHA-1.
+
+
+
The date and the time of your system must be correct, otherwise
+the service/server may reject the generated OTP.
+
+
Usage example.
+Create a new entry and change its default auto-type sequence to
+{USERNAME}{TAB}{PASSWORD}{ENTER}{DELAY 3000}{HMACOTP}{ENTER}.
+Open the 'OTP Generator Settings' dialog, set the shared secret
+for HMAC-based OTPs to '12345678901234567890' and select the UTF-8 encoding.
+When performing auto-type, KeePass sends the user name, presses
+Tab, sends the password, presses Enter,
+waits 3 seconds, generates and sends a HMAC-based OTP and finally presses
+Enter again.
+The counter value for the OTP generation is updated automatically.
+With the shared secret above and initial counter value 0, the following
+OTPs are generated: 755224, 287082, 359152, 969429, 338314, ...
+(more generated OTPs can be found in the example in RFC 4226).
+
+Plugins.
+There are plugins
+that add support for non-standard OTPs (e.g. Steam) and
+provide additional functions related to OTPs.
+
+
+
+
+
+
+{URL:...} and {BASE:...}:
+The {URL:...} placeholder is replaced by the specified part
+of the current entry's URL; this typically is useful in an
+entry-specific URL override (defined on the 'Properties' tab of the entry dialog).
+The {BASE:...} placeholder is replaced by the specified part
+of the URL being overridden; this typically is useful in a
+global URL override (defined in 'Tools' → 'Options' → tab 'Integration' →
+button 'URL Overrides'), because there no entry context may be available.
+
+Usage example. For the entry URL
+https://user:pw@keepass.info:80/path/example.php?q=e&s=t,
+the placeholders return the following values:
+
+
+
+{BASE} supports exactly the same parts as {URL}.
+
+
+
+
+
+
+{CMD:/CommandLine/Options/} – Running a command line:
+The {CMD:/CommandLine/Options/} placeholder
+runs the specified command line.
+
+A command line consists of a path to an executable file or a document
+and command line parameters.
+If the path contains spaces, it must be enclosed in quotes (").
+
+The character after the first ':' specifies the separator
+character. It can be chosen freely (except '{' and '}'),
+but it must not occur in the command line or any of the options.
+For example, {CMD:/Notepad.exe/W=0/} and
+{CMD:!Notepad.exe!W=0!} are equivalent.
+The separator character at the end (before the '}') is mandatory.
+
+An option is a key-value pair, separated by '='.
+Multiple options must be separated using commas ','.
+
+Options:
+
+
M:
+Specifies the method for running/opening the executable/document.
+The default value is S.
+
+
S:
+Use the system shell (via ShellExecute).
+With this, executable files are executed and documents are opened
+using their associated applications.
+However, no standard input/output is supported.
+
C:
+Run an executable file (EXE or COM, via CreateProcess);
+documents are not supported.
+Standard input/output is supported.
+
+
+
+
O:
+Specifies what to do with the standard output of the executed application.
+The default value is 1.
+
+
0:
+Ignore the standard output. The placeholder is replaced by an empty string.
+
1:
+Replace the placeholder by the standard output.
+
+
+
+
W:
+Specifies whether to wait for the termination of the executed application.
+The default value is 1.
+
+
0:
+Do not wait.
+
1:
+Wait.
+
+
+
+
WS:
+Specifies the window style. Not all applications support this option.
+The default value is N.
+
+
N:
+Normal.
+
H:
+Hidden.
+
Min:
+Minimized.
+
Max:
+Maximized.
+
+
+
+
V:
+Specifies the verb (action to be performed),
+e.g. 'Open' or 'Print'.
+When using the verb 'RunAs', the application is executed with administrative
+rights (this may require a confirmation via the UAC dialog).
+
+
+
New-line characters at the end of the output are removed (analogous to
+'$(...)' and '`...`' shell command substitutions).
+
+Usage examples:
+
+
{CMD:/Notepad.exe/W=0/}
+Runs Notepad and continues immediately.
+
{CMD:/PowerShell.exe -Command "(Get-FileHash '%SYSTEMROOT%\Win.ini'
+-Algorithm SHA256).Hash"/M=C,WS=H/}
+The placeholder is replaced by the SHA-256 hash of Windows' Win.ini file.
This password generation method is the recommended way to generate random passwords.
+Other methods (pattern-based generation, ...) should only be used if passwords must
+follow special rules or fulfill certain conditions.
+
+
Generation based on a character set is very simple. You simply let KeePass know
+which characters can be used (e.g. upper-case letters, digits, ...) and KeePass will
+randomly pick characters out of the set.
+
+
Defining a character set:
+The character set can be defined directly in the password generator window. For convenience,
+KeePass offers adding commonly used ranges of characters to the set. This is done by
+ticking the appropriate check box. Additionally to these predefined character ranges, you
+can specify characters manually: all characters that you enter in the 'Also include the
+following characters' text box will be directly added to the character set.
+
+
The characters that you enter in the 'Also include the following characters'
+text box are included in the character set from which the password generator randomly
+chooses characters from.
+This means that these additional characters are allowed to appear in the
+generated passwords, but they are not forced to.
+If you want to force that some characters appear in the generated passwords,
+you have to use the pattern-based generation.
+
+
Character sets are sets:
+In mathematical terms, character sets are sets, not vectors. This means that characters
+cannot be added twice to the set. Either a character is in the set or it is not.
+
+
For example, if you enter 'AAAAB' into the additional characters box, this is
+exactly the same set as 'AB'. 'A' will not be 4 times as likely as 'B'!
+If you need to follow rules like 'character A is more likely than B', you must
+use pattern-based generation + permuting password characters.
+
+
KeePass will 'optimize' your character set by removing all duplicate characters. If
+you'd enter the character set 'AAAAB' into the additional characters box,
+close and reopen the password generator, it'll show the shorter character set 'AB'.
+Similarly, if you tick the 'Digits' check box and enter '3' into the
+additional box, the '3' will be ignored because it is already included in the
+'Digits' character range.
+
+
Supported characters:
+All Unicode
+characters in the ranges [U+0001, U+D7FF] and [U+E000, U+FFFF]
+except { U+0009 / '\t', U+000A / '\n', U+000D / '\r' } are supported.
+Characters in the range [U+010000, U+10FFFF] (which need to be encoded
+in UTF-16 using surrogate pairs from [0xD800, 0xDFFF]) are not supported.
+Subsequent processing of passwords may have further limitations
+(for example, the character U+FFFF is forbidden in XML/KDBX files
+and will be replaced or removed).
+
+
+
+
+
+Generation Based on Patterns
+
+
The password generator can create passwords using patterns. A pattern is a
+string defining the layout of the new password. The following placeholders
+are supported:
The \ placeholder is special: it's an escape character. The next character that follows
+the \ is written directly into the generated password. If you want a \ in your
+password at a specific place, you have to write \\.
+
+
Using the {n} code you can define how many times the previous placeholder
+should occur. The { } operator duplicates placeholders, not generated characters. Examples:
+» d{4} is equivalent to dddd,
+» dH{4}a is equivalent to dHHHHa and
+» Hda{1}dH is equivalent to HdadH.
+
+
The [...] notation can be used to define a custom character set, from which
+the password generator will pick one character randomly. All characters between the '['
+and ']' brackets follow the same rules as the placeholders above.
+The '^' character removes the next placeholders from the character set.
+Examples:
+» [dp] generates exactly 1 random character out of the set
+digits + punctuation,
+» [d\m\@^\3]{5} generates 5 characters out of the set "012456789m@",
+» [u\_][u\_] generates 2 characters out of the set upper-case + '_'.
Below are a few examples how the pattern generation feature can be used to generate
+passwords that follow certain rules.
+
+
Important! For all of the following examples you must enable the 'Randomly permute
+characters of password' option!
+
+
+
+
Rule
+
Pattern
+
+
Must consist of 2 upper-case letters, 2 lower-case letters and 2 digits.
+
uulldd
+
+
Must consist of 9 digits and 1 letter.
+
d{9}L
+
+
Must consist of 10 alphanumeric characters, where at least 1 is
+a letter and at least 1 is a digit.
+
LdA{8}
+
+
Must consist of 10 alphanumeric characters, where at least 2 are
+upper-case letters and at least 2 are lower-case letters.
+
uullA{6}
+
+
Must consist of 9 characters of the set "ABCDEF" and
+an '@' symbol.
+
\@[\A\B\C\D\E\F]{9}
+
+
+
+
+
+
+
+Security-Reducing Options
+
+
The password generator supports several options like 'Each character must occur at most once',
+'Exclude look-alike characters' (O0, Il1|)
+and a field to explicitly specify characters that should not appear in generated passwords.
+
+
These options are reducing the security of generated passwords. You should
+only enable them if you are forced to follow such rules by the website/application,
+for which you are generating the password.
+
+
The options can be found in the 'Advanced' dialog / tab page.
+
+
+
+
+
+
+
+If you enable a security-reducing option, an exclamation mark (!)
+is appended to the 'Advanced' tab.
+
+
+
+
+
+
+Creating and Using Password Generator Profiles
+
+
Password generator options (character set, length, pattern, ...) can be saved
+as password generator profiles.
+
+
Creating/modifying a profile:
+
+
+
Open the Password Generator window.
+
Specify all options of the new profile.
+
Click the
+'Save as Profile' button.
+
Enter the name of the new profile, or select an existing profile name from
+the drop-down list to overwrite it. Close the dialog with OK.
+
If you want to immediately create a password using the new profile,
+click OK/Accept. Otherwise click Cancel/Close (the profile is not lost;
+profile management is independent of password generation).
+
+
+
Using a profile:
+To use a profile, simply select it from the drop-down profiles list
+in the password generator window. All settings of this profile will be
+restored accordingly.
+
+
Meta-profile 'Derive from previous password':
+When this meta-profile is selected, a password is generated based on
+a character set derived from the previous password. The new password
+has the same length as the old one, and every character of the old
+password turns on the character subset that contains this character.
+For example, if the old password contains the letter 'R', then the character
+set used for generating the new password contains the range 'A' to 'Z'.
+Warning! This meta-profile should not be used blindly
+(i.e. without reviewing the used character set).
+The new password does not necessarily contain at least one character
+from each character subset (see 'Generation
+Based on Character Sets'), thus blindly generating new passwords
+with this meta-profile can result in a quality degradation of the
+effectively used profile.
+
+
+
+
+
+Configuring Settings of Automatically Generated Passwords for New Entries
+
+
When you create a new entry, KeePass will automatically generate a random
+password for it. The properties of these generated passwords can be configured
+in the password generator dialog.
+
+
To configure, specify the options of your choice and overwrite the
+'(Automatically generated passwords for new entries)' profile (see
+section above).
+
+
Disabling automatically generated passwords:
+To disable automatically generated passwords for new entries, select
+'Generate using character set' and specify 0 as password length.
+Overwrite the appropriate profile (see above).
KeePass can repair corrupted databases in some cases.
+
+
+
+
+
KeePass has quite some features to avoid database file corruption
+(transacted database writing, device buffer flushing, ...). However,
+data corruption can still be caused by other programs, the system or
+broken storage devices (note that KeePass by default is verifying the integrity
+of database files immediately after writing them, i.e. at this point of time,
+KeePass guarantees file integrity; however, KeePass of course can't do anything
+when the data becomes corrupted/unreadable at a later point of time).
+
+
In these cases, the database repair functionality might help you.
+Here, KeePass tries to read as much data as possible from the corrupted file.
+
+
+In repair mode, the integrity of the data is not checked
+(in order to rescue as much data as possible).
+When no integrity checks are performed, corrupted/malicious data might
+be incorporated into the database.
+Thus the repair functionality should only be used when there really is no other solution.
+If you use it, afterwards you should thoroughly check your whole
+database for corrupted/malicious data.
+
+
+
+
+
+
+In order to use the repair functionality in KeePass 2.x, first
+create a new database file. Then, go 'File' → 'Import' and import
+the corrupted database file, using 'KeePass KDBX (2.x) (Repair Mode)'
+as format.
+
+
+
Anyway, if you've lost the master key for the database, the repair functionality
+cannot help you. Also, if the header of the database (first few bytes) is
+corrupted, you're out of luck, too: the repair functionality won't be able
+to restore any entries (because the header contains information required
+to decrypt the database).
+
+
The repair functionality should be seen as last hope. Regularly making
+backups of your databases is much better and has to be preferred.
+Backups have no cryptographic security implications.
+There are plugins that automate the backup process, see the
+KeePass plugins page.
+
+
+
+
+
+File Header/Signature
+
+
If your database file has been deleted and you want to try recovering
+it using a tool that supports a file header/signature detection:
+below you can find the first bytes (in hex notation) with which all
+database files begin.
+
+
+
KeePass 1.x KDB File:
+03 D9 A2 9A 65 FB 4B B5
+
KeePass 2.x KDBX File:
+03 D9 A2 9A 67 FB 4B B5
+
+
+
The file header does not contain a field that specifies the length
+of the file. If the length cannot be determined from the file system,
+try to recover sufficiently much data (i.e. the database file data and
+maybe some subsequent, unnecessary data) and use the
+repair functionality above, which will simply ignore any subsequent data.
In this mode, KeePass searches the specified terms in the selected fields.
+For an entry to match, all terms must match.
+
+
+
Multiple terms.
+In order to search for multiple terms, separate the terms using spaces.
+If you want to search for a term containing spaces, enclose the term
+in double quotes ("...").
+
+
Exclusions (2.x).
+In order to find entries that do not contain a certain term,
+prepend a minus sign to the term.
+
+
+
An entry matches if the specified terms can be found as substrings.
+If you want to find exact matches instead, use a
+regular expression
+(see the example 'Exact term').
+
+
Examples.
+
+
+
+
+
Multiple terms
+
Find what:
Michael Home
+
Options:
☑ Title
+
Finds every entry whose title contains both the term
+'Michael' and the term 'Home' (in any order).
+
+
+
+
+
+
+
+
Terms with spaces
+
Find what:
Michael "Web Server"
+
Options:
☑ Title
+
Finds every entry whose title contains both the term
+'Michael' and the term 'Web Server'.
+
+
+
+
+
+
+
+
Exclusions (2.x)
+
Find what:
Michael -Home
+
Options:
☑ Title
+
Finds every entry whose title contains the term
+'Michael', but not the term 'Home'.
+
+
+
+
+
+
+Search Mode 'Regular Expression'
+
+
In this mode, KeePass searches for matches of a regular expression
+in the selected fields.
+
+
Information about regular expressions and tools can be found here:
In order to see your database in the KeePass 2.x XML format, you can
+export it (via 'File' → 'Export') to a 'KeePass XML (2.x)' file.
+
+
If you want to find and replace data using XPath and regular
+expressions, see the XML Replace feature.
+
+
Examples.
+
+
+
+
+
Icon
+
Find what:
+
//Entry[(IconID = '3') and not(CustomIconUUID)]
+
Finds every entry that has a
+ icon.
+
+
+
+
+
+
+
+
Expired in specific year
+
Find what:
+
//Entry/Times[(Expires = 'True') and starts-with(ExpiryTime, '2022-')]/..
+
Finds every entry that has expired in 2022.
+
+
+
+
+
+
+
+
Custom string field
+
Find what:
+
//Entry/String[(Key = 'Telephone') and contains(Value, '12345')]/..
+
Options:
☑ Other strings
+
Finds every entry that has a custom string field
+named 'Telephone' whose value contains '12345'.
+
+
+
+
+
+
+
+
Attached PDF files
+
Find what:
+
//Entry/Binary/Key[(string-length(.) >= 4) and (substring(., string-length(.) - 3) = '.pdf')]/../..
+
Finds every entry that has a file attachment whose
+name ends with '.pdf'.
+
If you want to find large entries instead, use the
+'Large Entries' command in the 'Find' menu.
+
+
+
+
+
+
+
+
Background color
+
Find what:
+
//Entry[BackgroundColor = '#CCFFCC']
+
Finds every entry that has a
+light green
+background color.
+
The standard background colors are
+light red (#FFCCCC),
+light green (#CCFFCC),
+light blue (#99CCFF) and
+light yellow (#FFFF99).
+
+
+
+
+
+
+
+
Multiple tags (AND, exact)
+
Find what:
+
//Entry[contains(concat(';', Tags, ';'), ';Home;') and
+contains(concat(';', Tags, ';'), ';Private;')]
+
Options:
☑ Tags
+
Finds every entry that has both the tag 'Home'
+and the tag 'Private'.
+
In contrast to this, searching with the
+simple expression 'Home Private'
+also finds entries that have 'Home' and 'Private' as substrings in
+the tags.
+
+
+
+
+
+
+
+
History entry count
+
Find what:
+
//Entry[count(History/Entry) >= 4]
+
Options:
☑ History
+
Finds every entry that has at least 4 history entries.
+
+
+
+
+
+
+
+
Group notes
+
Find what:
+
//Group[contains(Notes, 'Private')]/Entry
+
Finds every entry whose (direct) parent group
+contains the word 'Private' in the notes (of the group, not of the entry).
+If there are multiple such groups, the entries of all these groups are found.
+
+
+
+
+
+
+Search Profiles (2.x)
+
+
KeePass can save search parameters as a search profile.
+This can be useful when you are regularly performing similar searches.
+
+
Creating a profile.
+In order to save the current search parameters specified in the 'Find' dialog,
+click the
+profile creation button. KeePass then shows a dialog where you can enter
+a name for the new profile.
+
+
Overwriting a profile.
+Overwriting an existing profile works the same as creating a profile,
+except that you select an existing profile name in the name dialog.
+
+
Using a profile.
+There are two ways to load a profile and perform a search with it:
+
+
Open the 'Find' dialog (via the menu 'Find' or
+Ctrl+F), click on the 'Profile'
+combo box and select the desired profile; this causes KeePass to load
+the profile. If necessary, adjust the search parameters.
+Finally, click the 'Find' button.
+
+
In the menu of the main window, click 'Find' → 'Search Profiles'.
+In this menu, all profiles are listed. For each profile,
+there are commands to directly perform a search with the profile
+(commands 'Find ...') and commands to show the profile in the
+'Find' dialog (commands 'Open ...').
+
+
+
Deleting a profile.
+In order to delete a profile, select it in the 'Find' dialog and
+click the profile deletion button.
In order to indicate that the search string is a regular expression,
+enclose it in '//'.
+For example, '//A{6}//' finds all entries containing
+the string 'AAAAAA'.
+Note that this special syntax does not work in the 'Find' dialog;
+in this dialog, you need to select the regular expression mode
+and specify the regular expression as-is, i.e. without enclosing it
+in '//'.
+
+
Options.
+The 'Find' dialog and the quick search box are independent;
+options/parameters in the 'Find' dialog do not affect quick searches.
+Options for quick searches can be found in the options dialog
+(menu 'Tools' → 'Options' → tab 'Interface').
KeePass was one of the first password managers featuring secure edit controls. The
+edit controls used in KeePass are resistant to password revealers and password
+control spies. Additionally, the entered passwords are protected against
+memory dumping attacks: the passwords aren't even visible in the process memory space
+of KeePass!
+
+
KeePass uses secure edit controls only when the hiding behind asterisks option
+is turned on! If you show the passwords in plaintext, they won't be protected
+(secure edit controls are just disabled then, replaced by standard Windows edit
+controls).
There exist various
+plugins
+that provide support for additional encryption algorithms,
+including but not limited to Twofish, Serpent and GOST.
+
+
+
These well-known and thoroughly analyzed algorithms are
+considered to be very secure.
+AES (Rijndael) became effective as a U.S. federal government standard
+and is approved by the National Security Agency (NSA)
+for top secret information.
+Twofish was one of the other four AES finalists.
+ChaCha20 is the successor of the Salsa20 algorithm (which is included in the
+eSTREAM portfolio).
+
+
The block ciphers are used in the Cipher Block Chaining (CBC)
+block cipher mode.
+In CBC mode, plaintext patterns are concealed.
+
+
An initialization vector (IV) is generated
+randomly each time
+a database is saved. Thus, multiple databases encrypted with the same
+master key (e.g. backups) are no problem.
+
+
Data authenticity and integrity:
+
+
+
+
+
+
+The authenticity and integrity of the data is ensured using
+a HMAC-SHA-256 hash of the ciphertext (Encrypt-then-MAC scheme).
+
+
+
+
+
SHA-256 is used for compressing the components
+of the master key
+(consisting of a master password, a key file, a Windows user account key
+and/or a key provided by a plugin) to a 256-bit key K.
+
+
SHA-256 is a cryptographic hash function that is considered to be
+very secure. It has been standardized in
+NIST FIPS 180-4.
+The attack against SHA-1 discovered in 2005 does not affect
+the security of SHA-256.
+
+
In order to generate the key for the encryption algorithm,
+K is transformed using a key derivation function (with
+a random salt). This prevents precomputation of keys and makes dictionary
+and guessing attacks harder. For details, see the section
+'Protection against Dictionary Attacks'.
+
+
+
+
+
+Protection against Dictionary Attacks
+
+
KeePass features a protection against dictionary and guessing attacks.
+
+
Such attacks cannot be prevented, but they can be made harder.
+For this, the key K derived from the user's master key
+(see above) is transformed using a
+key derivation function with a random salt.
+This prevents a precomputation of keys and adds a work factor
+that the user can make as large as desired
+to increase the computational effort of a dictionary or guessing attack.
+
+
Multiple key derivation functions are supported. In the database
+settings dialog, you can select one and specify certain parameters
+for it.
+
+
By clicking the '1 Second Delay' button in the database settings
+dialog, KeePass computes the number of iterations that results in a
+1 second delay when loading/saving a database.
+Furthermore, KeePass 2.x has a button 'Test' that performs a key
+transformation with the specified parameters (which can be cancelled)
+and reports the required time.
+
+
The key transformation may require more or less time on other
+devices. If you are using KeePass or a port of it on other devices,
+make sure that all devices are fast enough (and have sufficient memory)
+to load the database with your parameters within an acceptable time.
+
+
Supported key derivation functions:
+
+
+
AES-KDF (KeePass 1.x and 2.x):
+This key derivation function is based on iterating
+AES.
+
+
In the database settings dialog, you can change the number of
+iterations. The more iterations, the harder are dictionary and guessing
+attacks, but also database loading/saving takes more time (linearly).
+
+On Windows Vista and higher, KeePass can use Windows' CNG/BCrypt API
+for the key transformation, which is about 50% faster than the
+key transformation code built-in to KeePass.
+
+
Argon2 (KeePass 2.x only):
+Argon2
+is the winner of the Password Hashing Competition.
+The main advantage of Argon2 over AES-KDF is that it provides a better
+resistance against GPU/ASIC attacks (due to being a memory-hard function).
+
+
The official specification of the Argon2 algorithm defines three
+variants: Argon2d, Argon2id and Argon2i.
+Argon2i is the least suitable variant in our case (KeePass database file);
+therefore, KeePass only offers Argon2d and Argon2id.
+
+
Argon2d provides the best resistance against GPU/ASIC attacks.
+The resistance of Argon2id against GPU/ASIC attacks is somewhat weaker,
+but Argon2id additionally makes certain side-channel attacks slightly harder.
+
+
Side-channel attacks try to gain information from a system by
+observing its behavior (e.g. the duration and the power consumption of
+certain operations). On servers, side-channel attacks are a real threat.
+On client devices (PCs), side-channel attacks are more difficult (more
+noise, etc.); there are ideas how some might work in theory, but we are
+not aware of any real attack in practice.
