Make Keepass database accept, but not require, two unlocking methods

Solution 1:

You can put your password into a text file on your home PC (make sure your text editor does not add newline characters), then give it to KeePass as the keyfile. (You could encrypt the keyfile with Windows' EFS.)

Now you can use the keyfile at home, and type the password manually elsewhere.
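A script for the key-file approach in this answer, added here as an example and not code from the answer itself. It writes the password to a file with no BOM and no trailing newline (the mistake the answer warns about), verifies the file length, restricts the NTFS ACL to the current user, encrypts the file with EFS and confirms the Encrypted attribute. It assumes Windows with PowerShell 5 or later on an NTFS volume; the output path is a placeholder.

```powershell
# Added example for the key-file approach (not code from the original answer).
# Assumptions: Windows, PowerShell 5+, NTFS volume; $KeyFile is a placeholder path.
$KeyFile = Join-Path $env:USERPROFILE 'keepass-home.key'

# Ask for the password interactively so it does not end up in shell history.
$secure = Read-Host -Prompt 'KeePass master password' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# WriteAllBytes emits exactly these bytes: no BOM and no CR/LF, which is what a
# text editor silently adds. KeePass hashes the typed password as UTF-8, so the
# file must hold the same UTF-8 bytes.
$bytes = [Text.Encoding]::UTF8.GetBytes($plain)
[IO.File]::WriteAllBytes($KeyFile, $bytes)
$expectedLength = $bytes.Length
Remove-Variable plain, bytes, secure

# Check 1: the file is byte-for-byte the password (nothing extra crept in).
if ((Get-Item $KeyFile).Length -ne $expectedLength) {
    throw 'Key file length mismatch: a newline or BOM was added'
}

# A key file is a credential: drop inherited ACEs and allow only this user.
$me  = [Security.Principal.WindowsIdentity]::GetCurrent().User
$acl = Get-Acl -Path $KeyFile
$acl.SetAccessRuleProtection($true, $false)   # protected DACL, inherited ACEs removed
$acl.AddAccessRule((New-Object Security.AccessControl.FileSystemAccessRule(
    $me, 'FullControl', 'Allow')))
Set-Acl -Path $KeyFile -AclObject $acl

# Encrypt with EFS so the bytes on disk are tied to this Windows account.
cipher.exe /E /A "$KeyFile" | Out-Null

# Check 2: confirm the Encrypted attribute is actually set.
if (-not ((Get-Item $KeyFile).Attributes -band [IO.FileAttributes]::Encrypted)) {
    throw 'EFS encryption failed (non-NTFS volume, or EFS disabled by policy?)'
}

Write-Host 'Key file ready. Open the database with key file only, e.g.:'
Write-Host "  KeePass.exe `"path\to\db.kdbx`" -keyfile:`"$KeyFile`""
```

Why the trick works in KeePass 2.x: a key file that is neither exactly 32 raw bytes nor 64 hex characters is reduced to the SHA-256 of its contents, and a typed master password is also reduced to its SHA-256, so a file holding exactly the password bytes yields the same key component as typing the password. Any extra byte changes the hash and the database will not open, which is why the length check matters. Two caveats: the file is the master password in clear text on disk (EFS aside), so anyone who can read it has the password itself, not merely this database; and if the EFS certificate is lost, so is the key file, so keep the password memorised.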

Solution 2:

The easiest method (if you don't change passwords much, which if you use Keepass you probably do) is to duplicate the database using the 2.x version.

There isn't too much of another way. If you actually look at what's going on with the encryption, you'll see that if it encrypts the whole thing with one key, it can't decrypt it with another because that's the very point of encryption.

If you tried to use more than one key, in any way, it would be reduced to verifying the key and then using a stored key to unlock the database, which is quite insecure.

Even if the program stored two copies with two different encryption keys in the same file, that both makes it easier to brute-force since getting one key makes it easy to find the other key, and clumsy because every time you edit the passwords you have to have the other key.

Tl;dr: having multiple keys possible but with only one needed is almost mathematically impossible.

One other solution you have is to get a shorter password. Reading this article, concerning AES (which is what Keepass uses), a password as simple as fluffy is puffy would take maybe 39 million years to crack even though those words are very simple.

By comparison then, Keepass hashes the password 6,000 times by default (and if you set it to 2 million it would still barely break a sweat) which makes any sort of mathematical trickery useless. You can use the pronounceable and lower+upper+num settings on passwd.me to generate a password that's easy to learn and remember but hard to brute force or guess, like tahter.3usandu. Heck, you might even end up learning Japanese :-).

Solution 3:

Since version 2.10, KeePass supports the command line parameter -pw-enc. For details, see KeePass online help. It accepts the master password of a KeePass database in an encrypted representation.

Use a cmd script as in this blog with the -pw-enc parameter to automatically open/unlock your database without need for typing your password. Add this script as task in the Windows task scheduler. Define a trigger for "At log on".

This way, your KeePass database only needs a master password. You can open it on other computers only by typing the master password. However, on your own computer, you have a secure way of automatically unlocking your database relying on your Windows user account.

Side notes

  • To create the encrypted representation, you must use the placeholder {PASSWORD_ENC} for a KeePass entry with the master password of the database. The encrypted representation is a bit different every time you create it. Nevertheless, it will work.

    You can use it either as auto-type sequence or for an entry URL like cmd://"cmd.exe" /k echo {PASSWORD_ENC}.

  • To avoid the cmd window popping up, you can wrap the cmd script with a VBS script as in this answer on Server Fault.

  • If you configured KeePass to automatically lock your database, you can add the additional triggers for "On workstation unlock" and "On connection to user session" for local and remote computers.

  • Don't check "Run whether user is logged on or not" for the task in the task scheduler. Otherwise, the task cannot bring up the KeePass UI.

  • The encryption relies on the Windows Data Protection API (DPAPI). Decryption will only be possible for the current user on the same machine/domain.
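The whole procedure of this answer as one script, added here as an example; it is neither the blog's cmd script nor KeePass project code. It registers a task that launches KeePass.exe directly with -pw-enc (so no cmd window appears and the VBS wrapper is unnecessary), triggered at logon and on workstation unlock, running only when the user is logged on, and then fires the task once to check. Assumptions: Windows 8 / Server 2012 or later (ScheduledTasks module), KeePass 2.10 or later, the placeholder paths and task name below, and that StateChange value 8 is TASK_SESSION_UNLOCK from the Task Scheduler TASK_SESSION_STATE_CHANGE_TYPE enumeration.

```powershell
# Added example (not code from the original answer or the linked blog).
# Assumptions: Windows 8+/Server 2012+, KeePass 2.x; paths and task name are placeholders.
$KeePassExe = 'C:\Program Files\KeePass Password Safe 2\KeePass.exe'
$Database   = Join-Path $env:USERPROFILE 'Documents\Passwords.kdbx'
$TaskName   = 'KeePass auto-unlock'

# Paste the string produced by the {PASSWORD_ENC} placeholder. It is DPAPI
# protected, so it only decrypts for this user on this machine, but treat it
# as a credential anyway (it never goes into shell history this way).
$PwEnc = Read-Host -Prompt 'Encrypted master password from {PASSWORD_ENC}'
if ([string]::IsNullOrWhiteSpace($PwEnc)) { throw 'No -pw-enc value given' }

$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name

# Run KeePass.exe itself: no cmd window to hide. KeePass expects the value
# attached with a colon: -pw-enc:"<blob>".
$action = New-ScheduledTaskAction -Execute $KeePassExe `
    -Argument ('"{0}" -pw-enc:"{1}"' -f $Database, $PwEnc)

# Trigger 1: at logon of this user.
$triggers = @(New-ScheduledTaskTrigger -AtLogOn -User $me)

# Trigger 2: on workstation unlock. New-ScheduledTaskTrigger has no switch for
# session-state changes, so build the trigger from the Task Scheduler CIM class.
# Assumption: StateChange 8 = TASK_SESSION_UNLOCK (7 would be SessionLock).
$class = Get-CimClass -Namespace 'Root/Microsoft/Windows/TaskScheduler' `
    -ClassName 'MSFT_TaskSessionStateChangeTrigger'
$triggers += New-CimInstance -CimClass $class -ClientOnly `
    -Property @{ Enabled = $true; StateChange = 8; UserId = $me }

# LogonType Interactive is "Run only when user is logged on": the task runs in
# the interactive session, so the KeePass window can appear and the user's DPAPI
# key is available. Password/S4U (the "whether user is logged on or not" box)
# would leave KeePass with no desktop to show.
$principal = New-ScheduledTaskPrincipal -UserId $me -LogonType Interactive -RunLevel Limited

# KeePass stays open for days: turn off the default 3-day execution limit
# (a zero TimeSpan is stored as PT0S, read as unlimited) and ignore new
# instances so the unlock trigger does not start a second KeePass.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
    -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit ([TimeSpan]::Zero)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $triggers `
    -Principal $principal -Settings $settings -Force | Out-Null

# Check: fire the task now; KeePass should appear with the database unlocked,
# and the task stays in the Running state for as long as KeePass is open.
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 5
$state = (Get-ScheduledTask -TaskName $TaskName).State
if (-not (Get-Process -Name KeePass -ErrorAction SilentlyContinue)) {
    throw "KeePass did not start (task state: $state); check the task history"
}
Write-Host "Task '$TaskName' registered; state: $state"
```

The -pw-enc blob is bound to this Windows account by DPAPI, so an exported task XML is useless elsewhere, but it does still expose the blob to anyone who can read the task definition on this machine as this user; keep the script and any exported XML readable only by you. When the master password changes, regenerate the value with {PASSWORD_ENC} and re-run the script (the -Force re-registers the task). Remove it with Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false.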