+For example, the attack described in the article
+'The Spy in the Sandbox / Side-Channel Attacks in Web Browsers'
+was interesting (JavaScript code was able to detect certain user interactions),
+but not a real threat (no extraction of sensitive data, as mentioned
+explicitly in the article). This may or may not change in the future.
+Note that this has nothing to do with cloud storage; KeePass encrypts/decrypts
+a database file on a client device, and thus it is irrelevant where the
+database file is stored (for side-channel attacks).
+Furthermore, there are side-channel attacks that neither Argon2d nor Argon2id
+(nor Argon2i, nor any other key derivation function) protects against (e.g.
+Spectre/Meltdown side-channel attacks, which allow
+spyware to read all memory).
+
+
In the case of KeePass, we currently recommend Argon2d instead
+of Argon2id, because we believe that a better protection against a
+really existing threat (password cracking using GPUs/ASICs is state
+of the art) is more important than a protection against certain
+side-channel attacks that may or may not become a problem on client
+devices in the future.
+If you worry about side-channel attacks (and are willing to sacrifice
+some GPU/ASIC resistance) or if you are developing a software where
+side-channel attacks could be a problem (e.g. a server service that
+operates with KeePass database files), use Argon2id.
+
+
Side note: the IRTF CFRG Argon2 Internet standard recommends
+Argon2id by default. For server applications, Argon2id is in general
+indeed more suitable than Argon2d, but our situation (client device)
+is different, as mentioned above.
+
+
The number of iterations scales linearly with the required time.
+By increasing the memory parameter, GPU/ASIC attacks become
+harder (and the required time increases).
+The parallelism parameter specifies how many threads should be used.
+
+
We recommend the following procedure for determining the
+Argon2 parameters:
+
+
Set the number of iterations to 2.
+
+
Find out the RAM size of each of your devices on which you want to
+open your database file. Let M be the minimum of these sizes.
+Set the memory parameter to min(M/2, 1 GB)
+(i.e. use the half of M, if it is less than 1 GB, otherwise use 1 GB).
+
+
Example 1: if you have a PC with 32 GB RAM and a mobile phone
+with 1 GB RAM (on which you want to open your database file),
+set the memory parameter to 500 MB.
+
Example 2: if you have a PC with 32 GB RAM and a PC with 8 GB RAM,
+set the memory parameter to 1 GB.
+
+On Windows 10 and higher, the RAM size can be found in the system settings
+→ 'System' → 'About'.
+
+
Find out the number of logical processors of each of your devices.
+Set the parallelism parameter to the minimum of these numbers.
+On Windows 10 and higher, the number of logical processors can be found
+in the Task Manager (right-click onto the taskbar → 'Task Manager')
+on the 'Performance' tab page.
+
+
Click the 'Test' button.
+
+
If the key transformation takes too much time (longer than you are
+willing to wait when opening/saving the database file, e.g. more than
+1 second), cancel it, decrease the memory parameter and click
+the 'Test' button again.
+Repeat this until the required time is acceptable.
+
+
If the key transformation takes too few time (in the case of 1 GB memory),
+increase the number of iterations and click the 'Test' button again.
+Repeat this until you like the required time.
+
+
+
Save the database file and try to open it on each of your other
+devices. If this takes too long on one of the devices,
+decrease the number of iterations (recommendation: not less than 2)
+and/or decrease the memory parameter, and try it again.
+
+
+
When clicking the '1 Second Delay' button, KeePass uses a different
+strategy for determining the parameters (relatively low values for the
+memory and parallelism parameters, relatively high number of iterations),
+because KeePass does not know the RAM and processor details of your other
+devices (the default values should be compatible with most devices).
+If you know these details, it is recommended to follow the
+procedure above instead.
+
+
+
+
+
+
Argon2 on iOS. If you are using a KeePass-compatible app
+on iOS, please note the following limitation of iOS.
+If the app uses a lot of RAM (e.g. due to using Argon2 with a
+large memory parameter), then AutoFill may not work.
+In this case, we recommend to use a relatively low value for the
+Argon2 memory parameter (64 MB or less, depending on the app and the
+database size) and a relatively high number of iterations.
+
+
KeePassX. In contrast to KeePass, the Linux port KeePassX
+only partially supports protection against dictionary and guessing attacks.
+
+
+
+
+
+Random Number Generation
+
+
KeePass first creates an entropy pool using various entropy sources
+(including random numbers generated by the system cryptographic provider,
+current date/time and uptime, cursor position, operating system version,
+processor count, environment variables, process and memory statistics,
+current culture, a new random GUID, etc.).
+
+
The random bits for the high-level generation methods are generated
+using a cryptographically secure pseudo-random number generator
+(based on SHA-256/SHA-512 and ChaCha20) that is initialized using the entropy pool.
+
+
+
+
+
+Process Memory Protection
+
+
While KeePass is running, sensitive data is stored encryptedly
+in the process memory.
+This means that even if you would dump the KeePass process memory to disk,
+you could not find any sensitive data.
+For performance reasons, the process memory protection only applies
+to sensitive data; sensitive data here includes for instance the master key
+and entry passwords, but not user names, notes and file attachments.
+Note that this has nothing to do with the
+encryption of database files;
+in database files, all data (including user names, etc.) is encrypted.
+
+
Furthermore, KeePass erases all security-critical memory (if possible)
+when it is not needed anymore, i.e. it overwrites these memory areas
+before releasing them.
+
+
KeePass uses the Windows DPAPI for encrypting sensitive data in memory
+
+(via CryptProtectMemory /
+
+ProtectedMemory).
+With DPAPI, the key for the memory encryption is stored in a
+secure, non-swappable memory area managed by Windows.
+DPAPI is available on Windows 2000 and higher.
+KeePass 2.x always uses DPAPI when it is available;
+in KeePass 1.x, this can be disabled (in the advanced options; by default
+using DPAPI is enabled; if it is disabled, KeePass 1.x uses the ARC4 encryption
+algorithm with a random key; note that this is less secure than DPAPI, mainly not
+because ARC4 cryptographically is not that strong, but because the key for
+the memory encryption is also stored in swappable process memory;
+similarly, KeePass 2.x falls back to encrypting the process memory using
+ChaCha20, if DPAPI is unavailable).
+On Unix-like systems, KeePass 2.x uses ChaCha20, because Mono does not provide
+any effective memory protection method.
+
+
For some operations, KeePass must make sensitive data available
+unencryptedly in the process memory. For example, in order to show a password
+in the standard list view control provided by Windows, KeePass must supply
+the cell content (the password) as unencrypted string
+(unless hiding using asterisks is enabled).
+Operations that result in unencrypted data in the process memory include,
+but are not limited to: displaying data (not asterisks) in standard controls,
+searching data, replacing placeholders (during auto-type, drag&drop,
+copying to clipboard, ...), importing/exporting files (except KDBX)
+and loading/saving unencrypted files.
+Windows and .NET may make copies of the data (in the process memory)
+that cannot be erased by KeePass.
+
+
+
+
+
+Enter Master Key on Secure Desktop (Protection against Keyloggers)
+
+
KeePass 2.x has an option (in 'Tools' → 'Options' → tab 'Security')
+to show master key dialogs on a different/secure desktop
+(supported on Windows 2000 and higher), similar to Windows'
+User Account Control (UAC). Almost no keylogger works on a secure desktop.
+
+
The option is turned off by default for compatibility reasons.
+
+
More information can be found on the
+Secure Desktop
+help page.
Note: KeePass was one of the first password managers that allow
+entering the master key on a different/secure desktop!
+
+
+
+
+
+Locking the Workspace
+
+
When locking the workspace, KeePass closes the database file and
+only remembers its path and certain view parameters.
+
+
This provides maximum security: unlocking the
+workspace is as hard as opening the database file the normal way. Also, it prevents
+data loss (the computer can crash while KeePass is locked, without doing any damage
+to the database).
+
+
When a sub-dialog is open, the workspace may not be locked;
+for details, see the FAQ.
The internal viewer/editor works with the data in main memory.
+It does not extract/store the data onto disk.
+
+
When trying to open an attachment that the internal viewer/editor cannot handle
+(e.g. a PDF file), KeePass extracts the attachment to a (EFS-encrypted)
+temporary file and opens it using the default application associated with this file type.
+After finishing viewing/editing, the user can choose between importing
+or discarding any changes made to the temporary file.
+In any case, KeePass afterwards securely deletes the temporary file
+(including overwriting it).
+
+
+
+
+
+Plugins
+
+
+
+
+
A separate page exist about the security of plugins:
+Plugin Security.
+
+
+
+
+
+
+Self-Tests
+
+
Each time you start KeePass, the program performs a quick self-test to see
+whether the encryption and hash algorithms work correctly and pass
+their test vectors. If one of the algorithms does not pass its test vectors,
+KeePass shows a security exception dialog.
+
+
+
+
+
+Specialized Spyware
+
+
This section gives answers to questions like the following:
+
+
+
Would encrypting the configuration file increase security by preventing
+changes by a malicious program?
+
Would encrypting the application (executable file, eventually together
+with the configuration file) increase security by preventing changes
+by a malicious program?
+
Would an option to prevent plugins from being loaded increase security?
+
Would storing security options in the database (to override the settings of
+the KeePass instance) increase security?
+
Would locking the main window in such a way that only auto-type is allowed
+increase security?
+
+
+
The answer to all these questions is: no. Adding any of these features
+would not increase security.
+
+
All security features in KeePass protect against generic threats like
+keyloggers, clipboard monitors, password control monitors, etc. (and against
+non-runtime attacks on the database, memory dump analyzers, ...).
+However in all the questions above we are assuming that there is a spyware
+program running on the system that is specialized on attacking KeePass.
+
+
In this situation, the best security features will fail.
+This is law #1 of the
+
+
+Ten Immutable Laws of Security
+(Microsoft TechNet article; see also the
+Microsoft TechNet article
+
+Revisiting the 10 Immutable Laws of Security, Part 1):
+"If a bad guy can persuade you to run his program on your
+computer, it's not your computer anymore".
+
+
For example, consider the following very simple spyware specialized
+for KeePass: an application that waits for KeePass to be started, then hides
+the started application and imitates KeePass itself. All interactions
+(like entering a password for decrypting the configuration, etc.) can be
+simulated.
+The only way to discover this spyware is to use a program that the spyware
+does not know about or cannot manipulate (secure desktop);
+in any case it cannot be KeePass.
+
+
For protecting your PC, we recommend using an anti-virus software.
+Use a proper firewall, only run software from trusted sources,
+do not open unknown e-mail attachments, etc.
+
+
+
+
+
+Malicious Data
+
+
The user should check all data that he enters and/or runs.
+
+
If you enter/run data without checking it first, this can lead to
+security problems (like for instance a disclosure of sensitive data
+or an execution of malicious code). This is a general principle;
+it applies to most applications, not only to KeePass.
+
+
Examples:
+
+
The URL field of an entry supports running
+a command line.
+So, if you (enter and) run a URL without checking it first,
+you might run a malicious program/code.
+
+
When running a URL, a malicious URL override
+(global or entry-specific) may be executed instead, if you did not check it.
+
+
KeePass supports placeholders.
+All regular placeholders are of the form '{...}', and
+environment variables
+are of the form '%...%'.
+All data should be checked for malicious placeholders and environment variables.
+
+
+
Field references can insert data of
+other entries into the current data. For example, if you have a Facebook account,
+entering and running the following URL might send your Facebook user name
+and the password to the 'example.com' server:
+https://example.com/?u={REF:U@T:Facebook}&p={REF:P@T:Facebook}
+
+
The {CMD:...} placeholder
+runs a command line. For example, the following URL opens
+'https://example.com/' and runs 'Calc.exe':
+https://example.com/{CMD:/Calc.exe/W=0/}
The following auto-type sequence
+performs a login and additionally runs 'Calc.exe':
+{USERNAME}{TAB}{PASSWORD}{ENTER}{VKEY
+91}{T-CONV:/%43%61%6C%63%2E%65%78%65/Uri-Dec/}{VKEY 13}
+This sequence typically only works on a Windows system, but similar
+sequences can be constructed for other operating systems
+(like Linux and MacOS).
+
+
If you specify weak key transformation
+settings suggested by an attacker, this might make it easier for the
+attacker to decrypt/open your database.
+
+
If you enter/use a password generator
+profile (suggested by an attacker) that allows weak passwords only,
+accounts using such weak passwords may not be well protected.
+
+
Using the XML Replace feature with malicious parameters may
+result in a malicious modification of data in your database.
+
+
Pasting/entering malicious triggers in the triggers dialog without checking
+them can result in security problems.
+
+
+
If the user checks the data that he enters/runs, none of the
+"attacks" above works. Entering data is a manual operation
+(i.e. an attacker cannot do this himself), and only the user can
+decide whether the resulting effect is intended or not.
+Showing warning/confirmation dialogs all the time would not be reasonable.
+
+
When opening a database that has been created/modified by
+someone else, you should carefully check all data that you want to use.
+If you do not fully trust the creator of the database, do not
+open any files attached to entries.
+
+
+
+
+
+Options for Experts
+
+
Most security options can be configured in the options dialog of
+KeePass (menu 'Tools' → 'Options') and in the database settings
+dialog (menu 'File' → 'Database Settings').
+
+
However, in KeePass 2.x, there additionally are a few security options
+for experts that cannot be configured in the user interface.
+For example, KeePass can protect its process with a
+discretionary access control list (DACL), and
+its windows can be protected against certain screen capture operations.
+
+
+Activating these options for experts may result in compatibility problems and
+may make KeePass unusable. Therefore, these options can only be activated by
+editing the configuration file manually (using an XML or text editor).
+This ensures that users know how they can deactivate the problematic options
+(by editing the configuration file once more)
+in order to make KeePass usable again.
+
+
If you know how the configuration
+system of KeePass works, then see the
+customization
+help page, on which these options are documented.
+
+
+
+
+
+Options for Administrators
+
+
Administrators can enforce certain settings, disallow certain functions,
+specify requirements for master passwords, and much more.
+Details can be found on the following help pages:
KeePass supports TANs, i.e. passwords that can be used only
+once.
+These special passwords are used by some banks: you need to confirm
+transactions using such TANs. This provides additional security, as
+a spy cannot perform transactions, even if he knows the password of
+your banking account.
+
+
+
+
+
+Using the TAN Wizard to add TANs
+
+
You can use the KeePass TAN Wizard to add several TANs at once to your
+database. Just open the TAN wizard dialog (menu Tools - TAN Wizard) and enter
+all your TANs. The formatting doesn't really
+matter, KeePass just uses all alphanumerical strings, i.e. characters like line breaks,
+tabs, spaces, dots, etc. are interpreted as separators.
+
+
The wizard will then generate several TAN entries from the data you entered into the dialog. Each
+TAN is a standard KeePass entry. The title of a TAN entry always is set to "<TAN>".
+This tells KeePass that the entry is a TAN entry. You cannot change the title, user
+name and URL of a TAN. But you can freely add notes to a TAN entry, if you wish.
+
+
+
+
+
+Using TANs
+
+
When you use the TAN (e.g. execute the "Copy Password" command on
+it), its expiration date will be set
+to the current time, which expires the entry. It will get a red
+X as icon.
+If you later want to know when you used a specific TAN,
+you can just have a look at its expiration date.
+
+
When copying a TAN to the clipboard, the database is marked as modified. You must save
+the file in order to remember the usage of a TAN.
+
+
If you accidently used a TAN without needing it, you can reset it (i.e. remove the red
+X and show it as valid TAN again). To do this, open the
+TAN entry (right-click it and choose 'Edit/View Entry...'). Here, uncheck the
+'Expires' checkbox. Click [OK] to close the dialog.
The author reserves the right not to be responsible for the topicality,
+correctness, completeness or quality of the information provided.
+Liability claims against the author relating to material or non-material
+damage caused by the use or non-use of the information provided or by the
+use of incorrect or incomplete information are generally excluded,
+unless it can be proven that the author acted intentionally or
+with gross negligence.
+
+
All offers are subject to change and non-binding.
+The author expressly reserves the right to change, extend or delete
+parts of the pages or the entire publication or to cease the publication
+temporarily or permanently without separate announcement.
+
+
+
+
+
Referrals and Links
+
+
In the case of direct or indirect referrals and links to external
+websites that lie outside the author's area of responsibility,
+liability would only come into force if the author had knowledge of
+the content and it were technically possible and reasonable for him
+to prevent use in the case of illegal content.
+
+
The author hereby expressly declares that at the time of setting the
+referral or link no illegal content was discernible on the referred/linked pages.
+The author has no influence whatsoever on the current and future design,
+content or authorship of the referred/linked pages.
+Therefore, he hereby expressly dissociates himself from all contents of all
+referred/linked pages which were changed after the referral or link setting.
+This statement applies to all referrals and links within the author's own
+Internet offer as well as to foreign entries in guest books, discussion
+forums, link directories, mailing lists and all other forms of databases
+set up by the author to whose content external write accesses are possible.
+For illegal, incorrect or incomplete contents and in particular for damages
+arising from the use or non-use of information presented in this way,
+only the provider of the page to which the referral/link was made is liable,
+not the person who merely refers/links to the respective publication.
+
+
+
+
+
Copyright and Trademark Rights
+
+
The author endeavours to respect applicable copyrights in all publications.
+However, if in spite of all efforts a copyright is violated, we will
+remove the relevant item from the publication on notification or
+will insert information on the copyright.
+
+
All brands and trademarks mentioned within the publication that are
+subject to property rights of third parties are subject to the
+provisions of the applicable trademark law and the property rights of the
+registered owner without restriction.
+The mere mention of a trademark does not imply that it is not protected
+by third-party rights.
+
+
The copyright for any material (images, diagrams, sounds, videos, texts, etc.)
+created by the author is reserved.
+Any duplication or use of such material in other electronic or printed
+publications is not permitted without the author's explicit consent.
If the opportunity for the input of personal or business data (e-mail
+addresses, name, addresses) is given, the input of this data takes place
+voluntarily. The use and payment of all offered services is permitted –
+if and so far technically possible and reasonable – without
+specification of any personal data or under specification of anonymized data
+or an alias.
+
+
The use of published postal addresses, telephone or fax numbers and
+e-mail addresses for marketing purposes is prohibited.
+We expressly reserve the right to take legal action against senders of
+so-called spam mails who violate this prohibition.
+
+
Scope of Processing of Personal Data
+
+
We only process personal data of our users if this is necessary to
+provide a functional website as well as our contents and services.
+The processing of personal data of our users takes place regularly only
+after consent of the user.
+An exception applies in those cases where prior consent cannot be obtained
+for real reasons and the processing of the data is permitted by law.
+
+
Legal Basis for the Processing of Personal Data
+
+
+
If we obtain the consent of the data subject for the processing of
+personal data, Art. 6 para. 1 lit. a EU General Data Protection Regulation
+(GDPR) serves as the legal basis.
+
+
In the processing of personal data required for the performance of a
+contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR
+serves as the legal basis.
+This also applies to processing operations that are necessary to carry out
+pre-contractual measures.
+
+
If the processing of personal data is necessary to comply with a legal
+obligation to which the controller is subject, Art. 6 para. 1 lit. c GDPR
+serves as the legal basis.
+
+
In the event that the vital interests of the data subject or another
+natural person require the processing of personal data,
+Art. 6 para. 1 lit. d GDPR serves as the legal basis.
+
+
If the processing is necessary for the purposes of the legitimate interests
+pursued by the controller or by a third party and if the interests,
+fundamental rights and freedoms of the data subject do not outweigh the
+former interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis.
+
+
+
Data Erasure and Storage Time
+
+
The personal data of the data subject will be erased or blocked as soon
+as the purpose of storage ceases to apply.
+The data may be stored beyond that if the European or national legislator
+has provided for this in EU regulations, laws or other provisions to which
+the controller is subject.
+The data will also be erased or blocked if a storage period prescribed by
+the aforementioned standards expires, unless there is a need for further
+storage of the data for the conclusion or performance of a contract.
+
+
+
+
Provision of the Website and Creation of Log Files
+
+
Every time you visit our website, our system automatically collects data
+and information of the calling computer.
+The following data is collected:
+
+
+
Information about the browser type and version used.
+
The user's operating system.
+
The user's Internet service provider.
+
The IP address of the user.
+
Date and time of access.
+
Websites from which the user's system reaches our website.
+
Websites that are accessed by the user's system via our website.
+
+
+
The data is also stored in the log files of our system.
+This data is not stored together with other personal data of the user.
+
+
The temporary storage of the IP address by the system is necessary to
+enable the website to be delivered to the user's computer.
+For this the IP address of the user must remain stored for the duration
+of the session.
+
+
The data is stored in log files to ensure the functionality of the website.
+In addition, the data serves us to optimize the website and to ensure
+the security of our information technology systems.
+An evaluation of the data for marketing purposes does not take place in
+this context.
+
+
The legal basis for the temporary storage of the data and the log files
+is Art. 6 para. 1 lit. f GDPR.
+Our legitimate interests lie in the above-mentioned purposes.
+
+
The data will be deleted as soon as they are no longer necessary to
+achieve the purpose for which they were collected:
+
+
+
In the case of the collection of data for the provision of the
+website, this is the case when the respective session has ended.
+
+
In the case of storing the data in log files, this is the case
+after seven days at the latest. Further storage is possible;
+in this case, the IP addresses of the users are erased or anonymized,
+so that an association of the calling client is no longer possible.
+
+
+
The collection of the data for the provision of the website and the
+storage of the data in log files is absolutely necessary for the
+operation of the website.
+Consequently, there is no possibility of objection on the part of the user.
+
+
+
+
Cookies
+
+
Our website uses cookies.
+Cookies are text files that are stored in the browser or by the
+browser on the user's computer system.
+If a user visits a website, a cookie may be stored on the user's system.
+This cookie may contain a characteristic string that uniquely identifies
+the browser when you return to the website.
+
+
We use cookies to make our website more user-friendly.
+Some elements of our website require that the calling browser can
+be identified even after a page change.
+
+
The following data is stored and transmitted in the cookies:
+
+
Status of the notification about the use of cookies (Cookie Consent).
+Cookie name: RwlConsent, lifetime: ≤ 1 year.
+
Third-party data (see below).
+
+
+
The purpose of using technically necessary cookies is to simplify
+the use of websites for users.
+Some functions of our website cannot be offered without the use of cookies.
+For this it is necessary that the browser is recognized even after a page change.
+
+
We need cookies for the following applications:
+
+
Remembering the status of the notification about the use of cookies (Cookie Consent).
+
Third-party applications (see below).
+
+
+
The user data collected via technically necessary cookies are not
+used to create user profiles.
+
+
The legal basis for the processing of personal data using cookies
+is Art. 6 para. 1 lit. f GDPR.
+Our legitimate interests lie in the above-mentioned purposes.
+
+
The user's computer stores and transmits cookies.
+Therefore, you as a user also have full control over the use of cookies.
+You can deactivate or restrict the transmission of cookies by changing
+the settings in your browser.
+Cookies that have already been saved can be erased at any time.
+This can also be done automatically.
+Please consult the documentation of your browser.
+Links to the cookie management documentations of some popular browsers:
If cookies are deactivated for our website, it may no longer be possible
+to use all functions of the website to the full extent.
+
+
+
+
Advertising
+
+
We use third-party advertising companies (Google) to serve ads when you visit our
+website. These companies may use information (not including your name, address,
+e-mail address or telephone number) about your visits to this and other websites
+in order to provide advertisements about goods and services of interest to you.
+For more information about the methods and how you can prevent this information
+from being used by third parties, see:
In the European Economic Area and California,
+only non-personalized advertising is displayed on our website.
+
+
When you visit a page on our website, your browser contacts the
+third party servers.
+The third party provider obtains among other things your IP address,
+the browser type and the address (URL) of the visited page.
+
+
The legal basis is Art. 6 para. 1 lit. f GDPR;
+our website is financed by advertising.
+
+
+
+
Contact Form and E-Mail Contact
+
+
There is a contact form on our website, which can be used for
+electronic contact.
+When a user takes advantage of this possibility, the data entered in
+the input mask is transmitted to us and stored.
+At the time the message is sent, the current date and time are also stored.
+
+
Alternatively, it is possible to contact us via the e-mail address provided.
+In this case, the user's personal data transmitted by e-mail is stored.
+
+
In this context, the data is not passed on to third parties.
+
+
The data is used only to process the contact or conversation.
+
+
The legal basis for the processing of the data is Art. 6 para. 1 lit. f GDPR.
+Our legitimate interests lie in the above-mentioned purposes.
+If the contact is aimed at the conclusion of a contract,
+Art. 6 para. 1 lit. b GDPR is an additional legal basis.
+
+
If a legal archiving obligation applies, the data is stored for
+the prescribed duration.
+Otherwise, the data are erased as soon as they are no longer necessary
+to achieve the purposes of their collection.
+For the personal data sent via contact form or e-mail, this is the case
+when the conversation with the user is finished.
+The conversation is finished when the circumstances indicate that the
+matter in question has been finally clarified.
+
+
You have the possibility to object to the storage of your personal data
+at any time. To do this, send an appropriate e-mail to the controller.
+In this case, all data stored in the course of the contact or conversation
+will be erased without undue delay, and the conversation cannot be continued.
+
+
+
+
Rights of the Data Subject
+
+
If your personal data is processed, you are a data subject in terms of
+the GDPR and have the following rights.
+
+
Right of Access
+
+
You can ask the controller to confirm whether personal data concerning
+you is processed by us.
+
+
If such processing takes place, you can request the following information
+from the controller:
+
+
the purposes of the processing;
+
the categories of personal data concerned;
+
the recipients or categories of recipient to whom the personal data
+have been or will be disclosed;
+
the envisaged period for which the personal data will be stored,
+if possible, or otherwise the criteria used to determine that period;
+
the existence of the right to request from the controller
+rectification or erasure of personal data or restriction of processing of
+personal data concerning the data subject or to object to such processing;
+
the right to lodge a complaint with a supervisory authority;
+
where the personal data are not collected from the data subject,
+any available information as to their source;
+
the existence of automated decision-making, including profiling,
+referred to in Art. 22 para. 1 and 4 GDPR and, at least in those cases,
+meaningful information about the logic involved, as well as the significance
+and the envisaged consequences of such processing for the data subject.
+
+
+
You have the right to request information as to whether the personal
+data concerning you is transferred to a third country or to an
+international organization.
+In this context, pursuant to Art. 46 GDPR you may request to be informed
+of the appropriate safeguards relating to the transfer.
+
+
Right to Rectification
+
+
You have the right to rectification and/or completion if the personal
+data processed concerning you is incorrect or incomplete.
+The controller shall make the correction without undue delay.
+
+
Right to Restriction of Processing
+
+
Under the following conditions, you may request the restriction of the
+processing of personal data concerning you:
+
+
+
if you contest the accuracy of the personal data, for a period
+enabling the controller to verify the accuracy of the personal data;
+
the processing is unlawful and you oppose the erasure of the personal
+data and request the restriction of their use instead;
+
the controller no longer needs the personal data for the purposes of
+the processing, but they are required by you for the establishment,
+exercise or defence of legal claims;
+
you object to processing pursuant to Art. 21 para. 1 GDPR pending the
+verification whether the legitimate grounds of the controller override yours.
+
+
+
Where processing has been restricted, your personal data shall,
+with the exception of storage, only be processed with your consent or
+for the establishment, exercise or defence of legal claims or for the
+protection of the rights of another natural or legal person or for reasons
+of important public interest of the Union or of a Member State.
+
+
If processing has been restricted pursuant to the above conditions,
+you will be informed by the controller before the restriction is lifted.
+
+
Right to Erasure
+
+
Erasure Obligation.
+You have the right to obtain from the controller the erasure of personal data
+concerning you without undue delay.
+The controller has the obligation to erase personal data without undue delay
+where one of the following grounds applies:
+
+
The personal data are no longer necessary in relation to the purposes
+for which they were collected or otherwise processed.
+
You withdraw your consent on which the processing is based (according to
+Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR), and where there is no
+other legal ground for the processing.
+
You object to the processing pursuant to Art. 21 para. 1 GDPR and
+there are no overriding legitimate grounds for the processing, or you
+object to the processing pursuant to Art. 21 para. 2 GDPR.
+
The personal data have been unlawfully processed.
+
The personal data have to be erased for compliance with a legal
+obligation in Union or Member State law to which the controller is subject.
+
The personal data have been collected in relation to the offer of
+information society services referred to in Art. 8 para. 1 GDPR.
+
+
+
Information to Third Parties.
+Where the controller has made the personal data public and is obliged
+pursuant to Art. 17 para. 1 GDPR to erase the personal data, the controller,
+taking account of available technology and the cost of implementation,
+shall take reasonable steps, including technical measures, to inform
+controllers which are processing the personal data that you have requested
+the erasure by such controllers of any links to, or copy or replication of,
+those personal data.
+
+
Exceptions.
+The right to erasure does not apply where processing is necessary
+
+
for exercising the right of freedom of expression and information;
+
for compliance with a legal obligation which requires processing by
+Union or Member State law to which the controller is subject or for
+the performance of a task carried out in the public interest or in the
+exercise of official authority vested in the controller;
+
for reasons of public interest in the area of public health in
+accordance with Art. 9 para. 2 lit. h and i as well as Art. 9 para. 3 GDPR;
+
for archiving purposes in the public interest, scientific or
+historical research purposes or statistical purposes in accordance with
+Art. 89 para. 1 GDPR in so far as the right referred to in
+Art. 17 para. 1 GDPR is likely to render impossible or seriously
+impair the achievement of the objectives of that processing;
+
for the establishment, exercise or defence of legal claims.
+
+
+
Right to Notification
+
+
The controller communicates any rectification or erasure of personal
+data or restriction of processing carried out in accordance with
+Art. 16, Art. 17 para. 1 and Art. 18 GDPR to each recipient to whom
+the personal data have been disclosed, unless this proves impossible
+or involves disproportionate effort.
+
+
You have the right to request to be informed about those recipients
+by the controller.
+
+
Right to Data Portability
+
+
You have the right to receive the personal data concerning you,
+which you have provided to the controller, in a structured,
+commonly used and machine-readable format and have the right to
+transmit those data to another controller without hindrance from
+the controller to which the personal data have been provided, where
+
+
the processing is based on consent pursuant to Art. 6 para. 1 lit. a
+or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to
+Art. 6 para. 1 lit. b GDPR, and
+
the processing is carried out by automated means.
+
+
+
In exercising this right, you further have the right to have the
+personal data transmitted directly from one controller to another,
+where technically feasible.
+Freedoms and rights of others must not be affected adversely.
+
+
The right to data portability does not apply to processing necessary
+for the performance of a task carried out in the public interest or in
+the exercise of official authority vested in the controller.
+
+
Right to Object
+
+
You have the right to object, on grounds relating to your particular
+situation, at any time to processing of personal data concerning you
+which is based on Art. 6 para. 1 lit. e or f GDPR,
+including profiling based on those provisions.
+
+
The controller no longer processes your personal data unless the
+controller demonstrates compelling legitimate grounds for the processing
+which override your interests, rights and freedoms or for the
+establishment, exercise or defence of legal claims.
+
+
Where personal data are processed for direct marketing purposes,
+you have the right to object at any time to processing of personal data
+concerning you for such marketing, which includes profiling to the
+extent that it is related to such direct marketing.
+
+
If you object to processing for direct marketing purposes, your
+personal data is no longer processed for such purposes.
+
+
In the context of the use of information society services, and
+notwithstanding Directive 2002/58/EC, you may exercise your right
+to object by automated means using technical specifications.
+
+
Right to Withdraw the Data Protection Declaration of Consent
+
+
You have the right to withdraw your consent at any time.
+The withdrawal of consent does not affect the lawfulness of processing
+based on consent before its withdrawal.
+
+
Automated Individual Decision-Making, Including Profiling
+
+
You have the right not to be subject to a decision based solely on
+automated processing, including profiling, which produces legal effects
+concerning you or similarly significantly affects you.
+This does not apply if the decision
+
+
is necessary for entering into, or performance of, a contract between
+you and the controller;
+
is authorised by Union or Member State law to which the controller
+is subject and which also lays down suitable measures to safeguard your
+rights and freedoms and legitimate interests; or
+
is based on your explicit consent.
+
+
+
However, these decisions are not based on special categories of
+personal data referred to in Art. 9 para. 1 GDPR, unless
+Art. 9 para. 2 lit. a or g GDPR applies and suitable measures to
+safeguard your rights and freedoms and legitimate interests are in place.
+
+
In the cases 1. and 3., the data controller implements suitable
+measures to safeguard your rights and freedoms and legitimate interests,
+at least the right to obtain human intervention on the part of the
+controller, to express your point of view and to contest the decision.
+
+
Right to Lodge a Complaint With a Supervisory Authority
+
+
Without prejudice to any other administrative or judicial remedy,
+you have the right to lodge a complaint with a supervisory authority,
+in particular in the Member State of your habitual residence, place of
+work or place of the alleged infringement if you consider that the
+processing of personal data relating to you infringes the GDPR.
+
+
The supervisory authority with which the complaint has been lodged
+informs the complainant on the progress and the outcome of the
+complaint including the possibility of a judicial remedy pursuant to
+Art. 78 GDPR.
This legal documentation is to be regarded as part of the Internet
+publication from which you were referred to this page.
+If sections or individual terms of this statement are not legal or
+correct, the content or validity of the other parts remain uninfluenced
+by this fact.
+
+
+
+
+German (Deutsch)
+
+
+
Inhalt
+
+
Der Autor übernimmt keinerlei Gewähr für die Aktualität, Korrektheit,
+Vollständigkeit oder Qualität der bereitgestellten Informationen.
+Haftungsansprüche gegen den Autor, welche sich auf Schäden materieller
+oder nicht-materieller Art beziehen, die durch die Nutzung oder Nichtnutzung
+der dargebotenen Informationen bzw. durch die Nutzung fehlerhafter
+oder unvollständiger Informationen verursacht wurden, sind
+grundsätzlich ausgeschlossen, sofern seitens des Autors kein
+nachweislich vorsätzliches oder grob fahrlässiges Verschulden vorliegt.
+
+
Alle Angebote sind freibleibend und unverbindlich.
+Der Autor behält es sich ausdrücklich vor, Teile der Seiten oder das gesamte
+Angebot ohne gesonderte Ankündigung zu verändern, zu ergänzen, zu
+löschen oder die Veröffentlichung zeitweise oder endgültig einzustellen.
+
+
+
+
+
Verweise und Links
+
+
Bei direkten oder indirekten Verweisen und Links auf fremde Webseiten,
+die außerhalb des Verantwortungsbereiches des Autors liegen,
+würde eine Haftungsverpflichtung ausschließlich in
+dem Fall in Kraft treten, in dem der Autor von den Inhalten Kenntnis
+hat und es ihm technisch möglich und zumutbar wäre, die Nutzung im
+Falle rechtswidriger Inhalte zu verhindern.
+
+
Der Autor erklärt hiermit ausdrücklich, dass zum Zeitpunkt der
+Verweis- bzw. Linksetzung keine illegalen Inhalte auf den verwiesenen/verlinkten
+Seiten erkennbar waren. Auf die aktuelle und zukünftige Gestaltung,
+die Inhalte oder die Urheberschaft der verwiesenen/verlinkten Seiten
+hat der Autor keinerlei Einfluss. Deshalb distanziert er sich
+hiermit ausdrücklich von allen Inhalten aller verwiesenen/verlinkten Seiten,
+die nach der Verweis- bzw. Linksetzung verändert wurden.
+Diese Feststellung gilt für alle innerhalb des eigenen Internetangebotes
+gesetzten Verweise und Links sowie für Fremdeinträge in vom Autor
+eingerichteten Gästebüchern, Diskussionsforen, Linkverzeichnissen,
+Mailinglisten und in allen anderen Formen von Datenbanken, auf
+deren Inhalt externe Schreibzugriffe möglich sind. Für illegale,
+fehlerhafte oder unvollständige Inhalte und insbesondere für
+Schäden, die aus der Nutzung oder Nichtnutzung solcherart
+dargebotener Informationen entstehen, haftet allein der
+Anbieter der Seite, auf welche verwiesen wurde, nicht derjenige,
+der über Verweise oder Links auf die jeweilige Veröffentlichung
+lediglich verweist.
+
+
+
+
+
Urheber- und Kennzeichenrecht
+
+
Der Autor ist bestrebt, in allen Publikationen geltende Urheberrechte
+zu beachten. Sollte es trotzdem zu einer Urheberrechtsverletzung kommen,
+werden wir das entsprechende Objekt nach Benachrichtigung aus unserer
+Publikation entfernen oder Informationen zum Urheberrecht hinzufügen.
+
+
Alle innerhalb des Internetangebots genannten und ggf. durch Dritte
+geschützten Marken- und Warenzeichen unterliegen uneingeschränkt den
+Bestimmungen des jeweils gültigen Kennzeichenrechts und den
+Besitzrechten der jeweiligen eingetragenen Eigentümer.
+Allein aufgrund der bloßen Nennung ist nicht der Schluss zu ziehen,
+dass Markenzeichen nicht durch Rechte Dritter geschützt sind.
+
+
Das Copyright für veröffentlichte, vom Autor selbst erstellte
+Objekte (Bilder, Grafiken, Tondokumente, Videosequenzen, Texte, usw.)
+bleibt allein beim Autor der Seiten.
+Eine Vervielfältigung oder Verwendung solcher Objekte in anderen
+elektronischen oder gedruckten Publikationen ist ohne ausdrückliche
+Zustimmung des Autors nicht gestattet.
Sofern innerhalb des Internetangebotes die Möglichkeit zur
+Eingabe persönlicher oder geschäftlicher Daten (E-Mail-Adressen,
+Namen, Anschriften) besteht, so erfolgt die Preisgabe dieser Daten seitens
+des Nutzers auf ausdrücklich freiwilliger Basis. Die Inanspruchnahme
+und Bezahlung aller angebotenen Dienste ist – soweit technisch
+möglich und zumutbar – auch ohne Angabe solcher Daten bzw.
+unter Angabe anonymisierter Daten oder eines Pseudonyms gestattet.
+
+
Die Nutzung der im Rahmen des Impressums oder vergleichbarer
+Angaben veröffentlichten Kontaktdaten wie Postanschriften,
+Telefon- und Faxnummern sowie E-Mail-Adressen durch Dritte zur
+Übersendung von nicht ausdrücklich angeforderten Informationen
+zu Marketing-Zwecken ist nicht gestattet.
+Rechtliche Schritte gegen die Versender von sogenannten Spam-Mails
+bei Verstößen gegen dieses Verbot sind ausdrücklich vorbehalten.
+
+
Umfang der Verarbeitung personenbezogener Daten
+
+
Wir verarbeiten personenbezogene Daten unserer Nutzer grundsätzlich nur,
+soweit dies zur Bereitstellung einer funktionsfähigen Website sowie
+unserer Inhalte und Leistungen erforderlich ist. Die Verarbeitung
+personenbezogener Daten unserer Nutzer erfolgt regelmäßig nur nach
+Einwilligung des Nutzers. Eine Ausnahme gilt in solchen Fällen,
+in denen eine vorherige Einholung einer Einwilligung aus tatsächlichen
+Gründen nicht möglich ist und die Verarbeitung der Daten durch
+gesetzliche Vorschriften gestattet ist.
+
+
Rechtsgrundlage für die Verarbeitung personenbezogener Daten
+
+
+
Soweit wir für Verarbeitungsvorgänge personenbezogener Daten eine
+Einwilligung der betroffenen Person einholen, dient Art. 6 Abs. 1 lit. a
+EU-Datenschutzgrundverordnung (DSGVO) als Rechtsgrundlage.
+
+
Bei der Verarbeitung von personenbezogenen Daten, die zur Erfüllung eines
+Vertrages, dessen Vertragspartei die betroffene Person ist, erforderlich ist,
+dient Art. 6 Abs. 1 lit. b DSGVO als Rechtsgrundlage. Dies gilt auch für
+Verarbeitungsvorgänge, die zur Durchführung vorvertraglicher Maßnahmen
+erforderlich sind.
+
+
Soweit eine Verarbeitung personenbezogener Daten zur Erfüllung einer
+rechtlichen Verpflichtung erforderlich ist, der der Verantwortliche
+unterliegt, dient Art. 6 Abs. 1 lit. c DSGVO als Rechtsgrundlage.
+
+
Für den Fall, dass lebenswichtige Interessen der betroffenen Person oder
+einer anderen natürlichen Person eine Verarbeitung personenbezogener Daten
+erforderlich machen, dient Art. 6 Abs. 1 lit. d DSGVO als Rechtsgrundlage.
+
+
Ist die Verarbeitung zur Wahrung eines berechtigten Interesses des
+Verantwortlichen oder eines Dritten erforderlich und überwiegen die Interessen,
+Grundrechte und Grundfreiheiten des Betroffenen das erstgenannte Interesse
+nicht, so dient Art. 6 Abs. 1 lit. f DSGVO als Rechtsgrundlage.
+
+
+
Datenlöschung und Speicherdauer
+
+
Die personenbezogenen Daten der betroffenen Person werden gelöscht
+oder gesperrt, sobald der Zweck der Speicherung entfällt.
+Eine Speicherung kann darüber hinaus erfolgen, wenn dies durch den
+europäischen oder nationalen Gesetzgeber in unionsrechtlichen Verordnungen,
+Gesetzen oder sonstigen Vorschriften, denen der Verantwortliche unterliegt,
+vorgesehen wurde. Eine Löschung oder Sperrung der Daten erfolgt auch dann,
+wenn eine durch die genannten Normen vorgeschriebene Speicherfrist abläuft,
+es sei denn, dass eine Erforderlichkeit zur weiteren Speicherung der Daten
+für einen Vertragsabschluss oder eine Vertragserfüllung besteht.
+
+
+
+
Bereitstellung der Website und Erstellung von Logfiles
+
+
Bei jedem Aufruf unserer Internetseite erfasst unser System automatisiert
+Daten und Informationen des aufrufenden Rechners.
+Folgende Daten werden hierbei erhoben:
+
+
+
Informationen über den Browsertyp und die verwendete Version.
+
Das Betriebssystem des Nutzers.
+
Den Internet-Service-Provider des Nutzers.
+
Die IP-Adresse des Nutzers.
+
Datum und Uhrzeit des Zugriffs.
+
Websites, von denen das System des Nutzers auf unsere Internetseite gelangt.
+
Websites, die vom System des Nutzers über unsere Website aufgerufen werden.
+
+
+
Die Daten werden ebenfalls in den Logfiles unseres Systems gespeichert.
+Eine Speicherung dieser Daten zusammen mit anderen personenbezogenen Daten
+des Nutzers findet nicht statt.
+
+
Die vorübergehende Speicherung der IP-Adresse durch das System ist
+notwendig, um eine Auslieferung der Website an den Rechner des Nutzers zu
+ermöglichen. Hierfür muss die IP-Adresse des Nutzers für die Dauer der
+Sitzung gespeichert bleiben.
+
+
Die Speicherung in Logfiles erfolgt, um die Funktionsfähigkeit der Website
+sicherzustellen. Zudem dienen uns die Daten zur Optimierung der Website und
+zur Sicherstellung der Sicherheit unserer informationstechnischen Systeme.
+Eine Auswertung der Daten zu Marketingzwecken findet in diesem Zusammenhang
+nicht statt.
+
+
Rechtsgrundlage für die vorübergehende Speicherung der Daten und der
+Logfiles ist Art. 6 Abs. 1 lit. f DSGVO.
+Unsere berechtigten Interessen liegen in den oben genannten Zwecken.
+
+
Die Daten werden gelöscht, sobald sie für die Erreichung des Zweckes
+ihrer Erhebung nicht mehr erforderlich sind:
+
+
+
Im Falle der Erfassung der Daten zur Bereitstellung der Website ist
+dies der Fall, wenn die jeweilige Sitzung beendet ist.
+
+
Im Falle der Speicherung der Daten in Logfiles ist dies nach spätestens
+sieben Tagen der Fall. Eine darüberhinausgehende Speicherung ist möglich;
+in diesem Fall werden die IP-Adressen der Nutzer gelöscht oder verfremdet,
+sodass eine Zuordnung des aufrufenden Clients nicht mehr möglich ist.
+
+
+
Die Erfassung der Daten zur Bereitstellung der Website und die Speicherung
+der Daten in Logfiles ist für den Betrieb der Website zwingend erforderlich.
+Es besteht folglich seitens des Nutzers keine Widerspruchsmöglichkeit.
+
+
+
+
Cookies
+
+
Unsere Website verwendet Cookies. Bei Cookies handelt es sich
+um Textdateien, die im Browser bzw. vom Browser
+auf dem Computersystem des Nutzers gespeichert werden.
+Ruft ein Nutzer eine Website auf, so kann ein Cookie auf dem
+System des Nutzers gespeichert werden.
+Dieser Cookie kann eine charakteristische Zeichenfolge enthalten,
+die eine eindeutige Identifizierung des Browsers beim
+erneuten Aufrufen der Website ermöglicht.
+
+
Wir setzen Cookies ein, um unsere Website nutzerfreundlicher zu
+gestalten. Einige Elemente unserer Internetseite erfordern es,
+dass der aufrufende Browser auch nach einem Seitenwechsel
+identifiziert werden kann.
+
+
In den Cookies werden dabei folgende Daten gespeichert und übermittelt:
+
+
Zustand der Benachrichtigung zur Verwendung von Cookies (Cookie Consent).
+Cookie-Name: RwlConsent, Gültigkeitsdauer: ≤ 1 Jahr.
+
Daten von Drittanbietern (siehe unten).
+
+
+
Der Zweck der Verwendung technisch notwendiger Cookies ist,
+die Nutzung von Websites für die Nutzer zu vereinfachen.
+Einige Funktionen unserer Internetseite können ohne den Einsatz
+von Cookies nicht angeboten werden. Für diese ist es erforderlich,
+dass der Browser auch nach einem Seitenwechsel wiedererkannt wird.
+
+
Für folgende Anwendungen benötigen wir Cookies:
+
+
Merken des Zustands der Benachrichtigung zur Verwendung von Cookies (Cookie Consent).
+
Drittanbieter-Anwendungen (siehe unten).
+
+
+
Die durch technisch notwendige Cookies erhobenen Nutzerdaten werden
+nicht zur Erstellung von Nutzerprofilen verwendet.
+
+
Die Rechtsgrundlage für die Verarbeitung personenbezogener Daten
+unter Verwendung von Cookies ist Art. 6 Abs. 1 lit. f DSGVO.
+Unsere berechtigten Interessen liegen in den oben genannten Zwecken.
+
+
Cookies werden auf dem Rechner des Nutzers gespeichert und von diesem
+übermittelt. Daher haben Sie als Nutzer auch die volle
+Kontrolle über die Verwendung von Cookies. Durch eine Änderung der
+Einstellungen in Ihrem Browser können Sie die Übertragung von
+Cookies deaktivieren oder einschränken. Bereits gespeicherte Cookies
+können jederzeit gelöscht werden. Dies kann auch automatisiert erfolgen.
+Bitte konsultieren Sie die Dokumentation Ihres Browsers.
+Links zu den Cookie-Management-Dokumentationen einiger gängiger Browser:
Werden Cookies für unsere Website deaktiviert, können möglicherweise
+nicht mehr alle Funktionen der Website vollumfänglich genutzt werden.
+
+
+
+
Werbung
+
+
Wir greifen auf Drittanbieter (Google) zurück, um Anzeigen zu schalten,
+wenn Sie unsere Website besuchen. Diese Unternehmen nutzen möglicherweise
+Informationen (dies schließt nicht Ihren Namen, Ihre Adresse,
+E-Mail-Adresse oder Telefonnummer ein) zu Ihren Besuchen dieser und anderer
+Websites, damit Anzeigen zu Produkten und Diensten geschaltet werden
+können, die Sie interessieren.
+Weitere Informationen über die Methoden und darüber, welche Möglichkeiten
+Sie haben, damit diese Informationen nicht von den Drittanbietern
+verwendet werden können, finden Sie hier:
Im Europäischen Wirtschaftsraum und in Kalifornien
+wird auf unserer Website nur nicht-personalisierte Werbung angezeigt.
+
+
Beim Aufruf einer Seite unserer Website kontaktiert Ihr Browser
+die Server des Drittanbieters; hierbei erfährt der Drittanbieter unter anderem
+Ihre IP-Adresse, den Browsertyp und die Adresse (URL) der aufgerufenen Seite.
+
+
Die Rechtsgrundlage ist Art. 6 Abs. 1 lit. f DSGVO;
+unsere Website wird durch die Werbung finanziert.
+
+
+
+
Kontaktformular und E-Mail-Kontakt
+
+
Auf unserer Internetseite ist ein Kontaktformular vorhanden,
+welches für die elektronische Kontaktaufnahme genutzt werden kann.
+Nimmt ein Nutzer diese Möglichkeit wahr, so werden die in der
+Eingabemaske eingegebenen Daten an uns übermittelt und gespeichert.
+Zum Zeitpunkt der Absendung der Nachricht werden zudem das aktuelle
+Datum und die aktuelle Uhrzeit gespeichert.
+
+
Alternativ ist eine Kontaktaufnahme über die bereitgestellte
+E-Mail-Adresse möglich. In diesem Fall werden die mit der E-Mail
+übermittelten personenbezogenen Daten des Nutzers gespeichert.
+
+
Es erfolgt in diesem Zusammenhang keine Weitergabe der Daten an Dritte.
+
+
Die Daten dienen allein zur Bearbeitung der Kontaktaufnahme bzw.
+Konversation.
+
+
Die Rechtsgrundlage für die Verarbeitung der Daten ist
+Art. 6 Abs. 1 lit. f DSGVO.
+Unsere berechtigten Interessen liegen in den oben genannten Zwecken.
+Zielt der Kontakt auf den Abschluss eines Vertrages ab, so ist
+Art. 6 Abs. 1 lit. b DSGVO eine zusätzliche Rechtsgrundlage.
+
+
Falls eine gesetzliche Archivierungspflicht gilt, werden die Daten
+für die vorgeschriebene Dauer gespeichert.
+Anderenfalls werden die Daten gelöscht, sobald sie für die Erreichung der Zwecke
+ihrer Erhebung nicht mehr erforderlich sind. Für die personenbezogenen Daten,
+die per Kontaktformular oder E-Mail übersandt wurden, ist dies dann der Fall,
+wenn die jeweilige Konversation mit dem Nutzer beendet ist.
+Beendet ist die Konversation dann, wenn sich aus den Umständen entnehmen
+lässt, dass der betroffene Sachverhalt abschließend geklärt ist.
+
+
Sie haben jederzeit die Möglichkeit, der Speicherung Ihrer
+personenbezogenen Daten zu widersprechen.
+Senden Sie dazu eine entsprechende E-Mail an den Verantwortlichen.
+In diesem Fall werden alle Daten, die im Zuge der Kontaktaufnahme bzw.
+Konversation gespeichert wurden, unverzüglich gelöscht, und
+die Konversation kann nicht fortgeführt werden.
+
+
+
+
Rechte der betroffenen Person
+
+
Werden personenbezogene Daten von Ihnen verarbeitet, sind Sie Betroffener
+im Sinne der DSGVO und es stehen Ihnen die folgenden Rechte zu.
+
+
Auskunftsrecht
+
+
Sie können von dem Verantwortlichen eine Bestätigung darüber verlangen,
+ob personenbezogene Daten, die Sie betreffen, von uns verarbeitet werden.
+
+
Liegt eine solche Verarbeitung vor, können Sie von dem Verantwortlichen
+über folgende Informationen Auskunft verlangen:
+
+
die Verarbeitungszwecke;
+
die Kategorien von personenbezogenen Daten, welche verarbeitet werden;
+
die Empfänger bzw. die Kategorien von Empfängern, gegenüber denen die Sie
+betreffenden personenbezogenen Daten offengelegt wurden oder noch offengelegt werden;
+
die geplante Dauer der Speicherung der Sie betreffenden personenbezogenen Daten
+oder, falls konkrete Angaben hierzu nicht möglich sind, Kriterien für die
+Festlegung der Speicherdauer;
+
das Bestehen eines Rechts auf Berichtigung oder Löschung der Sie
+betreffenden personenbezogenen Daten, eines Rechts auf Einschränkung der
+Verarbeitung durch den Verantwortlichen oder eines Widerspruchsrechts
+gegen diese Verarbeitung;
+
das Bestehen eines Beschwerderechts bei einer Aufsichtsbehörde;
+
alle verfügbaren Informationen über die Herkunft der Daten, wenn die
+personenbezogenen Daten nicht bei der betroffenen Person erhoben werden;
+
das Bestehen einer automatisierten Entscheidungsfindung einschließlich
+Profiling gemäß Art. 22 Abs. 1 und 4 DSGVO und – zumindest in diesen Fällen –
+aussagekräftige Informationen über die involvierte Logik sowie die Tragweite
+und die angestrebten Auswirkungen einer derartigen Verarbeitung für die
+betroffene Person.
+
+
+
Ihnen steht das Recht zu, Auskunft darüber zu verlangen, ob die Sie
+betreffenden personenbezogenen Daten in ein Drittland oder an eine
+internationale Organisation übermittelt werden. In diesem Zusammenhang können
+Sie verlangen, gemäß Art. 46 DSGVO über die geeigneten Garantien im Zusammenhang
+mit der Übermittlung unterrichtet zu werden.
+
+
Recht auf Berichtigung
+
+
Sie haben das Recht auf Berichtigung und/oder Vervollständigung,
+sofern die verarbeiteten personenbezogenen Daten, die Sie betreffen,
+unrichtig oder unvollständig sind.
+Der Verantwortliche hat die Berichtigung unverzüglich vorzunehmen.
+
+
Recht auf Einschränkung der Verarbeitung
+
+
Unter den folgenden Voraussetzungen können Sie die Einschränkung der
+Verarbeitung der Sie betreffenden personenbezogenen Daten verlangen:
+
+
+
wenn Sie die Richtigkeit der Sie betreffenden personenbezogenen Daten für
+eine Dauer bestreiten, die es dem Verantwortlichen ermöglicht, die Richtigkeit
+der personenbezogenen Daten zu überprüfen;
+
die Verarbeitung unrechtmäßig ist und Sie die Löschung der
+personenbezogenen Daten ablehnen und stattdessen die Einschränkung der
+Nutzung der personenbezogenen Daten verlangen;
+
der Verantwortliche die personenbezogenen Daten für die Zwecke der
+Verarbeitung nicht länger benötigt, Sie diese jedoch zur Geltendmachung,
+Ausübung oder Verteidigung von Rechtsansprüchen benötigen;
+
wenn Sie Widerspruch gegen die Verarbeitung gemäß Art. 21 Abs. 1 DSGVO
+eingelegt haben und noch nicht feststeht, ob die berechtigten Gründe des
+Verantwortlichen gegenüber Ihren Gründen überwiegen.
+
+
+
Wurde die Verarbeitung der Sie betreffenden personenbezogenen Daten
+eingeschränkt, dürfen diese Daten – von ihrer Speicherung abgesehen – nur
+mit Ihrer Einwilligung oder zur Geltendmachung, Ausübung oder Verteidigung
+von Rechtsansprüchen oder zum Schutz der Rechte einer anderen natürlichen
+oder juristischen Person oder aus Gründen eines wichtigen öffentlichen
+Interesses der Union oder eines Mitgliedstaats verarbeitet werden.
+
+
Wurde die Verarbeitung nach den o.g. Voraussetzungen eingeschränkt,
+werden Sie von dem Verantwortlichen unterrichtet bevor die
+Einschränkung aufgehoben wird.
+
+
Recht auf Löschung
+
+
Löschungspflicht.
+Sie können von dem Verantwortlichen verlangen, dass die Sie betreffenden
+personenbezogenen Daten unverzüglich gelöscht werden.
+Der Verantwortliche ist verpflichtet, diese Daten unverzüglich zu löschen,
+sofern einer der folgenden Gründe zutrifft:
+
+
Die Sie betreffenden personenbezogenen Daten sind für die Zwecke, für
+die sie erhoben oder auf sonstige Weise verarbeitet wurden, nicht mehr notwendig.
+
Sie widerrufen Ihre Einwilligung, auf die sich die Verarbeitung (gemäß
+Art. 6 Abs. 1 lit. a oder Art. 9 Abs. 2 lit. a DSGVO) stützte, und es fehlt
+an einer anderweitigen Rechtsgrundlage für die Verarbeitung.
+
Sie legen gemäß Art. 21 Abs. 1 DSGVO Widerspruch gegen die Verarbeitung
+ein und es liegen keine vorrangigen berechtigten Gründe für die Verarbeitung vor,
+oder Sie legen gemäß Art. 21 Abs. 2 DSGVO Widerspruch gegen die Verarbeitung ein.
+
Die Sie betreffenden personenbezogenen Daten wurden unrechtmäßig verarbeitet.
+
Die Löschung der Sie betreffenden personenbezogenen Daten ist zur Erfüllung
+einer rechtlichen Verpflichtung nach dem Unionsrecht oder dem Recht der
+Mitgliedstaaten erforderlich, dem der Verantwortliche unterliegt.
+
Die Sie betreffenden personenbezogenen Daten wurden in Bezug auf angebotene
+Dienste der Informationsgesellschaft gemäß Art. 8 Abs. 1 DSGVO erhoben.
+
+
+
Information an Dritte.
+Hat der Verantwortliche die Sie betreffenden personenbezogenen Daten
+öffentlich gemacht und ist er gemäß Art. 17 Abs. 1 DSGVO zu deren Löschung
+verpflichtet, so trifft er unter Berücksichtigung der verfügbaren Technologie
+und der Implementierungskosten angemessene Maßnahmen, auch technischer Art,
+um für die Datenverarbeitung Verantwortliche, die die personenbezogenen Daten
+verarbeiten, darüber zu informieren, dass Sie als betroffene Person von ihnen
+die Löschung aller Links zu diesen personenbezogenen Daten oder von Kopien
+oder Replikationen dieser personenbezogenen Daten verlangt haben.
+
+
Ausnahmen.
+Das Recht auf Löschung besteht nicht, soweit die Verarbeitung erforderlich ist
+
+
zur Ausübung des Rechts auf freie Meinungsäußerung und Information;
+
zur Erfüllung einer rechtlichen Verpflichtung, die die Verarbeitung
+nach dem Recht der Union oder der Mitgliedstaaten, dem der Verantwortliche
+unterliegt, erfordert, oder zur Wahrnehmung einer Aufgabe, die im öffentlichen
+Interesse liegt oder in Ausübung öffentlicher Gewalt erfolgt, die dem
+Verantwortlichen übertragen wurde;
+
aus Gründen des öffentlichen Interesses im Bereich der öffentlichen
+Gesundheit gemäß Art. 9 Abs. 2 lit. h und i sowie Art. 9 Abs. 3 DSGVO;
+
für im öffentlichen Interesse liegende Archivzwecke, wissenschaftliche
+oder historische Forschungszwecke oder für statistische Zwecke gemäß
+Art. 89 Abs. 1 DSGVO, soweit das unter Art. 17 Abs. 1 DSGVO genannte Recht
+voraussichtlich die Verwirklichung der Ziele dieser Verarbeitung unmöglich
+macht oder ernsthaft beeinträchtigt;
+
zur Geltendmachung, Ausübung oder Verteidigung von Rechtsansprüchen.
+
+
+
Recht auf Unterrichtung
+
+
Haben Sie das Recht auf Berichtigung, Löschung oder Einschränkung der
+Verarbeitung gegenüber dem Verantwortlichen geltend gemacht, ist dieser
+verpflichtet, allen Empfängern, denen die Sie betreffenden personenbezogenen
+Daten offengelegt wurden, diese Berichtigung oder Löschung der Daten oder
+Einschränkung der Verarbeitung mitzuteilen, es sei denn, dies erweist sich
+als unmöglich oder ist mit einem unverhältnismäßigen Aufwand verbunden.
+
+
Ihnen steht gegenüber dem Verantwortlichen das Recht zu, über diese
+Empfänger unterrichtet zu werden.
+
+
Recht auf Datenübertragbarkeit
+
+
Sie haben das Recht, die Sie betreffenden personenbezogenen Daten,
+die Sie dem Verantwortlichen bereitgestellt haben, in einem strukturierten,
+gängigen und maschinenlesbaren Format zu erhalten. Außerdem haben Sie das
+Recht diese Daten einem anderen Verantwortlichen ohne Behinderung durch den
+Verantwortlichen, dem die personenbezogenen Daten bereitgestellt wurden,
+zu übermitteln, sofern
+
+
die Verarbeitung auf einer Einwilligung gemäß Art. 6 Abs. 1 lit. a DSGVO
+oder Art. 9 Abs. 2 lit. a DSGVO oder auf einem Vertrag gemäß
+Art. 6 Abs. 1 lit. b DSGVO beruht und
+
die Verarbeitung mithilfe automatisierter Verfahren erfolgt.
+
+
+
In Ausübung dieses Rechts haben Sie ferner das Recht, zu erwirken,
+dass die Sie betreffenden personenbezogenen Daten direkt von einem
+Verantwortlichen einem anderen Verantwortlichen übermittelt werden,
+soweit dies technisch machbar ist. Freiheiten und Rechte anderer Personen
+dürfen hierdurch nicht beeinträchtigt werden.
+
+
Das Recht auf Datenübertragbarkeit gilt nicht für eine Verarbeitung
+personenbezogener Daten, die für die Wahrnehmung einer Aufgabe erforderlich
+ist, die im öffentlichen Interesse liegt oder in Ausübung öffentlicher
+Gewalt erfolgt, die dem Verantwortlichen übertragen wurde.
+
+
Widerspruchsrecht
+
+
Sie haben das Recht, aus Gründen, die sich aus Ihrer besonderen
+Situation ergeben, jederzeit gegen die Verarbeitung der Sie betreffenden
+personenbezogenen Daten, die aufgrund von Art. 6 Abs. 1 lit. e oder f DSGVO
+erfolgt, Widerspruch einzulegen; dies gilt auch für ein auf diese
+Bestimmungen gestütztes Profiling.
+
+
Der Verantwortliche verarbeitet die Sie betreffenden personenbezogenen Daten
+nicht mehr, es sei denn, er kann zwingende schutzwürdige Gründe für die
+Verarbeitung nachweisen, die Ihre Interessen, Rechte und Freiheiten
+überwiegen, oder die Verarbeitung dient der Geltendmachung, Ausübung oder
+Verteidigung von Rechtsansprüchen.
+
+
Werden die Sie betreffenden personenbezogenen Daten verarbeitet,
+um Direktwerbung zu betreiben, haben Sie das Recht, jederzeit Widerspruch
+gegen die Verarbeitung der Sie betreffenden personenbezogenen Daten zum
+Zwecke derartiger Werbung einzulegen; dies gilt auch für das Profiling,
+soweit es mit solcher Direktwerbung in Verbindung steht.
+
+
Widersprechen Sie der Verarbeitung für Zwecke der Direktwerbung,
+so werden die Sie betreffenden personenbezogenen Daten nicht mehr für diese
+Zwecke verarbeitet.
+
+
Sie haben die Möglichkeit, im Zusammenhang mit der Nutzung von
+Diensten der Informationsgesellschaft – ungeachtet der Richtlinie
+2002/58/EG – Ihr Widerspruchsrecht mittels automatisierter Verfahren
+auszuüben, bei denen technische Spezifikationen verwendet werden.
+
+
Recht auf Widerruf der datenschutzrechtlichen Einwilligungserklärung
+
+
Sie haben das Recht, Ihre datenschutzrechtliche Einwilligungserklärung
+jederzeit zu widerrufen. Durch den Widerruf der Einwilligung wird die
+Rechtmäßigkeit der aufgrund der Einwilligung bis zum Widerruf erfolgten
+Verarbeitung nicht berührt.
+
+
Automatisierte Entscheidung im Einzelfall einschließlich Profiling
+
+
Sie haben das Recht, nicht einer ausschließlich auf einer
+automatisierten Verarbeitung – einschließlich Profiling – beruhenden
+Entscheidung unterworfen zu werden, die Ihnen gegenüber rechtliche Wirkung
+entfaltet oder Sie in ähnlicher Weise erheblich beeinträchtigt.
+Dies gilt nicht, wenn die Entscheidung
+
+
für den Abschluss oder die Erfüllung eines Vertrags zwischen Ihnen
+und dem Verantwortlichen erforderlich ist;
+
aufgrund von Rechtsvorschriften der Union oder der Mitgliedstaaten,
+denen der Verantwortliche unterliegt, zulässig ist und diese Rechtsvorschriften
+angemessene Maßnahmen zur Wahrung Ihrer Rechte und Freiheiten sowie Ihrer
+berechtigten Interessen enthalten; oder
+
mit Ihrer ausdrücklichen Einwilligung erfolgt.
+
+
+
Allerdings dürfen diese Entscheidungen nicht auf besonderen Kategorien
+personenbezogener Daten nach Art. 9 Abs. 1 DSGVO beruhen,
+sofern nicht Art. 9 Abs. 2 lit. a oder g DSGVO gilt und angemessene Maßnahmen
+zum Schutz der Rechte und Freiheiten sowie Ihrer berechtigten Interessen getroffen wurden.
+
+
Hinsichtlich der in 1. und 3. genannten Fälle trifft der
+Verantwortliche angemessene Maßnahmen, um die Rechte und Freiheiten sowie
+Ihre berechtigten Interessen zu wahren, wozu mindestens das Recht auf
+Erwirkung des Eingreifens einer Person seitens des Verantwortlichen,
+auf Darlegung des eigenen Standpunkts und auf Anfechtung der Entscheidung gehört.
+
+
Recht auf Beschwerde bei einer Aufsichtsbehörde
+
+
Unbeschadet eines anderweitigen verwaltungsrechtlichen oder gerichtlichen
+Rechtsbehelfs steht Ihnen das Recht auf Beschwerde bei einer Aufsichtsbehörde,
+insbesondere in dem Mitgliedstaat ihres Aufenthaltsorts, ihres Arbeitsplatzes
+oder des Orts des mutmaßlichen Verstoßes, zu, wenn Sie der Ansicht sind,
+dass die Verarbeitung der Sie betreffenden personenbezogenen Daten gegen
+die DSGVO verstößt.
+
+
Die Aufsichtsbehörde, bei der die Beschwerde eingereicht wurde, unterrichtet
+den Beschwerdeführer über den Stand und die Ergebnisse der Beschwerde
+einschließlich der Möglichkeit eines gerichtlichen Rechtsbehelfs nach Art. 78 DSGVO.
Siehe auch die Danksagungen-Seite
+(enthält Lizenzen von Dritten).
+
+
+
+
+
+
Rechtswirksamkeit dieser Bestimmungen
+
+
Diese rechtlichen Bestimmungen sind als Teil des Internetangebotes
+zu betrachten, von dem aus auf diese Seite verwiesen wurde.
+Sofern Teile oder einzelne Formulierungen dieses Textes der
+geltenden Rechtslage nicht, nicht mehr oder nicht vollständig
+entsprechen sollten, bleiben die übrigen Teile des Dokumentes
+in ihrem Inhalt und ihrer Gültigkeit davon unberührt.
Depending on which field you double-click in the entry list of the main window,
+different actions are performed:
+
+
+
Title field: open the entry editing dialog for this entry.
+If you hold down the Shift key while double-clicking,
+the title is copied to the clipboard instead.
+
User name field: copy user name to the clipboard.
+
Password field: copy password to the clipboard.
+
URL field: open URL.
+If you hold down the Shift key while double-clicking,
+the URL is copied to the clipboard instead.
+This behavior can be reversed by turning on the option
+'Copy URLs to clipboard instead of opening them'.
+
Notes field: copy notes to the clipboard.
+
Attachment field: [1.x] copy to clipboard, [2.x] open in
+internal editor / viewer.
+
Other fields (like time
+and UUID fields): copy the contents of that field to the clipboard.
+
+
+
+
+
+
+Drag&Drop
+
+
You can drag&drop all fields of KeePass entries into other windows:
+
+
+
+
+
+
+
+
+
+Auto-Type
+
+
Auto-Type is a powerful feature that sends simulated keypresses to
+other applications.
+Introduction: What is Two-Channel Auto-Type Obfuscation?
+
+
The Auto-Type feature of KeePass
+is very powerful: it sends simulated keypresses to other applications.
+This works with all Windows applications and
+for the target applications it's not possible to distinguish between
+real keypresses and the ones simulated by Auto-Type.
+
+This at the same time is the main disadvantage of Auto-Type, because
+keyloggers can eavesdrop the simulated keys.
+
+That's where Two-Channel Auto-Type Obfuscation (TCATO) comes into play.
+
+
TCATO makes standard keyloggers useless. It uses the
+Windows clipboard to transfer parts of the auto-typed text into the
+target application. Keyloggers can see the Ctrl+V
+presses, but do not log the actual contents pasted from the clipboard.
+
+
Clipboard spies don't work either, because only parts of the sensitive
+information is transferred on this way.
+
+
Anyway, it's not perfectly secure (and unfortunately cannot be made
+by theory). None of the currently available keyloggers or clipboard spies
+can eavesdrop an obfuscated auto-type process, but it is theoretically possible
+to write a dedicated spy application that specializes on logging obfuscated
+auto-type.
+
+
+
+
+
+When can Two-Channel Auto-Type Obfuscation be used?
+
+
TCATO cannot be used with all windows. The target window(s) must
+support clipboard operations and navigation within edit controls using arrow keys.
+Additionally, the target user interface must not contain automation features like
+jumping focus when maximum length of a text box is reached (as seen in registration
+number dialogs for example).
Because it doesn't work with all windows, it's an opt-in feature for each
+entry. You have to enable it explicitly on the 'Auto-Type' tab page in the
+'Edit Entry' dialog.
+
+
+
+
+
+How to enable / configure Two-Channel Auto-Type Obfuscation?
+
+
All you need to do is to tick the checkbox "Two-channel auto-type obfuscation"
+of an entry ('Auto-Type' tab page of the entry editing window); KeePass will do the rest.
+
+
+
+
+
+Technical Overview
+
+
Instead of simply sending simulated keypresses to the target application (as normal
+auto-type does), obfuscated auto-type does the following:
+
+
+
+
Back up the current clipboard contents.
+
Intelligently split the text into parts.
+
For each part: check if the clipboard can be used.
+
+
+
If yes: Split it into two subparts (character-wise, like two
+flat intertwining combs). Copy/paste the first part, merge the rest by sending keypresses.
+
If no: Send it normally using simulated keypresses.
+
+
+
+
Restore previous clipboard contents.
+
+
+
+
These steps are described in detail below.
+
+
+
+
+
+
+
+Intelligently Splitting the Text
+
+
The text to be sent must first be split intelligently. Not all parts of the
+string can be sent using the clipboard: special key codes and key modifiers must be passed
+unchanged to the SendInput function. For an example, have a look at the following
+string:
This is an example of a typical string sent by KeePass to another application. First
+it types the user's email address, then a Tab,
+then the password, a Tab, toggles a checkbox,
+another Tab and finally presses the Enter key.
+This sequence can be split into the following parts:
For each line, it is checked if the clipboard can be used. If the line contains a '{', '}', '(', ')',
+'+', '^', '%' or whitespace (space), it can only be sent by the SendInput function
+directly. For example, '+' presses the Shift key,
+it should not be copy/pasted as '+' character.
+Spaces cannot be copy/pasted either, because they are usually used to toggle checkboxes.
+
+
In the example above, "mymail@myprovider.com" and "MyTopSecretPassword" can
+be sent using the clipboard.
+
+
+
+
+
+Splitting the Secrets
+
+
Let's transfer "mymail@myprovider.com" to the target application using
+TCATO.
+
+
First, the secret string "mymail@myprovider.com" is randomly split character-wise
+into two parts like two flat intertwining combs:
+
+
y il m o d .c
+m ma @ ypr vi er om
+
+
The first string "yilmod.c" is now copied to the clipboard. The string to be
+sent by the SendInput function is now assembled as follows:
+
+
+
Begin with pasting from the clipboard: ^v.
+
Press the ← key n times,
+with n = length of the clipboard string.
+
Send the remaining characters and press the →
+key to skip the ones that were already pasted from the clipboard.
+
+
+
In our example above, the key sequence would be assembled to:
This will first paste the clipboard contents, go to its start and fill in the remaining characters,
+building up the original string "mymail@myprovider.com".
+
+
The time in which the first string part remains in the clipboard is minimal.
+It is copied to the clipboard, pasted into the target application and immediately
+cleared. This process usually takes only a few milliseconds at maximum.
+
+
More about secret string splitting:
+In the above example, the string "mymail@myprovider.com" was
+split and sent. If the string would be split differently each time,
+a malicious application could reassemble the string by
+capturing multiple auto-types and combining them. In order to prevent this,
+KeePass initializes the random number generator for splitting based on a
+hash of the string. This means that each string is split differently,
+but the partitions of a string are uniquely determined. So, by invoking
+auto-type multiple times, an attacker cannot reassemble the original string,
+because he always captures the same half part.
On this tab page you can specify general things like the name of the database and
+a description. Additionally, you can set various defaults like a default user
+name for new entries (created in this database).
+
+
+
+
+
+Security Options
+
+
On this tab page you can specify various settings related to encryption.
+Only change these settings if you really know what you are doing.
+
+
Encryption Algorithm:
+You can choose the algorithm that is used to encrypt the database.
+All encryption algorithms offered by KeePass are well-known, secure algorithms,
+see Database Encryption.
KeePass has a button on this tab page to compute the number of key transformations
+that your computer can do in 1 second. If you for instance only want to wait 0.5 seconds,
+half the number resulted from the benchmark.
+
+
+
+
+
+
+
+Compression Options
+
+
KeePass databases can be compressed before being encrypted. Compression
+reduces the size of the database, but also slows down the database
+saving/loading process a bit.
+
+
It is recommended to use the GZip compression option. This algorithm
+is very fast (you won't notice any difference to saving the database without
+compression) and its compression rate is acceptable.
+
+
It is not recommended to save databases without compression.
+
+
On modern PCs, saving files with compression can actually be faster than
+saving without compression, because the compression process is performed by
+the CPU (which is very fast) and fewer data has to be transferred from/to
+the storage device. Especially when the device is slow (like saving to USB
+stick), compression can reduce the saving/loading time significantly.
+
+
+
+
+
+Templates
+
+
Templates are a great way to predefine often used user names or
+additional fields, or combinations of each.
+
+
+
A template is a normal KeePass entry with all required data already
+entered.
+
Templates must be kept in a single group.
+
Do not put real data entries in the template group.
+
+
+
First create a normal group in the main window and then set it as the
+templates group in 'File' →
+'Database Settings' → tab 'Advanced'.
+
+
In order to create a new entry based on a template,
+click the drop-down arrow of the 'Add Entry' toolbar button
+and choose the template to be used.
On the tab page 'General', you can specify the main information
+of an account.
+
+
Title.
+In the title field, the name of the system/service should be entered.
+
+
For certain systems/services, it can make sense to ensure that the
+entry title occurs within the target window title, because this allows
+auto-type to associate the entry
+with the target window.
+For details, see global auto-type.
+However, if the target window title does not contain the system/service name
+(e.g. 'Login - Browser Name'), it is recommended to create a
+custom window/sequence association instead.
+
+
User name.
+In the user name field, you should specify the data that you are entering
+during a login in order to identify yourself. This typically is a user name,
+an e-mail address or a number.
+
+
There is no separate e-mail address field by default, because this
+would decrease the usability. For details, see the section
+'Can an e-mail address field be added?'
+in the FAQ.
+
+
When typing into the user name field, KeePass may display a list of
+suggestions for the user name.
+This list is generated dynamically: when opening the entry dialog,
+KeePass collects the user names of all entries stored in the currently
+active database.
+If you see an incorrect user name in the list, you need to search this
+user name in your entries (using the search function) and fix it there.
+
+
In the database settings (menu 'File' →
+'Database Settings'), you can define a default user name for new entries.
+
+
Password.
+By default, KeePass generates a password for a new entry (this can be
+customized/disabled).
+You can use this password or replace it.
+
+
There is a button (right of the password repetition field) that opens
+the password generator.
+
+
Furthermore, there is a button for disabling/enabling the
+password quality estimation for the current entry.
+Disabling the password quality estimation for an entry also
+excludes the entry from password quality reports (menu 'Find' →
+'Password Quality').
Expires.
+In the entry list of the main window, an expired entry is displayed
+with a red X icon and a
+strikeout font.
+Expired entries are not deleted/moved automatically.
+
+
You can search for expired entries using the menu 'Find' →
+'Expired'.
+Expired entries can also be displayed automatically when opening
+the database (menu 'Tools' → 'Options' → tab 'Advanced' →
+option 'Show expired entries (if any)').
+
+
+
+
+
+Advanced
+
+
+
Custom string fields.
+Each entry may have an arbitrary number of custom string fields.
+Such a field consists of a name and a value.
+The name must be unique (within the entry).
+
+
In the main window, the value of a custom string field can be
+copied into the clipboard by right-clicking on the entry, pointing
+on 'Other Data' and clicking on the name of the custom string field
+(this is also possible via the menu 'Entry').
+
+
The value of a custom string field can also be used in an
+auto-type sequence;
+see the placeholders help page.
+For example, the value of a custom string field named 'BIC'
+(acronym for Business Identifier Code) can be inserted using the
+'{S:BIC}' placeholder.
+
+
In database files, custom string fields are stored in encrypted form
+(see 'Database Encryption').
+The option 'Protect value in process memory' (in the custom string field dialog)
+allows to activate/deactivate the
+process memory protection
+for the value of the custom string field.
+Activating this protection induces certain limitations (e.g. the value must
+be hidden using asterisks for the protection to be effective) and increases
+the time required by various operations. Therefore, it should be activated
+only for really sensitive data (e.g. a second password).
+
+
+
File attachments.
+You can attach arbitrary files to an entry.
+
+
Attached files are stored within the database file in encrypted form
+(see 'Database Encryption').
+When importing a file as attachment, KeePass does not delete the
+source file; you need to delete it yourself, if desired.
+
+
This feature is intended to store few/small files (e.g. registration files,
+public/private key pair files, etc.).
+Encrypting many/large files is considered to be out of the scope of a
+password manager and it is recommended to use a specialized file encryption
+software (e.g. VeraCrypt) for this task instead (KeePass can be used
+to store the password for the encrypted file container).
+
+
+
+
+
+Properties
+
+
+
Tags.
+You can assign arbitrary tags to an entry.
+Multiple tags have to be separated by commas (or semicolons).
+When clicking the button right of the tags input field, a menu is
+displayed that allows to add tags found in other entries.
+
+
Tags can also be added/removed in the main window: right-click onto
+one or more entries → 'Edit Entry (Quick)' → 'Add Tag' or
+'Remove Tag'.
+
+
A common use case is to mark frequently used entries (tag 'Favorite').
+
+
In order to show all entries that have a specific tag, click the
+three-keys button
+[]
+in the toolbar of the main window (to the right of
+the 'Find' toolbar button) and choose the tag.
+Alternatively, this command is also accessible via the main menu:
+'Find' → 'Tag' → choose the tag.
+
+
If you want to see all entries with a specific tag (e.g. 'Favorite')
+when opening a database, you can create a trigger
+for this: click 'Tools' → 'Triggers', add a new trigger,
+enter a name (e.g. 'Show favorites when opening a database'),
+add an event 'Opened database file', and add an action
+'Show entries by tag' with the parameter 'Tag' set to the tag name
+(e.g. 'Favorite').
UUID.
+A UUID is a 128-bit number that uniquely identifies an object
+(an entry in this case).
+
+
In some places (e.g. in field references),
+a UUID needs to be specified in hexadecimal form.
+In some other places (e.g. in KDBX XML files), a UUID is stored in
+Base64 form.
+
+
The entry dialog shows both forms (hexadecimal and Base64), such that
+you can directly copy the form that you currently need.
+
+
+
+
+
+Auto-Type
+
+
On this tab page, you can configure the auto-type behavior for
+the current entry.
+See the auto-type help page.
+
+
+
+
+
+History
+
+
Each entry has an own history. When modifying an entry, KeePass
+automatically creates a history entry, which contains the previous data.
+The history entries are listed on the 'History' tab page of the entry dialog.
+
+
By default, the number of history entries per entry and the
+history size per entry are limited to reasonable values.
+You can change these limitations in the database settings dialog
+(menu 'File' → 'Database Settings').
+
+
If you want to delete certain history entries manually,
+there are two possibilities:
+
+
On the 'History' tab page of the entry dialog, you can delete
+specific history entries.
+
In 'Tools' → 'Database Tools' → 'Database Maintenance',
+you can delete all history entries that are older than a specific
+number of days.
+
+
+
+
+
+
+Tools
+
+
When clicking the 'Tools' button (bottom left in the entry dialog),
+a menu is displayed that provides some useful commands.
+
+
Copy initial password.
+Copies (to the clipboard) the password that was current when the dialog
+was opened.
+This command can be useful for instance when you try to change the password
+and the website/service requests the previous password as confirmation
+after specifying the new password.
+
+
URL field commands.
+These commands edit the URL field.
+
+
Insert field reference.
+When clicking one of the commands in this submenu, a dialog is displayed
+that allows to conveniently create a
+field reference in the chosen field.
+
+
OTP generator settings.
+Displays a dialog for conveniently editing the
+one-time password
+generator settings of the entry.
+
+
+
+
+
+Editing Multiple Entries At Once
+
+
The entry dialog supports editing multiple entries at once.
+For this, select multiple entries in the entry list of the main window
+and invoke the 'Edit Entries' command.
+
+
+
If the entries contain different values for a field (e.g. if the
+entries have different user names), the text box in the entry dialog
+shows "(Multiple values)".
+If you do not change this, the values for this field will not be modified.
+If you change it, the new value will be assigned to all entries.
+
+
In case of a boolean option, the check box may support three states:
+
+
Unchecked. The option is/will be turned off for all entries.
+
Checked. The option is/will be turned on for all entries.
+
Indeterminate. For some entries, the option is turned off, whereas
+for the other entries, it is turned on. The states will not be modified.
+
+
+
+
Controls for data that cannot be modified in multiple entries at once
+(e.g. file attachments) are disabled. Such data will not be modified.
KeePass supports various different dialog banner styles. These styles are
+independent from the operating system and can freely be used on all systems.
In this dialog you can specify a URL, from/to which data is read/written.
+
+
By default, KeePass supports FTP, HTTP, HTTPS
+and WebDAV. More protocols may be available on your system
+(if specific providers are installed).
+
+
The IOProtocolExt plugin adds support for
+SCP, SFTP and FTPS.
+
+
Cloud storage:
+If you want to store your database file in a cloud storage:
+for most cloud storages, there is an integration with the local file system
+available (i.e. you can access your stored files using Windows Explorer).
+For example, Dropbox, Microsoft OneDrive and Google Drive provide such
+an integration.
+If such an integration is available, it is recommended that you access
+your database file this way; this often works better than accessing it
+via a protocol like FTP or WebDAV.
+If no such integration is available and your cloud storage also is not
+accessible via a standard protocol, a specialized KeePass
+plugin
+for this cloud storage might be available.
+
+
+
+
+
+Example: Using FTP Server
+
+
In order to load/save your database from/to an FTP server, you first need to
+upload the database file to the server manually. This only needs to be done once.
+
+
Then start KeePass and go 'File' → 'Open' → 'Open URL...'.
+Enter the full database path on the server and don't forget the ftp:// prefix!
+This prefix is required, otherwise KeePass doesn't know which protocol to use.
+Enter the FTP credentials and click [OK]. KeePass will download the file and open it.
+
+
KeePass can remember the FTP credentials, if you wish. You can choose between remembering
+everything (user name and password), partially (user name only) and not remembering
+the credentials at all.
+
+
When you press the 'Save' button, KeePass will automatically upload the new
+database file to the server (same location as before, i.e. overwriting the previous
+one).
The program is distributed under the
+terms of the GNU General Public License version 2 or later.
+
+
For acknowledgements and licenses of components/resources/etc., see the
+Acknowledgements page.
+
+
+
+
+
+
GNU GENERAL PUBLIC LICENSE
+
+Version 2, June 1991
+
+
+
+Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+
+Everyone is permitted to copy and distribute verbatim copies
+of this license document, but changing it is not allowed.
+
+
+
Preamble
+
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.) You can apply it to
+your programs, too.
+
+
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+
+
+
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+
+
+0.
+ This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+
+
+1.
+ You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+
+
+2.
+ You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+
+
+
+
+ a)
+ You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+
+
+ b)
+ You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+
+
+ c)
+ If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+
+
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+
+
+3.
+ You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+
+
+
+
+
+
+
+ a)
+ Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+
+
+ b)
+ Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+
+
+ c)
+ Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+
+
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+
+
+4.
+ You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+
+
+5.
+ You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+
+
+6.
+ Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+
+
+7.
+ If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+
+
+8.
+ If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+
+
+9.
+ The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+
+
+10.
+ If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+
+
NO WARRANTY
+
+
+11.
+ BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+
+
+12.
+ IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+
+
END OF TERMS AND CONDITIONS
+
+
How to Apply These Terms to Your New Programs
+
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+
+
+one line to give the program's name and an idea of what it does.
+Copyright (C) yyyyname of author
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+
+
+Gnomovision version 69, Copyright (C) yearname of author
+Gnomovision comes with ABSOLUTELY NO WARRANTY; for details
+type `show w'. This is free software, and you are welcome
+to redistribute it under certain conditions; type `show c'
+for details.
+
+
+
+The hypothetical commands `show w' and `show c' should show
+the appropriate parts of the General Public License. Of course, the
+commands you use may be called something other than `show w' and
+`show c'; they could even be mouse-clicks or menu items--whatever
+suits your program.
+
+
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+
+
+
+Yoyodyne, Inc., hereby disclaims all copyright
+interest in the program `Gnomovision'
+(which makes passes at compilers) written
+by James Hacker.
+
+signature of Ty Coon, 1 April 1989
+Ty Coon, President of Vice
+
+
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the
+GNU Lesser General Public License
+instead of this License.
+
Installation, uninstallation and security of KeePass 2.x plugins.
+
+
+
+
+
+Introduction
+
+
KeePass features a plugin framework. Plugins can provide additional
+functionality, like support of more file formats for import/export,
+network functionalities, backup features, etc.
If there are no explicit instructions how to install the plugin,
+follow these steps:
+
+
+
Download the plugin from the page above and unpack the ZIP file to a
+new folder.
+
In KeePass, click 'Tools' → 'Plugins' → button
+'Open Folder'; KeePass now opens a folder called 'Plugins'.
+Move the new folder (containing the plugin files) into the 'Plugins' folder.
+
Restart KeePass in order to load the new plugin.
+
+
+
+
+
To uninstall a plugin, delete the plugin files.
+
+
Linux:
+On some Linux systems, the mono-complete package may be
+required for plugins to work properly.
+
+
Portability:
+PLGX plugins are compiled by KeePass and the generated files are stored
+in a plugin cache, which by default is located in the
+user's application data directory (so, running a PLGX plugin by default
+creates files outside the KeePass application directory).
+These plugin cache files do not need to be copied to other systems though,
+because they are generated on each system and do not contain any user data.
+
+
+
+
+Security
+
+
What about the security of plugins? Can't malicious plugins
+'inject' themselves into KeePass?
+
+
If plugins can register themselves
+(i.e. have write access to the KeePass directory), they could also just
+replace the whole 'KeePass.exe' file. It's a problem of file access
+rights, not the plugin system.
+
+
If you worry about this,
+install KeePass as administrator into the program files directory
+(which is the default, typically in a folder in 'C:\Program Files').
+Afterwards, run KeePass and other applications only as normal user
+(without administrator privileges).
+
+
This solves the problem above. As the KeePass directory is write-protected
+for normal users, no other program can copy files into it. KeePass requires the plugins to
+be in the application directory. Therefore, plugins cannot inject themselves anymore.
+
+
If you use the portable package of KeePass or installed it into a different
+directory, you need to adjust the directory permissions yourself.
+
+
KeePass supports two plugin file formats: DLL and
+PLGX.
+A DLL plugin can be loaded directly, whereas KeePass needs to compile a PLGX
+plugin to a DLL plugin first, which is then stored in a
+plugin cache (see the section below).
+By default, the user has write access in the plugin cache directory
+(without administrator privileges).
+If you want to use a PLGX plugin, consider to adjust the access rights of the
+plugin cache directory to require administrator privileges for write access.
+
+
+
+
+
+Plugin Cache
+
+
PLGX plugins are compiled and stored in a plugin cache directory on the
+user's system. This cache highly improves the startup performance of KeePass.
+Old files are normally deleted from the cache
+automatically (this can be disabled in the plugins dialog).
+The cache does not contain any user data.
+
+
By default, the plugin cache is located in the user's application data
+directory. However, this can be overridden using the
+Application/PluginCachePath setting in the configuration file
+(this setting supports placeholders and environment variables).
+So, if you're for example using KeePass on a portable device and don't want
+the cache to be on the system, you could set the path to {APPDIR}\PluginCache.
+
+
+Do not relocate the plugin cache into the 'Plugins' folder of the
+KeePass application directory, because this can result in a severe
+performance degradation.
Application policy is a KeePass feature that enables administrators
+to prevent you from accidently compromising the security
+system of your company.
+
+
Operations like exporting entries to non-encrypted
+files or printing for example can be prevented effectively
+using the application policy.
+
+
If you are using KeePass at home, you can ignore the
+application policy (everything allowed anyway) or reduce
+your rights using the policy yourself, in order to avoid
+accidental leakage of sensitive information.
+
+
In order to prevent changing the policy after it has
+been specified, it is recommended to use an
+enforced
+configuration file.
+
+
+
+
+
+Help for Administrators
+
+
KeePass can be installed on a network drive and a policy
+can be enforced (like not permitting users to print the
+entry list).
+
+
The application policy enforcement is based on
+the mechanism how KeePass stores configuration settings. You
+first need to understand this method before you can continue
+creating a policy; see the
+configuration help page.
+
+
A policy-enforcing KeePass installation looks like
+the following: the KeePass application files are stored
+on the network drive and all users are starting KeePass from
+this drive (i.e. they only have links to the executable on
+the network drive). By using an enforced configuration file
+on the network drive
+(remember that this file overrides all others),
+a policy can be enforced.
+
+
In order to create such an installation, follow these steps:
+
+
+
Copy KeePass to a shared network drive that supports file
+access rights (like NTFS).
+
+
Create an enforced configuration file that enforces the
+application policy settings that you wish.
+
+
Adjust the file access rights: allow users only to read and
+execute all KeePass files, no write access.
+
+
+
+
+
+
+
+
+Policy Security
+
+
Recall what the policy mechanism looks like: KeePass and the
+configuration file are stored on the network drive. If you
+grant your users free access to the Internet or allow them
+to insert CD-ROMs/DVDs/USB-sticks, nothing prevents
+a user to download a separate copy of KeePass and run it. In
+this case the policy isn't enforced, as the downloaded KeePass
+doesn't know anything of the enforced configuration file on the network
+drive.
+
+
Policy enforcement therefore only is effective if your users
+really use the KeePass version installed on the network drive.
When downloading KeePass, you have the choice between 3 different packages:
+
+
+
KeePass-2.xx-Setup.exe: An installer program for Windows.
+
KeePass-2.xx.zip: A KeePass ZIP package (portable version).
+
KeePass-2.xx-Source.zip: The source code.
+
+
+
The installer and the portable version are described in detail below.
+
+
The source code package contains everything you need to compile KeePass.
+It includes the C#/C++ source code and header files, resource files,
+sources for building the installer, etc.
+
+
+
+
Updating KeePass:
+When a new KeePass version has been released, you can update your existing KeePass
+installation, without losing any configuration settings. The steps are
+depending on which package you are using (installer or portable), see below.
+
+
Translations should also be updated when you install a new KeePass version.
+You can find the latest translation files here:
+KeePass Translations.
+
+
+
+
+Installer program (KeePass-2.xx-Setup.exe file)
+
+
The KeePass development team provides an installer, which copies KeePass
+to your hard disk, creates shortcuts in the start menu and associates
+KDBX files with KeePass, if desired.
+
+
Additionally, KeePass is automatically configured to store its settings in
+the application data directory of the current user.
+This way multiple users can use one KeePass
+installation without overwriting each other's settings (each user has his
+own configuration file).
+The setup program must run with administrative
+rights, however KeePass runs fine without administrative rights once it
+is installed.
+
+
Installation:
+To install KeePass, run the KeePass-2.xx-Setup.exe file
+and follow the wizard.
+
+
Updating:
+Run the KeePass-2.xx-Setup.exe file.
+You do not need to uninstall the old version first.
+Your configuration options will not be lost.
+
+
Uninstallation:
+In order to uninstall KeePass, run the uninstallation program, which is
+accessible by a shortcut in the start menu folder of KeePass, or in
+the program section of the system control panel. If you also want
+to remove your configuration settings, you need to delete the configuration
+file in the application data directory of your user profile, see
+Configuration.
+
+
Silent Installation:
+The KeePass installer KeePass-2.xx-Setup.exe supports command line
+switches for silent installation, i.e. the program gets installed without
+asking the user for target directory or association options. The default settings
+of the installer are used.
+
+
The /SILENT command line switch performs a silent
+installation and shows a status dialog during the setup process. No questions
+will be asked though.
+
+
The /VERYSILENT command line switch performs a silent
+installation and does not show a status dialog during the setup process.
+
+
Destination Path:
+The installer allows to choose the destination path to which KeePass is
+installed.
+However, when the installer detects an existing KeePass installation, it
+assumes that the user wants to perform an upgrade and thus doesn't
+display the destination path selection page; the old version will be overwritten
+by the new version.
+If you want to move an existing KeePass installation to a different path,
+first uninstall the old version; the installer of the new version will then
+display the destination path selection page again.
The portable version can be carried around on portable devices (like USB
+sticks) and runs on any computer directly from the device, without any
+installation.
+It doesn't store anything on your system (in contrast to
+the setup package, see above). KeePass doesn't create any new
+registry keys and it doesn't create any configuration files in your Windows
+or application data directory of your user profile.
+
+
Make sure that KeePass has write access to
+its application directory. Otherwise, if it doesn't have, it'll attempt
+to store the configuration options (nothing security-relevant though) into the
+application data directory of the currently logged on user.
+For more about that, see this page:
+Configuration.
+
+
Installation:
+KeePass does not need to be installed. Just download the ZIP package, unpack
+it with your favorite ZIP program and KeePass is ready to be used. Copy it to
+a location of your choice (for example onto your USB stick); no
+additional configuration or installation is needed.
+
+
Updating:
+Download the latest portable package of KeePass, unpack it
+and copy all new files over the old ones. Your configuration settings will not
+be lost (the settings are stored in the KeePass.config.xml file,
+which won't be overwritten, because KeePass ZIP packages don't
+include a KeePass.config.xml file).
+
+
Uninstallation:
+Simply delete the KeePass folder.
+
+
+
+
+
+Running KeePass under Mono (Linux, MacOS, BSD, ...)
+
+
In addition to Windows, KeePass 2.x runs under Mono,
+i.e. Linux, MacOS, BSD, etc.
+
+
Links to all supported packages can be found on the
+Downloads page.
+
+
+
Debian/Ubuntu Linux:
+Install the keepass2 /
+KeePass 2.x for Debian/Ubuntu Linux package (e.g. using APT).
+A link to a page with more information about this package can be found on the
+downloads page.
+
+
+
Fedora Linux:
+Install the keepass package
+(from the Fedora repository; link on the downloads page).
+
+
+
OpenSUSE Linux:
+Install the keepass package
+(from the OpenSUSE Mono repository; link on the downloads page).
+
+
+
Gentoo Linux:
+Install the keepass package
+(from the Gentoo Linux repository; link on the downloads page).
+
+
+
Arch Linux:
+Install the keepass package
+(from the Arch Linux repository; link on the downloads page).
+
+
+
MacOS:
+Install the KeePass 2.x for MacOS package
+(link on the downloads page).
+
+
+
FreeBSD:
+Install the keepass package
+(from the FreeBSD ports tree or binary pkg repository; link on the downloads page).
+
+
+
Other Unix-like systems:
+In order to run KeePass, follow these steps:
+
+
Install Mono ≥ 2.6 (older versions will not work and are
+not supported). Depending on your platform, the packages to install are called
+mono-stable, MonoFramework,
+mono-devel or mono-2.0-devel; see
+the Mono project page,
+if you are unsure which packages to install.
+
+
On some platforms, the Windows Forms implementation (System.Windows.Forms)
+is offered as a separate package.
+KeePass requires this package; so if you see one, install it, too.
+
+
On some platforms, the Runtime namespace (System.Runtime)
+is offered as a separate package.
+KeePass requires this package; so if you see one, install it, too.
+
+
If you want to use auto-type on Linux/MacOS/BSD/etc., you additionally
+need the xdotool package.
+
+
Download the portable version of KeePass (ZIP package)
+and unpack it to a location of your choice.
+
+
When being in the KeePass directory, run the command line
+"mono KeePass.exe". Alternatively, right-click onto
+the KeePass.exe file, choose "Open with Other Application"
+and type in mono as custom command.
+
+
+
For the last step you might want to create a shortcut
+or shell script file with this command line (use an absolute path to
+KeePass.exe, if the shortcut / shell script file is in a
+different location).
+
+
Clipboard:
+On some systems, Mono's clipboard routines don't work properly.
+In this case, install the xsel and xdotool packages.
+If these are installed, KeePass uses them for clipboard operations.
+
+
Global Auto-Type:
+In order to use global auto-type,
+you need to create an appropriate system-wide hot key. This only needs to be done
+manually once. KeePass performs global auto-type when it's invoked with
+the --auto-typecommand line option.
+
+
Some examples how to create a system-wide hot key for global auto-type,
+for different operating systems:
+
+
+
KDE.
+On Linux systems with KDE, the hot key can be created in Computer
+→ System Settings → Shortcuts and Gestures:
+in this dialog, go Edit → New → Global Shortcut →
+Command/URL, specify the shortcut on the Trigger tab
+and enter
+mono /YourPathToKeePass/KeePass.exe --auto-type
+into the Command/URL field on the Action tab.
+
+
+
Ubuntu Linux ≥ 11.04 (Unity/GNOME).
+Open the dialog Keyboard Shortcuts in the system preferences,
+click the Add button, enter KeePass Auto-Type as name
+and
+mono /YourPathToKeePass/KeePass.exe --auto-type
+as command, then click [Apply]. Click on Disabled of the newly
+created item (such that the text 'New shortcut...' appears),
+press Ctrl+Alt+A, and close the dialog.
+
+
+
Ubuntu Linux ≤ 10.10 (GNOME).
+
+
Press Alt+F2,
+enter gconf-editor and click [OK].
+
Navigate to apps → metacity → keybinding_commands.
+
Double-click one of the command_i items, enter
+mono /YourPathToKeePass/KeePass.exe --auto-type
+and click [OK].
+
Click the global_keybindings node on the left.
+
Double-click the appropriate run_command_i item
+(for example, when you've used command_5 in the previous steps,
+double-click run_command_5 now) and specify the hot key of your
+choice. For example, to use Ctrl+Alt+A
+as hot key, you'd enter <Control><Alt>a.
+
+
+
+
+
Important: for global auto-type, the version of the xdotool package
+must be 2.20100818.3004 or higher! If your distribution only offers an
+older version, you can download and install the latest version of the
+package manually, see the xdotool website.
+
+
Auto-Type on Wayland:
+If you want to use auto-type on a system with a Wayland compositor,
+see the Auto-Type on Wayland page.
+
+
AES-KDF:
+For fast key transformations
+using AES-KDF, make sure that the libgcrypt library is installed.
+
+
Argon2:
+For fast key transformations
+using Argon2, make sure that the libargon2 library is installed.
+
+
Plugins:
+On some Linux systems, the mono-complete package
+may be required for plugins to work properly.
+
+
TLS 1.2:
+For TLS 1.2 support, Mono 4.8.0 or higher (or .NET Framework 4.5 or higher)
+is required.
+
+
Fonts:
+On some Linux systems, the ttf-mscorefonts-installer package
+may be required.
+
+
+
+
+
+
+
+Running KeePass under Wine (Linux, MacOS, BSD, ...)
+
+
Although you can run KeePass 2.x more or less natively on Unix-like systems
+using Mono (see above), the user interface does not always look pretty.
+Some users therefore prefer running KeePass 2.x under Wine.
+
+
In order to run KeePass 2.x under Wine, follow these steps:
+
+
+
Make sure that Wine is installed.
+Typically the package to install is called wine.
Download the latest portable package of KeePass 2.x (ZIP file) and unpack it
+into some directory of your choice.
+
Run wine KeePass.exe.
+
+
+
Theme.
+By default, Wine uses the classic Windows theme. If you prefer some other
+theme, you can install it in 'Applications' → 'Wine' → 'Configure Wine' →
+tab 'Desktop Integration'.
+Links to themes can for instance be found on
+Wikipedia: Windows XP visual styles.
+
+
Auto-Type.
+Wine currently does not implement all Windows API functions required for
+auto-type, i.e. auto-type does not work when running KeePass under Wine.
+
+
+
+
+
+
+
+
+
+Migrating from KeePass 1.x to 2.x
+
+
In order to migrate from KeePass 1.x to 2.x, follow these steps:
+
+
+
Install KeePass 2.x.
+If you're using the installer, make sure that the component
+'Native Support Library' is being installed
+(by default this component is enabled).
+
Run KeePass 2.x and create a new KDBX database file (via 'File' →
+'New').
+
Import your old KDB database file into your new KDBX database file
+(via 'File' → 'Import', file format 'KeePass KDB (1.x)').
+
+
+
If everything works fine, you can delete your old KeePass 1.x
+installation. The old KDB database file also isn't required anymore,
+but you may want to keep it as a backup.
KeePass 2.x features a powerful, built-in synchronization mechanism.
+Changes made in multiple copies of a database file can be merged safely.
+
+
After synchronizing two files A and B, both A and B are up-to-date
+(i.e. KeePass saves the merged data to both locations when performing
+a synchronization).
+
+
Requirements.
+
+
If the files to be synchronized are accessible via a protocol that
+KeePass supports by default (e.g. files on a local hard disk or a network
+share, FTP, HTTP, HTTPS, WebDAV, ..., see the page
+'Loading/Saving From/To URL' for details),
+then no plugins/extensions are required.
+
+
If one of the files to be synchronized should be accessed via
+SCP, SFTP or FTPS, you need the
+IOProtocolExt
+plugin, which adds support for these protocols to KeePass.
+
+
If one of the files to be synchronized is stored in a cloud storage:
+for most cloud storages, there is an integration with the local file system
+available (i.e. you can access your stored files using Windows Explorer).
+For example, Dropbox, Microsoft OneDrive and Google Drive provide such
+an integration.
+If such an integration is available, it is recommended that you access
+your database file this way; this often works better than accessing it
+via a protocol like FTP or WebDAV.
+If no such integration is available and your cloud storage also is not
+accessible via a standard protocol, a specialized KeePass
+plugin
+for this cloud storage might be available.
+
+
+
+
+
+
+Invoking a Synchronization
+
+
There are multiple ways how a synchronization can be invoked:
+
+
+
Manually.
+A synchronization can be started manually by navigating to
+'File' → 'Synchronize' and clicking 'Synchronize with File'
+or 'Synchronize with URL' (depending on whether the file to be synchronized
+with is stored on a local drive / network share or on a server accessible via a URL).
+If you've previously opened or synchronized with the target file, you can
+also simply point on 'Recent Files' (in the 'Synchronize' menu)
+and select the file.
+Manual synchronization is only possible when the currently opened database
+is a local file
+(files on a network share are here considered to be local files);
+when you've opened a file from a server using a URL,
+the 'Synchronize' menu is disabled.
+
+
Command 'Save'.
+When invoking the 'Save' command, KeePass checks whether the file on disk/server
+has been modified while you were editing it. If it has been modified,
+KeePass prompts whether you want to overwrite or synchronize with the file.
+Note this applies only to the 'Save' command, not the 'Save As' command.
+See the page
+'Multiple Users' for details
+(section 'KeePass 2.x: Synchronize or Overwrite').
+
+
Triggers.
+In more complex situations you can use the synchronization trigger action.
+See the page
+'Triggers' for details.
+
+
Scripting.
+In order to perform a synchronization without opening KeePass,
+the synchronization command of KPScript can be used. See the KPScript
+help page
+'Single Command Operations'
+for details.
+
+
+
+
+
+
+Technical Details
+
+
The synchronization algorithm is rather complex and it would take
+many pages to describe in detail how it is working.
+Developers interested in this can have a look into the KeePass source code.
+Here are the most important properties of the synchronization algorithm:
+
+
+
In order to decide which copy of an object is the latest one,
+KeePass mainly uses the last modification time of the object
+(which KeePass updates automatically each time the object is changed).
+
The synchronization is performed on entry level. This e.g. means that
+a combination of user name / password is always consistent
+(synchronization on field level will not be implemented, because
+combinations could become inconsistent with this).
+
In case of parallel updates and collisions, KeePass tries to store
+all information in an appropriate place. For example, when you have an
+entry E in a database A, make a copy B of A, change E in B, change E in A,
+and synchronize A and B, then E in A is treated as current and the changes
+made to E in B are stored as a history entry of E (see the tab page 'History'
+in the entry dialog), i.e. the changes made in B are not lost.
+
+
+
+
+
+
+Advanced Synchronization Schemes
+
+
+
Local↔Master Synchronization.
+A synchronization scheme that prevents data loss when database files are
+overwritten by other applications (e.g. cloud storage service software),
+using a trigger.
+
+
Plugins.
+There are plugins for more complex synchronization schemes,
+for example to synchronize only a subset of the entries.
To install a user interface translation, follow these steps:
+
+
+
Download the translation ZIP file from the
+Translations page
+and unpack it (to the current directory).
+
In KeePass, click 'View' → 'Change Language' → button
+'Open Folder'; KeePass now opens a folder called 'Languages'.
+Move the unpacked file(s) into the 'Languages' folder.
+
Switch to KeePass, click 'View' → 'Change Language',
+and select your language. Restart KeePass.
+
+
+
+
+
Note.
+For moving the unpacked file(s) (in step 2), we recommend to use Windows Explorer.
+Other file managers may have problems with access rights.
+
+
+
+
+
+Additional Localized Content
+
+
For some languages (not for all) there is additional localized content available,
+like translated help files, tutorials, etc. All this content is available
+from the same page where the user interface translations are downloadable:
+Translations page.
+
+
If you'd like to create some translated content yourself, please first ask
+the KeePass team if the thing you're planning to create isn't in work already by
+someone else. If not, you'll make a lot of people very happy by creating translated content!
KeePass features a powerful event-condition-action trigger system.
+With this system, workflows can be automated. For example, you could define
+a trigger that automatically uploads your database to a backup server after
+saving the file locally.
+
+
A trigger starts to run when any of the specified events matches.
+When this happens, the conditions are checked. If all conditions
+are fulfilled, the actions of the trigger are performed.
+Actions are performed consecutively; if one action fails, typically the execution
+of the event is aborted (i.e. all following actions aren't performed).
+
+
A trigger must be both enabled and on in order to get executed.
+The enabled state is set by the user; a disabled trigger has no
+function. The on state is dependent on the state of the program. By
+enabling the 'Initially On' option, a trigger is on by default.
+If you enable the option 'Turn off after executing actions', the trigger
+will be off after running once. There are actions to turn triggers on and off,
+i.e. triggers can turn themselves and other triggers on and off, which allows
+to define a complex state-dependent system of triggers.
+
+
Most strings in the trigger system are Spr-compiled, i.e.
+placeholders
+(except state-changing ones), environment variables, etc. can be used.
+
+
Sensitive Data.
+Some trigger events/conditions/actions support fields for potentially
+sensitive data (for instance the password field of the 'Open database file'
+action). As triggers are saved in a plain text
+configuration file,
+it is generally not recommended to directly enter sensitive data in trigger fields.
+If a database is open when the trigger runs, the sensitive data can be
+stored in the database and the trigger field can point to the data using
+a field reference
+(which KeePass resolves when evaluating the field).
+In this way, only the field reference appears in the configuration file
+and the actual sensitive data is stored in the encrypted database file.
+
+
I/O Connection Properties.
+Most trigger actions having a file path/URL parameter only allow
+specifying the path/URL and possibly credentials (user name and password)
+for accessing the file; advanced connection properties (like
+timeout, user agent, passive mode, etc.) cannot be specified here.
+If advanced connection properties are required, open the file once
+(using 'File' → 'Open') with the desired connection properties.
+This will create an item in the 'Open Recent' file list
+(which remembers connection properties).
+When a trigger action is executed, KeePass loads the connection properties
+from the corresponding item (same path/URL) in the 'Open Recent' file list.
+
+
+
+
+
+Events
+
+
+
+
Application initialized:
+This event occurs when KeePass has finished initializing, but didn't perform
+any main window automations (like opening a default database) yet.
+
+
Parameters: None.
+
+
+
Application started and ready:
+This event occurs when KeePass has started up, performed main window
+automations (like opening a default database) and is ready for user actions.
+
+
Parameters: None.
+
+
+
Application exit:
+This event occurs when KeePass is about to exit. Databases have been closed
+already, but resources (like fonts, ...) are still valid.
+
+
Parameters: None.
+
+
+
Opened database file:
+This event occurs right after a database file has been opened successfully.
+
+
File/URL: An optional event filter. If a filter is specified
+(i.e. something is entered in 'File/URL - Filter'), the trigger
+is only evaluated, if the filter matches the actual database file path.
+For example, if you enter F:\ as filter string and specify
+'Starts with' as comparison method, the trigger will only be evaluated,
+if the database (that has just been opened) path starts with F:\.
+
+
+
Saving database file:
+This event occurs right before a database file is saved.
+
+
Parameters: See 'Opened database file' event.
+
+
+
Saved database file:
+This event occurs right after a database file has been saved successfully.
+
+
Parameters: See 'Opened database file' event.
+
+
+
Synchronizing database file:
+This event occurs right before a database file is synchronized
+with another database file.
+
+
Parameters: See 'Opened database file' event.
+
+
+
Synchronized database file:
+This event occurs right after a database file has been synchronized
+with another database file.
+
+
Parameters: See 'Opened database file' event.
+
+
+
Closing database file (before saving):
+This event occurs right before a database file is closed.
+It occurs before KeePass saves the database automatically or asks the
+user whether to save unsaved changes.
+
+
Parameters: See 'Opened database file' event.
+
+
+
Closing database file (after saving):
+This event occurs right before a database file is closed.
+The database file already was saved automatically or unsaved changes were
+saved/discarded depending on the user's choice.
+
+
Parameters: See 'Opened database file' event.
+
+
+
Copied entry data to clipboard:
+This event occurs when entry data (user name, password, ...) is copied
+to the Windows clipboard.
+
+
Value: An optional value (copied data) filter.
+
+
+
+
+
Time - Periodic:
+This event occurs at user-defined intervals.
+The event is raised only if KeePass is not occupied
+with a different task (like showing a subdialog).
+
+
Interval: Time span between the events, in seconds.
+
Restart timer on KeePass activity:
+If this option is turned on, a KeePass activity
+(user interaction, automation, subdialog, plugin activity, ...)
+causes a restart of the timer, i.e. one full interval must
+pass for the next event.
+
+
+
Custom toolbar button clicked:
+This event occurs when the user clicks a custom toolbar button. Custom
+toolbar buttons can be created using the 'Add custom toolbar button'
+trigger action.
+
+
ID: ID of the toolbar button that must have been clicked (see action).
+
+
+
+
+
+
+
+
+Conditions
+
+
+
+
Environment variable:
+
+
Name: Name of the environment variable to check. The name must not
+be enclosed in percent (%) characters.
+
Value: The value that the specified environment variable must have
+for the condition to be true.
+
+
+
String:
+
+
String: A string (KeePass Spr-compiles this, i.e. you can e.g. use
+placeholders).
+
Value: The value that the specified, evaluated string must have
+for the condition to be true.
+
+
+
File exists:
+
+
File: The file that must exist in order for the condition to be true.
+
+
+
Remote host is reachable (ping):
+
+
Host: Host to send the ping to.
+
+
+
Database has unsaved changes:
+Evaluates to true, if the specified database has unsaved changes.
+
+
Database: The database to check for unsaved changes.
+
+
+
+
+
+
+
+
+Actions
+
+
+
+
Execute command line / URL:
+The file/URL and arguments are parsed by the Spr engine before they
+are sent to the shell, i.e. generic and database-dependent
+placeholders can
+be used.
+If you want to use built-in shell commands, like COPY, please
+see: Executing Built-In Shell Commands.
+
+
File/URL: The string to be executed by the shell.
+
Arguments: Optional. If 'File/URL' points to an executable
+file, this string is sent to the executable as command line argument(s).
+
Wait for exit: If this option is checked, KeePass waits indefinitely
+for the started process to exit.
+
Window style: Specifies how the main window of the executed
+file/URL should be displayed. Not all applications respect this setting.
+
Verb: Specifies the action to be performed. An empty string means
+to use the default verb. Some applications support additional verbs (e.g.
+"Print" to print the specified document).
+When using the verb "RunAs", the application is executed with
+administrative rights (this may require a confirmation via the UAC
+dialog).
+
+
+
Change trigger on/off state:
+
+
Trigger name: Name of the target trigger whose on/off state
+should be changed. If this field is left empty, the target trigger is
+the current one.
+
New state: Specifies the new state of the target trigger.
+
+
+
Open database file:
+Open a KDBX database file (in a new tab). If the given database file is opened
+already, KeePass brings it to the foreground.
+
+
File/URL: Path of the database file to open. If it is a URL,
+the protocol (prefix) must be specified.
+
I/O Connection - User Name / Password: Optional credentials that are used
+for connecting to the target file system (for example FTP account user name /
+password). These credentials are not used to decrypt the database.
+
Password / Key file / User account: Optional credentials that are used
+to decrypt the database file.
+
+
+
Save active database:
+Save the currently active database. This action always saves the database,
+even if there are no unsaved changes. To only save if there are unsaved changes,
+use the 'Database has unsaved changes' trigger condition.
+
+
Parameters: None.
+
+
+
Synchronize active database with a file/URL:
+Synchronize the currently opened and active database with a file.
+
+
File/URL: Path of the database file to synchronize with.
+If it is a URL, the protocol (prefix) must be specified.
+
I/O Connection - User Name / Password: Optional credentials that are used
+for connecting to the target file system (for example FTP account user name /
+password). These credentials are not used to decrypt the database.
+
+
+
Import into active database:
+Import a file into the currently opened and active database.
+
+
File/URL: Path of the source file to import.
+If it is a URL, the protocol (prefix) must be specified.
+
File format: Specifies the import format (see the import
+dialog for possible values).
+
Method: Specifies the behavior for groups/entries that exist
+in both the currently active database and the import file.
+
Password / Key file / User account: Optional credentials that are used
+to decrypt the import file, if required.
+If no credentials are specified, but the import file is encrypted, KeePass
+shows a key prompt dialog.
+
+
+
Export active database:
+Export the currently opened and active database to a file.
+
+
File/URL: Path of the target file to export to.
+If it is a URL, the protocol (prefix) must be specified.
+
File format: Specifies the export format (see the export
+dialog for possible values).
+
Filter - Group: Specifies the path of the group to export
+(optional; an empty string means the whole database).
+The path must start with the character used as separator, and the
+name of the root group of the database must not be specified.
+For example, to export a group 'B' that is a subgroup of the group
+'A', specify /A/B as group path.
+
Filter - Tag: Export only the entries that have the
+specified tag (optional parameter).
+
+
+
Close active database:
+Close the currently active database.
+
+
Parameters: None.
+
+
+
Activate database (select tab):
+
+
File/URL: Path of the database to activate. This may be a
+substring of the actual database path. For example, specifying
+MyDatabase would match a database
+C:\Documents\KeePass\MyDatabase.kdbx.
+
Filter: Specifies the databases that are being
+considered. If 'Triggering' is selected and the 'File/URL' field is empty,
+the database that triggered the event is activated.
+
+
+
Wait:
+Wait for the specified amount of time.
+
+
Time span: Number of milliseconds to wait.
+
+
+
Show message box:
+Displays a message box.
+
+
Main instruction: First line of the message text
+(which is possibly displayed using a stronger font).
+
Text: Message text.
+
Icon: The icon that is displayed next to the message text.
+
Buttons: Specifies the available buttons.
+
Default button: The button that initially has the focus.
+
Action - Condition: Specifies the condition that must be fulfilled
+for the following action to be performed. For example, if 'Button OK/Yes' is
+selected, the action is only performed if the user clicks the 'OK' or
+'Yes' button of the message box.
+
Action: The action to perform after showing the message box.
+
Action - Parameters: Parameters for the specified action. For
+example, if executing a command line / URL is specified as action, this field
+must contain the command line / URL.
+
+
+
Perform global auto-type:
+Execute global auto-type (like pressing the global auto-type hot key).
+
+
Parameters: None.
+
+
+
Perform auto-type with selected entry:
+Executes auto-type with the currently selected entry as context.
+
+
Sequence: The keystroke sequence to send. If this field is empty,
+the default sequence is used.
+
+
+
Show entries by tag:
+Search all entries having the specified tag and show them in the
+entry list of the main window.
+
+
Tag: Tag that the entries must have.
+
+
+
Add custom toolbar button:
+Add a custom button to the toolbar in the main window.
+
+
ID: ID of the toolbar button (see the event handler).
+
Name: Text that is shown on the toolbar button.
+
Description: Text that is shown in the tooltip of the button.
+
+
+
Remove custom toolbar button:
+Remove a custom button from the toolbar in the main window.
+
+
ID: ID of the toolbar button (see the event handler).
KDBX files (created by KeePass 2.x) and KDB files (created by
+KeePass 1.x) are not compatible. KeePass 2.x supports
+a lot of features, which 1.x doesn't support, therefore these formats
+are incompatible.
+
+
But KeePass 2.x can import KDB files created by KeePass 1.x. For
+this, you first need to create a new database in KeePass 2.x
+and then import the 1.x database using 'File' → 'Import'.
+
+
By 'File' → 'Export', KeePass 2.x can also export data to
+1.x KDB files. However note that not all 2.x fields
+are supported by 1.x (i.e. the export is lossy).
XML Replace is a powerful feature that modifies a database by manipulating
+its XML representation.
+
+
It creates a KeePass 2.x XML DOM of the current database
+in memory, performs the operation specified by the user
+(e.g. remove nodes or replace text), loads the modified XML tree,
+and merges the current database with the modified database.
+
+
+This is a feature for experts. Use with caution!
+
+
XML Replace can be invoked via 'Tools' → 'Database Tools' →
+'XML Replace'.
+
+
Information about XPath and regular expressions can be found on the
+Search help page.
+
+
KeePass protects history entries; XML Replace cannot be used to modify
+these. Furthermore, any changes to database properties
+(database name/description, etc.) may be ignored.
+
+
+
+
+
+Examples
+
+
+
+
+
+
+
Replace text in all entry titles and notes
+
Select nodes:
+
//Entry/String[(Key = 'Title') or (Key = 'Notes')]/Value
+
Action:
Replace data
+
Data:
Inner text
+
Find what:
TheTextToFind
+
Replace with:
TheReplacement
+
Within all entry titles and notes, this
+replaces all occurences of TheTextToFind by
+TheReplacement.
+
+
+
+
+
+
+
+
Replace all HTTP URLs by HTTPS URLs
+
Select nodes:
+
//Entry/String[Key = 'URL']/Value
+
Action:
Replace data
+
Data:
Inner text
+
Find what:
^http:
+
Replace with:
https:
+
Options:
☑ Regular expressions
+
Within all entry URL fields, this replaces all
+HTTP URLs by HTTPS URLs.
+
+
+
+
+
+
+
+
Replace group icons
+
Select nodes:
+
//Group/IconID
+
Action:
Replace data
+
Data:
Inner text
+
Find what:
^48$
+
Replace with:
36
+
Options:
☑ Regular expressions
+
This assigns the ZIP package icon to all groups that
+currently have a closed folder as icon.
+
+All icon IDs can be found in the icon picker dialog.
+
+
+
+
+
+
+
+
+
Delete entry strings by name
+
Select nodes:
+
//Entry/String[Key = 'TheName']
+
Action:
Remove nodes
+
Removes all entry strings named
+TheName.
+
+
+
+
+
+
+
+
Delete entry attachments by name extension
+
Select nodes:
+
//Entry/Binary/Key[(string-length(.) >= 4) and (substring(., string-length(.) - 3) = '.jpg')]/..
+
Action:
Remove nodes
+
Removes all entry attachments that have a name
+ending in '.jpg'.
+
+
+
+
+
+
+
+
Reset background colors
+
Select nodes:
+
//Entry/BackgroundColor
+
Action:
Remove nodes
+
Sets the background color of all entries to the
+default (transparent/alternating).
+
+
+
+
+
+
+
+
Disable auto-type for entries with empty fields
+
Select nodes:
+
//Entry/String[((Key = 'UserName') or (Key = 'Password')) and (Value = '')]/../AutoType/Enabled
+
Action:
Replace data
+
Data:
Inner text
+
Find what:
True
+
Replace with:
False
+
Disables auto-type for all entries that have an empty
+user name field or an empty password field.
+
+
+
+
+
+
+
+
Convert {DELAY= to upper-case
+
Select nodes:
+
//DefaultSequence | //KeystrokeSequence
+
Action:
Replace data
+
Data:
Inner text
+
Find what:
{DELAY=
+
Replace with:
{DELAY=
+
Converts all {DELAY= codes
+within auto-type sequence overrides and associations to upper-case
+(by default the case sensitivity option is turned off, thus the 'Find what'
+text matches all cases).
+
+In KeePass 2.x, placeholders are case-insensitive. However, this XML Replace operation
+may be useful as preparation for the following example (which matches
+{DELAY= in a case-sensitive way).
+
+
+
+
+
+
+
+
Prepend {DELAY=50} to all sequences without a {DELAY=
Prepends a {DELAY=50} to all auto-type
+sequence overrides and associations that do not contain any
+{DELAY= already and are not empty.
+
+Note that the node selection is case-sensitive (independent of the data
+case sensitivity option), thus you need to ensure that all
+{DELAY= codes are upper-case before performing this operation.
+This can e.g. be done using the XML Replace operation mentioned
+above.
+
+
+
+
+
+
+
+
Change {DELAY= values
+
Select nodes:
+
//DefaultSequence | //KeystrokeSequence
+
Action:
Replace data
+
Data:
Inner text
+
Find what:
\{DELAY=[\d\s]*\}
+
Replace with:
{DELAY=50}
+
Options:
☑ Regular expressions
+
Sets the values of all {DELAY= codes
+within auto-type sequence overrides and associations to 50.
+
+
+
+
+
+
+
+
Remove {DELAY=x} from all sequences
+
Select nodes:
+
//DefaultSequence | //KeystrokeSequence
+
Action:
Replace data
+
Data:
Inner text
+
Find what:
\{DELAY=[\d\s]*\}
+
Replace with:
(Leave empty)
+
Options:
☑ Regular expressions
+
Removes all {DELAY=x} codes from
+all auto-type sequences.
+
+
+
+
+
+
+
+
Reset default sequences that contain {DELAY=
+
Select nodes:
+
//DefaultSequence[contains(., '{DELAY=')]
+
Action:
Remove nodes
+
If a sequence has been specified in the field
+'Override default sequence' (in the entry dialog) and it contains
+{DELAY=, the sequence is reset,
+i.e. the option 'Inherit default auto-type sequence from group' is activated.
Copies the entry URL into the title field of the
+entry (overwriting any existing data in the title field).
+
+If you want the entry URL to be copied only if the title field is empty,
+use the following for 'Select nodes':
+//Entry/String[(Key = 'Title') and (Value = '')]/..
+
+
+
+
+
+
+
+
Copy entry titles into empty user name fields
+
Select nodes:
+
//Entry/String[(Key = 'UserName') and (Value = '')]/..
Copies the entry title into the user name field of the
+entry, if this field is empty.
+
+
+
+
+
+
+
+
Ensure first line is not empty
+
Select nodes:
+
//Entry/String/Value
+
Action:
Replace data
+
Data:
Inner text
+
Find what:
(?s)^(\r?\n)
+
Replace with:
--$1
+
Options:
☑ Regular expressions
+
For all multi-line fields,
+this inserts '--' into the first line of the field value,
+if this line is empty and the value has at least two lines.
+Example:
+
+
Most options below are configured by directly editing the
+KeePass.config.xml configuration file. If you're planning to
+deploy a customized KeePass version, you should fully understand the
+KeePass configuration system,
+especially how to enforce some settings and leave others up to users.
+
+
Note that KeePass features a rich plugin framework. If there's no
+item in the XML file to configure what you're thinking about, you might
+want to write a plugin.
The state (enabled, disabled, visible, hidden) of several user interface
+(UI) elements can be specified using the UIFlags value
+of the UI node in the configuration file.
+This can be a bitwise combination of one or more of
+the following flags:
+
+
+
Flag (Hex)
Flag (Dec)
+
Description
+
0x0
0
+
Don't force any states (default).
+
0x1
1
+
Disable 'Tools' → 'Options' menu item.
+
0x2
2
+
Disable 'Tools' → 'Plugins' menu item.
+
0x4
4
+
Disable 'Tools' → 'Triggers' menu item.
+
0x8
8
+
Disable controls to specify after how many
+days the master key should/must be changed.
+
0x10
16
+
Hide password quality progress bars and information labels.
+
0x20
32
+
Disable 'Help' → 'Check for Updates' menu item.
+
0x40
64
+
Disable 'Tools' → 'Database Tools' → 'XML Replace' menu item.
+
0x80
128
+
Disable 'File' → 'Database Settings' menu item.
+
0x10000
65536
+
Hide built-in profiles in the
+password generator context menu of the entry editing dialog.
+
0x20000
131072
+
Show UI elements related to last access times.
+Note: Databases are not marked as modified when a last access time
+changes. Thus, when only last access times are changed and the user closes the
+database (without saving manually first and without a save forced e.g. by a trigger or plugin),
+the changes to the last access times are lost.
+
0x40000
262144
+
Do not display information dialogs when creating a new database.
+
0x80000
524288
+
Do not display auto-type obfuscation compatibility information dialogs.
+
0x100000
1048576
+
Do not clear the quick search terms list when closing/locking a database.
+Note: Even if this flag is set, the list is cleared when exiting
+KeePass. If you frequently perform the same searches, consider using
+tags or
+search profiles.
The value of UIFlags must be specified in decimal notation.
+
+
For example, if you want to disable the 'Options' and 'Check for Updates'
+menu items, you'd specify 33 as value for the UIFlags node
+(0x1 + 0x20 = 1 + 32 = 33).
+
+
+
+
+
+More Options
+
+
+
Configuration/Application/ConfigSave:
+If this option is set to false, KeePass does not save
+any configuration settings (i.e. the configuration is loaded normally,
+but changes to it are discarded when exiting KeePass).
+
+
Configuration/Application/ExpirySoonDays:
+Specifies the number of days within which entries are considered
+to expire "soon". The default value is 7.
+
+
Configuration/Application/HelpUrl:
+Specifies the URL that is opened for a help page.
+This overrides all other help sources (local and online).
+Spr-compiled;
+the relative help page path is inserted by {BASE}.
+
+
Configuration/Defaults/WinFavsBaseFolderName:
+For the 'Windows Favorites' export:
+name of the root folder; the default value is 'KeePass'.
+
+
Configuration/Defaults/WinFavsFileNamePrefix:
+For the 'Windows Favorites' export:
+prefix for the title of every favorite; the default value is an empty string.
+
+
Configuration/Defaults/WinFavsFileNameSuffix:
+For the 'Windows Favorites' export:
+suffix for the title of every favorite; the default value is an empty string.
+
+
Configuration/Integration/AutoTypeInterKeyDelay:
+Specifies the default delay (in ms) between two keypresses sent by auto-type.
+The minimum is 1 ms.
+Note that very small delays may result in target applications not being able
+to process the keypresses correctly.
+
+
Configuration/Integration/AutoTypeAbortOnWindows:
+This node may contain one or more Window nodes that
+specify disallowed auto-type target windows (the value of each node must
+be a target window filter).
+
+
For example, the following configuration disallows auto-typing into
+WordPad and LibreOffice Writer:
Configuration/Security/MasterKeyTries:
+Specifies how often the master key dialog appears when entering incorrect
+master keys. The default value is 3.
+
+
Configuration/Security/PreventScreenCapture:
+If this option is set to true, KeePass protects its windows
+against certain screen capture operations (on Windows 7 and higher;
+for details, see the
+SetWindowDisplayAffinity function).
+
+This may also prevent legitimate other software
+(accessibility-related tools like Windows Magnifier, remote desktop
+solutions, etc.) from seeing KeePass windows.
+
+
Configuration/Security/ProtectProcessWithDacl:
+If this option is set to true, KeePass protects its process
+with a discretionary access control list (DACL).
+
+Please note that this also blocks legitimate other software
+(accessibility-related tools like Windows Narrator, other security
+products like anti-virus programs or firewalls, tools providing user interface
+enhancements, etc.) from working with KeePass. Furthermore, various problems
+like application hangs, exceptions and crashes may occur.
+Therefore, this option is turned off by default and can only be turned on
+by manually editing the configuration file.
+It only works reasonably in very specific, limited usage scenarios
+and is not recommended for most users.
+This option works on Windows only and requires the KeePassLibC DLL
+(included in default installations and packages).
+
+
Configuration/UI/TrayIcon/ShowOnlyIfTrayedEx:
+If this option is set to true, the KeePass icon in the
+system tray is displayed only if the main window has been minimized
+to the tray.
+
+Turning on this option can result in denial-of-service problems.
+If you want to hide the KeePass icon, it is recommended to configure
+this in the system settings instead;
+see 'Customize the taskbar notification area'.
This documentation applies to KeePass 2.x plugins. 2.x plugins are fundamentally
+different from 1.x plugins. 1.x plugins cannot be loaded by KeePass 2.x.
Start your favorite IDE and create a new C# Class Library project
+(for the .NET Framework, not .NET Standard/Core).
+In this tutorial, the example plugin we're developing is called SimplePlugin.
+The first thing you need to do now is to add a reference to KeePass:
+go to the references dialog and select the KeePass.exe file
+(from the portable ZIP package).
+After you added the reference, the namespaces KeePass and
+KeePassLib should be available.
+
+
It is important that you reference an official KeePass.exe,
+not a development snapshot or own build, because otherwise your
+plugin will be incompatible with official KeePass builds.
+
+
All KeePass plugins need to derive from a base KeePass plugin class
+(Plugin in the KeePass.Plugins namespace).
+By overriding methods and properties of this class, you can customize
+the behavior of your plugin.
You can find a fully documented and extended version of this simple
+plugin on the KeePass plugins web page.
+
+
This plugin does exactly nothing, but it shows some important conventions
+already, which must be followed by all plugins:
+
+
+
The namespace must be named like the DLL file without extension. Our DLL
+file is named SimplePlugin.dll, therefore the namespace must
+be called SimplePlugin.
+
The main plugin class (which KeePass will instantiate when it loads your
+plugin) must be called exactly the same as the namespace plus "Ext".
+In this case: "SimplePlugin" + "Ext" = "SimplePluginExt".
+
The main plugin class must be derived from the KeePass.Plugins.Plugin
+base class.
+
+
+
The Initialize function is the most important one and you
+probably will always override it. In this function, you get an interface
+to the KeePass internals: an IPluginHost interface reference.
+Through this interface you can access the KeePass main menu, the currently
+opened database, etc. The Initialize function is called immediately
+after KeePass loads your plugin. All initialization should be done in this
+method (not in the constructor of your plugin class!). If you
+successfully initialized everything, you must return true. If
+you return false, KeePass will immediately unload your plugin.
+
+
A second function that you will need very often is the Terminate
+method:
+
+
public override void Terminate()
+{
+}
+
+
This function is called shortly before KeePass unloads your plugin. You cannot
+abort this process (it's just a notification and your last chance to clean up
+all used resources, etc.). Immediately after you return from this method, KeePass
+can unload your plugin. It is highly recommended to free all resources in this
+method (not in the destructor of your plugin class!).
+
+
We're almost done! We now need to tell KeePass that
+our file is a KeePass plugin. This is done by editing the Version Information Block
+of the file. Open the file version editing dialog (in Visual Studio 2005: right-click
+onto the project name → 'Properties' → button 'Assembly Information').
+All fields can be assigned freely except the Product Name field (for more information
+see Plugin Conventions). This field must be set to
+"KeePass Plugin" (without the quotes).
+
+
+
+
That's it! Now try to compile your plugin and copy the resulting DLL
+file into the KeePass directory. If you start KeePass and go to the plugins
+dialog, you should see your plugin in the list of loaded plugins.
+
+
+
+
+
+Providing Menu Items
+
+
Many plugins provide menu items (with subitems, if necessary)
+in prominent locations like the 'Tools' menu, the entry context menu, etc.
+Such a menu item can be supplied to KeePass by overriding the
+GetMenuItem method of your plugin class
+(which derives from the Plugin base class).
+In this method, the plugin can construct and return a ToolStripMenuItem,
+which KeePass will then show in the appropriate location.
+
+
Users should be able to associate the menu item with your plugin.
+Typically, plugins set the text of the menu item to the name of the plugin or
+a string that starts with the name of the plugin. For example, a plugin 'Abcd'
+that wants to provide one menu item only (for accessing the plugin options)
+could set the text of the menu item to 'Abcd Options'.
+If the plugin supports multiple commands, set the menu item's text to
+the plugin name (e.g. 'Abcd') and add a subitem for each command.
+
+
The GetMenuItem method should always construct and return
+a new ToolStripMenuItem. Do not cache the menu item
+or any of its subitems for
+later purposes (KeePass may invoke the GetMenuItem method
+multiple times and show the menu items in multiple places; if your plugin
+would cache a menu item, trying to show it in multiple places would
+result in problems, because a ToolStripMenuItem can have
+only one parent item).
+If you want to update the state of subitems (like disabling certain items
+or showing checkmarks), you can do this for instance
+in an anonymous method that handles the DropDownOpening
+event of the returned menu item (this way you do not need to remember
+menu item references manually); see
+SamplePlugin
+for an example.
+
+
KeePass takes ownership of the returned menu item (and its subitems).
+The plugin should not add or remove the item to/from any menu itself;
+KeePass will do this.
+
+
If your plugin does not provide a menu item in the location specified
+by the PluginMenuType parameter t,
+return null.
+
+
Example:
+
+
public overrideToolStripMenuItem GetMenuItem(PluginMenuType t)
+{
+ // Provide a menu item for the main location(s)
+ if(t == PluginMenuType.Main)
+ {
+ ToolStripMenuItem tsmi = newToolStripMenuItem();
+ tsmi.Text = "Abcd Options";
+ tsmi.Click += this.OnOptionsClicked;
+ return tsmi;
+ }
+
+ return null; // No menu items in other locations
+}
+
+private void OnOptionsClicked(object sender, EventArgs e)
+{
+ // Called when the menu item is clicked
+}
+
+
+
+
For an example how to create a menu item with subitems (and
+update their states dynamically), see the
+SamplePlugin
+example plugin.
+
+
+
+
+
+
+
+Plugin Conventions
+
+
File version information block:
+
+
KeePass uses the file version information block to detect if a DLL file is a
+KeePass plugin and retrieves information from it to show in the plugins dialog.
+The fields are used as follows:
+
+
+
Title: Should contain the full name of the plugin.
+
Description: Should contain a short description (not more than 5 lines)
+of your plugin.
+
Company: Should contain the author name of the plugin.
+
Product name: Must be set to "KeePass Plugin" (without
+the quotes).
+
Copyright: Not used by KeePass; freely assignable by the plugin.
+
Trademarks: Not used by KeePass; freely assignable by the plugin.
+
Assembly version: Should be set to the version of your plugin.
+
File version: Should be set to the version of your plugin. It is up
+to you how you are versioning your plugin builds, but it should be a scheme that
+allows version comparisons (by comparing the version components).
+Do not use asterisks for creating a version number at build time.
+
GUID: Not used by KeePass; freely assignable by the plugin.
+
+
+
Name, namespace and class name:
+
+
If you want to use the name "KeePass" as part of the name of
+your plugin, directly prepend/append a non-numeric prefix/suffix.
+For example, "KeePassSync" is ok, but "KeePass Sync" is not.
+
+
The namespace must be named like the DLL file without
+extension. For example, if the DLL file is named SecretImporter.dll,
+you must call the namespace SecretImporter.
+
+
The plugin class must be named like the namespace plus "Ext".
+For the SecretImporter plugin, this would be SecretImporterExt.
+
+
+
+
+
+Update Checking
+
+
The update check of KeePass ≥ 2.18 can also check for plugin updates.
+Update check support is optional; plugins don't have to support update
+checks.
+
+
In order to support update checks, plugin developers need to do the following:
+
+
+
Provide version information file.
+When an end-user invokes an update check, KeePass downloads a version information
+file, which specifies the current version numbers of one or more plugins.
+Every plugin author hosts an own version information file.
+The format of the version information file is described in detail below.
+
Let KeePass know.
+In order to be able to check the plugin's version, KeePass must know where
+your version information file is located. To let KeePass know,
+override the UpdateUrl string property of your plugin class
+(the one derived from Plugin)
+to return the full, absolute URL of your version information file.
+This should be an https:// URL
+(for backward compatibility, KeePass also supports http://
+and ftp://, but for security reasons https://
+should be used).
+
+
+
Plugin developers have to update their version information file each time
+they release new versions of their plugins.
+
+
Version information file format.
+
+
The file is a simple text file. It must be encoded using UTF-8 without
+a byte order mark (KeePass ≥ 2.21 supports UTF-8 BOMs in version information
+files, but for compatibility with KeePass < 2.21 it is recommended
+not to use a BOM).
+All line endings are supported.
+
The first line of the file must start with a separator character of
+your choice. The separator character may be any character,
+but it must not appear within plugin names and versions.
+Suggested is ':'.
+
Each of the following lines specifies a plugin name and its currently
+available version, separated by the separator character that was specified in
+the header line.
+
As plugin name, the value of the 'Title' field in the version information
+block of the plugin must be specified.
+For managed plugins, this is the value specified using the
+AssemblyTitle assembly attribute.
+
As version number, the value of the file version in the version information
+block of the plugin must be specified.
+For managed plugins, this is the value specified using the
+AssemblyFileVersion assembly attribute.
+Trailing .0 may be removed
+(e.g. specify 1.3 instead of 1.3.0.0).
+
The file must end with a line containing only the separator character.
+
You may optionally compress your version information file using GZip
+(note this is not the same as Zip). The file
+name must then end with ".gz".
+
+
+
Example. Let's assume you're developing two plugins: MyPlugin1
+(version 1.5) and MyPlugin2 (version 1.13.2.17). Then your version
+information file could look as follows:
+
:
+MyPlugin1:1.5
+MyPlugin2:1.13.2.17
+:
+
+
If you've developed multiple plugins, it is recommended to create one
+version information file, list all your plugins in this file and specify
+the URL of the file in all your plugins. When KeePass checks for updates,
+it'll download your version information file only once.
+This reduces network traffic and is faster than downloading a version information
+file for every plugin separately.
+
+
Signing. Since KeePass 2.34,
+you can optionally digitally sign your version information file using RSA / SHA-512.
+
+
An RSA key pair can for instance be generated like the following:
+
+
+
+All key lengths supported by RSACryptoServiceProvider
+are supported by KeePass (up to .NET 4.5 that is 384 to 16384 bits in 8 bit steps).
+We recommend at least 2048 bits; the main version information file
+(containing the KeePass version) uses 4096 bits.
+
In order to tell KeePass to accept a specific version information file
+only when it's verifiable with a specific public key, your plugin must call the
+UpdateCheckEx.SetFileSigKey
+method to associate the specified URL with the specified public key.
+The public key must be an XML string in the format as returned by the
+RSACryptoServiceProvider.ToXmlString method.
+Do not store the private key in your plugin, only the public key.
+
To sign an unsigned version information file, hash all trimmed non-empty lines
+between the header and the footer line
+using SHA-512, UTF-8 encoding, each line terminated by '\n'
+(not "\r\n").
+Sign the hash using the private key
+(if you're using RSACryptoServiceProvider:
+load the private key using its FromXmlString method,
+then compute the signature using the SignData method).
+Encode the hash using Base64 and append it to the first line of the
+version information file.
+
+
+
+
+
+
+Can KeePass 2.x Plugins be Written in Unmanaged C++?
+
+
Yes and no. You can write the logic of your plugin in unmanaged C++ (native
+Win32 APIs can be used). However, you must provide a managed interface to your plugin,
+i.e. you must export a managed class derived from the Plugin base class
+as described in the tutorial.
+Also, managed C++ is required to modify the KeePass internals (entries,
+groups, main window, ...).
+
+
For an example how to use unmanaged APIs in a managed C++ plugin assembly,
+see the
+SamplePluginCpp
+example plugin.
+
+
It is highly recommended to develop plugins in C#, not in C++, due to
+compatibility reasons (in the case of native plugins, separate 32- and
+64-bit builds are necessary; native plugins do not run on Unix-like
+systems; etc.).
+
+
+
+
+
+PLGX Files
+
+
PLGX is an optional plugin file format for KeePass ≥ 2.09.
+Instead of compiling your plugin to a DLL file, the plugin source code
+files can be packed into a PLGX file and KeePass will compile the plugin
+itself when loading it.
+
+
One advantage of the PLGX approach is a strong compatibility detection.
+In the case of a DLL plugin, an incompatibility (caused by an API
+change within KeePass) is detected by the runtime when the plugin tries
+to call/access the method/class, not at loading time.
+So, an incompatibility is detected late and might crash KeePass.
+In contrast, when using the PLGX format, an incompatibility is
+detected immediately at loading time: if there is a problem, the
+compile process fails and KeePass can show an informative
+plugin incompatibility message to the user.
+For DLL plugins, KeePass performs an own compatibility check,
+which does not detect all incompatibilities though;
+PLGX is far superior here.
+
+
Another advantage of the PLGX approach is compatibility with
+custom KeePass builds.
+A DLL plugin references an official KeePass build, and unless there
+is a change within KeePass that breaks the plugin, the plugin is
+also compatible with all future KeePass builds that are compiled
+with the same assembly signing key (strong name).
+This applies to all operating systems.
+Especially, a DLL plugin that does not use any Windows-specific
+function works fine on Linux with a KeePass build from the
+official portable ZIP package.
+However, some Linux packages compile KeePass from the source code;
+such builds are not signed at all or are signed with a different
+assembly signing key and are thus incompatible with DLL plugins.
+In contrast, PLGX plugins are compatible with custom KeePass builds,
+because KeePass can adjust the KeePass reference of the plugin
+before compiling it.
+
+
For users, the procedure to install a DLL plugin is exactly the
+same as for a PLGX plugin; both need to be copied into the 'Plugins'
+folder.
+
+
Comparison.
+
+
DLL
PLGX
+
Compatibility check
+
Weak only.
+
Strong.
+
+
Compatibility with custom builds (Linux)
+
+Partial, see above.
+
+
+
Authenticode signing support
+
+
+
+
No compilation on the user's system
+
+
+
+
No plugin cache
+
+
+
+
+
So, both formats have unique advantages and disadvantages;
+there is no "best" format.
+
+
Dual package.
+You can ship a plugin both as a DLL and as a PLGX in one package
+(e.g. 'SecretImporter.dll' and 'SecretImporter.plgx' within one folder).
+KeePass will load the most appropriate file
+(if KeePass has been signed with the official assembly signing key,
+it will load the DLL, otherwise the PLGX).
+If KeePass loads the DLL, the PLGX is ignored, which especially means
+that only a weak compatibility check is performed (i.e. the strong
+compatibility detection ensured by the PLGX is lost).
+So, a dual package inherits the DLL disadvantages and is not
+the "best" solution either.
+
+
Recommendation.
+In any case, create a PLGX file (in order to ensure
+compatibility with all KeePass builds).
+If you think that the advantages of a DLL outweigh the risk
+of an undetected compatibility problem, additionally provide
+the plugin in DLL form.
+
+
Creating PLGX files.
+PLGX files can be created from plugin sources by calling KeePass.exe
+with the --plgx-create command line option. If you additionally
+pass a path to the plugin sources directory (without terminating separator),
+KeePass will use this one; otherwise
+it'll show a folder browser dialog to allow you selecting the directory. If
+you want to pass the directory location using the command line, make sure that
+you're specifying a full, absolute path; relative paths will not work.
+
+
In order to keep the size of the PLGX file small, it is recommended
+that you clean up the plugin sources directory before compiling the PLGX.
+Remove all unnecessary binary files (files in the bin
+and obj directory); especially, delete any plugin assembly DLL
+that you compiled yourself. Temporary files by the IDE
+(like .suo and .user files)
+can also be deleted.
+
+
PLGX features.
+
+
Extensible, object-oriented file format.
+
Compression support (data files are compressed using GZip).
+
.csproj support. KeePass retrieves all information required
+for compiling the plugin assembly from the .csproj file in the
+plugin sources.
+
Embedded resources support.
+
Referenced .NET assemblies support. References information is read from
+the .csproj file.
+
Referenced custom assemblies support. Third-party assemblies required by the plugin
+(references to DLLs) are supported, provided that the third-party assembly is
+located in the plugin source code directory (or any subdirectory of it).
+
ResX support. .resx files are automatically compiled to
+binary .resources files.
+
+
PLGX cache. PLGX files are compiled once and the generated assembly is stored in a cache.
+For all following KeePass starts, no compiling is required.
+
PLGX cache maintenance. The size of the PLGX cache can be seen in the KeePass plugins dialog.
+Here, the cache can also be marked to be cleared (it will be cleared when KeePass
+is started the next time). An option to automatically delete old files from the
+cache is supported and enabled by default.
+
+
+
PLGX limitations.
+
+
Only C# is supported (not Visual Basic or any other .NET language).
+
The compiler that is included in the .NET Framework supports at most
+C# 5. In order to avoid using features of a newer C# version, it is therefore
+recommended to set the C# version of your plugin project to 5:
+
+
In Visual Studio 2017 and earlier, open the project properties →
+tab 'Build' → button 'Advanced' → set the option 'Language version'
+to 'C# 5'.
+
In Visual Studio 2019 and later, the project XML file must be edited:
+the element 'LangVersion' must contain '5'.
+For details, see
+C# Language Versioning.
+
+
Linked resources (in different assemblies) are unsupported.
+
Dependencies on other projects are unsupported (reorganize your project to
+use custom assembly references instead).
+
+
+
Defining prerequisites. You can optionally specify a minimum
+KeePass version, a minimum installed .NET Framework, an operating system and
+the minimum size of a pointer (x86 vs. x64) using the
+--plgx-prereq-kp:, --plgx-prereq-net:,
+--plgx-prereq-os: and --plgx-prereq-ptr:
+command line options. If one of the plugin prerequisites isn't met, KeePass shows a detailed
+error message to the end-user (instead of a generic plugin incompatibility
+message). Build example:
+KeePass.exe --plgx-create C:\YourPluginDir --plgx-prereq-kp:2.09
+--plgx-prereq-net:3.5
+
+
Valid operating system values are Windows and Unix.
+When running on an unknown operating system, KeePass defaults to Windows.
+Pointer sizes (checking for x86 vs. x64) are specified in bytes; for example,
+to only allow running on x64, you specify --plgx-prereq-ptr:8.
+
+
Build commands.Optionally you can specify pre-build
+and post-build commands using --plgx-build-pre: and
+--plgx-build-post:. These commands are embedded in the PLGX file
+and executed when compiling the plugin on the end-user's system.
+
+
In the build commands, the placeholder {PLGX_TEMP_DIR}
+specifies the temporary directory (including a terminating separator),
+to which the files were extracted. In the post-build command, {PLGX_CACHE_DIR}
+is replaced by the cache directory of the plugin (including a terminating
+separator), into which the generated assembly was stored.
+
+
These build commands can for example be used to copy additional files into
+the cache directory. Example:
+KeePass.exe --plgx-create C:\YourPluginDir
+--plgx-build-post:"cmd /c COPY """{PLGX_TEMP_DIR}MyFile.txt"""
+"""{PLGX_CACHE_DIR}MyFile.txt""""
+
+
In order to specify a quote character on the command line, it has
+to be encoded using three quotes (this is Windows standard, see
+
+MSDN: SHELLEXECUTEINFOW). So, the command
+line above will actually embed the post-build command
+cmd /c COPY "{PLGX_TEMP_DIR}MyFile.txt"
+"{PLGX_CACHE_DIR}MyFile.txt"
+into the PLGX, which is correct.
+It is highly recommended to surround paths including PLGX placeholders
+using quotes, otherwise the command will not run correctly if the
+path contains a space character (which happens very often).
+
+
If you need to run multiple commands, write them into a batch file and
+execute it (with cmd). If you need to perform more complex
+build tasks, write an own building executable and run it using the build
+commands (typically it is useful to pass the directory locations as arguments
+to your building executable), for example:
+KeePass.exe --plgx-create C:\YourPluginDir
+--plgx-build-post:"{PLGX_TEMP_DIR}MyBuild.exe {PLGX_TEMP_DIR} {PLGX_CACHE_DIR}"
+
+
PLGX debugging.
+When the command line option --debug is
+passed and a PLGX plugin fails to compile, the output of all
+tried compilers is saved to a temporary file.
How to automate database operations in KeePass 2.x.
+
+
+
Prerequisites:
+
+
In order to automate KeePass, you need the KPScript plugin/extension.
+You can find the latest version of KPScript on the KeePass plugins
+web page.
+The KPScript.exe file needs to be copied into the directory
+where KeePass is installed (where the KeePass.exe file is).
+
+
+
+
There are two ways to automate KeePass: single command operations
+and KPS script files.
+
+
+
Single Command Operations:
+KPScript can be invoked using single commands. By passing the database location,
+its key, a command and eventually some parameters, simple operations like adding
+an entry can be performed. The syntax is very simple, no scripting knowledge is
+required. This method is ideal when you quickly want to do some small changes to
+the database. It is not recommended when you need to perform many operations, because
+for each command the database needs to be loaded from file, decrypted, modified,
+encrypted and written back to file.
+
+
+
KPS Script Files: These files are a lot more
+powerful than single command operations, but are also more complicated. You need
+to have heavy experience in C# programming and the KeePass 2.x internals.
+Within KPS files you can do everything that KeePass does.
How to use KPS script files to automate KeePass 2.x.
+
+
+
KPS script files are a lot more powerful than single command operations,
+but are also more complicated. You need
+to have heavy experience in C# programming and the KeePass 2.x internals.
+Within KPS files you can do everything that KeePass does.
+
+
What are KPS files?
+
+
KPS files are C# files that are loaded,
+compiled and executed by the KPScript.exe program.
+Within the script file, you got full access to the KeePass internals.
+
+
The main differences to "normal" C# files are:
+
+
+
No need for using directives.
+
No need to add a reference to the KeePass assembly.
+
No need to write a wrapper class. Simply start with Main(). The
+complete script file is embedded in a static class.
+
+
+
Here's the famous Hello World program as KPS script:
+
+
public static void Main()
+{
+ MessageService.ShowInfo("Hello World!");
+}
+
+
For the most important namespaces, KPScript automatically adds
+using directives at the start of the file before compiling it.
+MessageService for example is located in KeePassLib.Utility,
+but as it's included automatically by KPScript, you can use it directly.
+
+
+
+
Executing a KPS file:
+
+
To run a KPS file, you simply pass it to KPScript:
+
+
KPScript.exe C:\KeePass\MyScriptFile.kps
+
+
It is important that the file extension is .kps, otherwise KPScript won't
+recognize the file and will interpret it as database for single command operations.
How to use KPScript with single command operations to perform simple
+database operations.
+
+
+
KPScript can be invoked using single commands. By passing the database location,
+its key, a command and eventually some parameters, simple operations like adding
+an entry can be performed. The syntax is very simple, no scripting knowledge is
+required. This method is ideal when you quickly want to do some small changes to
+the database. It is not recommended when you need to perform many operations, because
+for each command the database needs to be loaded from file, decrypted, modified,
+encrypted and written back to file.
+
+
Commands are specified by passing -c:COMMAND to KPScript, where COMMAND
+is the command to execute (see below for a list of available commands).
+
+
The database location is passed to KPScript by just passing it as a parameter,
+without any option prefix.
+
+
+
+
+
+Master Key
+
+
The master key for the database can be passed to KPScript
+using one of the following ways:
+
+
+
Command line parameters.
+Using the -pw:, -pw-enc:,
+-keyfile: and -useraccount parameters.
+For example, to pass "Secret" as password, you'd give
+KPScript the following parameter: -pw:Secret. If the password contains
+spaces or other special characters, it must be enclosed in quotes: -pw:"My Top
+Secret Password".
+For -pw-enc:, see the
+{PASSWORD_ENC} placeholder.
+The -keyfile: parameter can
+specify the key file location. If -useraccount is passed to KPScript, the
+user account credentials of the currently logged on user are used, otherwise not.
+
+
Reading from StdIn.
+If you pass -keyprompt to KPScript, it will read the
+password, the key file path and the user account flag from the StdIn stream.
+This option is intended for programmatically passing the key to KPScript.
+For entering the password by hand, it is recommended to use the
+normal master key dialog instead (because in this dialog the password
+is hidden by bullets/asterisks and it is encrypted by the process memory
+protection), see -guikeyprompt.
+
+
Entering interactively using graphical user interface.
+If you pass -guikeyprompt to KPScript, it will prompt you for the
+key using the normal master key dialog of KeePass.
+
+
+
+
+
+
+Available Commands
+
+
Please note that commands are added incrementally based on user requests. If you are
+missing a command, please let the KeePass team know and it will be added to the
+next release of KPScript.
This command lists all groups in a format that easily machine-readable. The output
+is not intended to be printed/used directly. Usage example:
+
+
KPScript -c:ListGroups "C:\KeePass\MyDb.kdbx" -pw:MyPassword
+This will list all groups contained in the MyDb.kdbx database file.
+
+
+
+
+
Command: ListEntries
+
+
This command lists all entries in a format that easily machine-readable. The output
+is not intended to be printed/used directly. The entry identification
+syntax is exactly the same as in the EditEntry command.
+Usage example:
+
+
KPScript -c:ListEntries "C:\KeePass\MyDb.kdbx" -pw:MyPassword
+-keyfile:"C:\KeePass\MyDb.key"
+Opens the MyDb.kdbx database using 'MyPassword' as password and the MyDb.key file as key file.
+It will output a list of all entries contained in the MyDb.kdbx database file.
+
+
+
+
+
Command: GetEntryString
+
+
Retrieves the value of an entry string field. The entry identification syntax
+is exactly the same as in the EditEntry command.
+Additional command line parameters:
+
+
-Field:NAME
+The field name can be specified using the '-Field' parameter. Supported
+field names are e.g. Title, UserName, Password, URL, Notes, etc.
+
+
-FailIfNotExists
+If you pass the option '-FailIfNotExists' and the specified
+field does not exist, the operation is aborted and an error is returned.
+
+
-FailIfNoEntry
+If you pass the option '-FailIfNoEntry' and no entry is found,
+KPScript terminates with an error.
+
+
-Spr
+Spr-compiles the value of the field, i.e.
+placeholders are replaced,
+field references are resolved, etc.
+
+
+
Usage example:
+
+
KPScript -c:GetEntryString "C:\KeePass\MyDb.kdbx" -pw:MyPassword
+-Field:UserName -ref-Title:"Demo Account"
+Opens the MyDb.kdbx database using 'MyPassword' as password.
+It outputs the user names of all entries that have the title
+"Demo Account".
+
+
+
+
+
Command: AddEntry
+
+
This command adds an entry to the database. To specify the entry details, use the
+standard string field identifiers as parameter names and their values for the contents.
+Supported standard string fields are: Title, UserName, Password, URL, and Notes.
+Usage examples:
-GroupName:NAME
+The -GroupName: parameter can be used to specify the group in which the
+entry is created. For searching, KPScript performs a pre-order traversal and uses the
+first matching group (the name is case-sensitive). If no group with the specified name is
+found, it will be created in the root group.
+
+
-GroupPath:PATH
+The full path of the group can be specified using the
+-GroupPath: parameter (use '/' as separator).
+If you do not specify a group name or path,
+the entry will be created in the root group.
+
+
-setx-Icon:ID
+Set the icon of the entry to the standard icon having index ID.
+
-setx-CustomIcon:ID
+Set the icon of the entry to the custom icon having index ID.
+
-setx-Expires:VALUE
+Sets whether the entry expires or not. VALUE must be either
+true or false.
+
-setx-ExpiryTime:VALUE
+Sets the expiry date/time of the entry.
Use one or more of the following parameters to identify the entries
+to be edited; all of the specified conditions must match:
+
+
-ref-FIELDNAME:FIELDVALUE
+The string field FIELDNAME must have the value FIELDVALUE.
+If the value is enclosed in '//', it is treated as a
+
+regular expression,
+which must occur in the entry field for the entry to match.
+For example, -ref-Title:"//Test\d\d//" matches every entry
+whose title contains 'Test' followed by at least two digits.
+
-refx-UUID:VALUE
+The UUID of the entry must be VALUE.
+
-refx-Tags:VALUE
+The entry must have the specified tags. Multiple tags can be separated using
+commas ','.
+
-refx-Expires:VALUE
+VALUE must be true or false.
+This parameter allows to specify whether the entry expires sometime (i.e. whether
+the 'Expires' checkbox is checked, independent of the expiry time).
+
-refx-Expired:VALUE
+VALUE must be true or false.
+This parameter allows to specify whether the entry has expired (i.e. whether
+the 'Expires' checkbox is checked and the expiry time is not in the future).
+
-refx-Group:VALUE
+The name of the parent group of the entry must be VALUE.
+
-refx-GroupPath:VALUE
+The full path of the parent group of the entry must be VALUE.
+Use '/' as group separator in the path.
+
-refx-All
+Matches all entries.
+
+
+
Use one or more of the following parameters to specify how the
+entry should be edited:
+
+
-set-FIELDNAME:FIELDVALUE
+Sets the string field FIELDNAME of the entry to the value
+FIELDVALUE.
+
-setx-Icon:ID
+Set the icon of the entry to the standard icon having index ID.
+
-setx-CustomIcon:ID
+Set the icon of the entry to the custom icon having index ID.
+
-setx-Expires:VALUE
+Sets whether the entry expires or not. VALUE must be either
+true or false.
+
-setx-ExpiryTime:VALUE
+Sets the expiry date/time of the entry.
+
+
+
Usage examples:
+
+
KPScript -c:EditEntry "C:\KeePass\MyDb.kdbx" -pw:MyPw -ref-Title:"Existing
+entry title" -set-UserName:"New user name"
If you additionally pass -CreateBackup, KPScript will
+first create backups of entries before modifying them.
+
+
+
+
+
Command: MoveEntry
+
+
This command moves one or more existing entries. The entry identification
+syntax is exactly the same as in the EditEntry command.
+
+
+
-GroupPath:PATH
+The target group can be specified using the -GroupPath:
+parameter. '/' must be used as separator
+(e.g. -GroupPath:Internet/eMail moves the specified entries
+to the subgroup 'eMail' of the subgroup 'Internet').
+
+
-GroupName:NAME
+The -GroupName: parameter can be used
+(see the AddEntry command for details).
+
+
+
+
+
+
Command: DeleteEntry
+
+
This command deletes one or more existing entries. The entry identification
+syntax is exactly the same as in the EditEntry command.
+
+
+
+
+
Command: DeleteAllEntries
+
+
This command deletes all entries (in all subgroups).
+
+
+
+
+
Command: Import
+
+
This command imports a file into the database.
+
+
+
-Format:NAME
+The format is specified by
+setting the "-Format" parameter (see names in the
+import dialog of KeePass).
+
+
-File:PATH
+The file to import to is specified using the
+"-File" parameter.
+
+
-MM:VALUE
+If the format supports UUIDs, the behavior for groups/entries that exist
+in both the current database and the import file can be specified using the
+optional "-MM" parameter. Possible values are
+"CreateNewUuids",
+"KeepExisting",
+"OverwriteExisting",
+"OverwriteIfNewer", and
+"Sync".
+By default, new UUIDs are created.
+
+
-imp_*:VALUE
+For encrypted import files, by default the master key of the target database
+is used. However, it is also possible to specify a different master key,
+using the usual
+master key command line parameters
+with the prefix '-imp_'
+(i.e. -imp_pw:, -imp_pw-enc:, -imp_keyfile:,
+-imp_useraccount, -imp_keyprompt,
+-imp_guikeyprompt).
+
+
+
Usage example:
+
+
KPScript -c:Import "C:\KeePass\MyDb.kdbx" -pw:MyPw -Format:"KeePass XML (2.x)" -File:SourceFile.xml
+
+
+
+
+
Command: Export
+
+
This command exports (parts of) the database.
+
+
+
-Format:NAME
+The format is specified by
+setting the "-Format" parameter (see names in the
+export dialog of KeePass).
+
+
-OutFile:PATH
+The file to export to is specified using the
+"-OutFile" parameter.
+
+
-GroupPath:PATH
+If a specific group should be exported (instead of the whole database),
+specify the group using the "-GroupPath" parameter (use '/' as separator).
+
+
-XslFile:PATH
+For the XSL transformation export module, the path of the XSL file
+can be passed using the "-XslFile" parameter.
+
+
+
Usage example:
+
+
KPScript -c:Export "C:\KeePass\MyDb.kdbx" -pw:MyPw -Format:"KeePass XML (2.x)" -OutFile:TargetFile.xml
+
+
+
+
+
Command: Sync
+
+
This command synchronizes the database with another one.
+The other database path has to be specified using the
+"-File" command line parameter. Usage example:
This command changes the master key of the database.
+The new key values are specified using the standard
+options prefixed with 'new', i.e. -newpw:, -newkeyfile:
+and -newuseraccount (all are optional). Usage example:
-count:NUMBER
+The number of passwords can be specified using the
+optional -count: parameter.
+
+
-profile:NAME
+A password generator profile can be specified using the optional
+-profile: parameter
+(the names of all available profiles can be found in the password generator
+dialog).
+
+
+
Usage examples:
+
+
KPScript -c:GenPw
+Generates one password using the default generator profile.
+
+
KPScript -c:GenPw -count:5 -profile:"Hex Key - 128-Bit (built-in)"
+Generates five 128-bit hex passwords (when no translation is used).
+
+
+
+
+
Command: EstimateQuality
+
+
Estimates the quality (in bits) of the password specified via the
+-text: parameter.
+Usage example: