Generate Key From User Pass

Posted on by

This document describes how KeePass locks databases.

KeePass stores your passwords securely in an encrypted file (database). This database is locked with a master password, a key file and/or the current Windows account details. To open a database, all key sources (password, key file, ..) are required. Together, these key sources form the Composite Master Key.

Get microsoft office key activate generator. Scroll to Secure mail key and select Manage secure mail key. If you have more than one email address, select the one you want to use. Select Add secure mail key. Enter a nickname for the secure mail key to make it easier to recognize. Select Create secure mail key. Select Copy secure mail key to clipboard. (Jot down your secure mail key, so you have it handy if you have to update an email app on several devices.). Or Do I have to generate the key using some program and save it permanently somewhere? I want to store data in database after encryption, the secure profile data like username, password, phone number etc, and the key will be available to database user mentioned in connection string only, and to the administrator.

KeePass does not support keys being used alternatively, i.e. it's not possible that you can open your database using a password or a key file. Either use a password, a key file, or both at once (both required), but not interchangeably.


Master Passwords

If you use a master password, you only have to remember one password or passphrase (which should be good!) to open your database. KeePass features protection against brute-force and dictionary attacks on the master password, read the security information page for more about this.

If you forget this master password, all your other passwords in the database are lost, too. There isn't any backdoor or a key which can open all databases. There is no way of recovering your passwords.


Key Files

You don't even have to remember a long, complicated master passphrase. The database can also be locked using a key file. A key file is basically a master password in a file. Key files are typically stronger than master passwords, because the key can be a lot more complicated; however it's also harder to keep them secret.

  • A key file can be used instead of a password, or in addition to a password (and the Windows user account in KeePass 2.x).
  • A key file can be any file you choose; although you should choose one with lots of random data.
  • A key file must not be modified, this will stop you opening the database. If you want to use a different key file, you can change the master key and use a new/different key file.
  • Key files must be backed up or you won't be able to open the database after a hard disk crash/re-build. It's just the same as forgetting the master password. There is no backdoor.
    Do not backup the key file to the same location as the database, use a different directory or disk. Test opening your database on another machine to confirm your backup works. For a detailed discussion on the difference between backing up the key file and the database, see the ABP FAQ.

Location. The point of a key file is that you have something to authenticate with (in contrast to master passwords, where you know something), for example a file on a USB stick. The key file content (i.e. Sql server 2008 product key generator. the key data contained within the key file) needs to be kept secret. The point is not to keep the location of the key file secret – selecting a file out of thousands existing on your hard disk basically doesn't increase security at all, because it's very easy for malware/attackers to find out the correct file (for example by observing the last access times of files, the recently used files list of Windows, malware scanner logs, etc.). Trying to keep the key file location secret is security by obscurity, i.e. not really effective.

File Type and Existing Files. KeePass can generate key files for you, however you can also use any other, already existing file (like JPG image, DOC document, etc.).

In order to use an existing file as key file, click the button with the 'Save' image in the master key creation dialog and select the existing file. After accepting the dialog, KeePass will ask you whether to overwrite or reuse the file (see screenshot).

In order to use an existing file as key file, click the 'Browse' button in the master key creation dialog.

Windows User Account


KeePass 1.x does not support encrypting databases using Windows user account credentials. Only 2.x and higher support this.

KeePass can make the database dependent on the current Windows user account. If you enable this option, you can only open the database when you are logged in as the same Windows user when creating the database.
Be very careful with using this option. If your Windows user account gets deleted, you won't be able to open your KeePass database anymore. Also, when using this option at home and your computer breaks (hard disk damaged), it is not enough to just create a new Windows account on the new installation with the same name and password; you need to copy the complete account (i.e. SID, ..). This is not a simple task, so if you don't know how to do this, it is highly recommended that you don't enable this option. Detailed instructions how to recover a Windows user account can be found here: Recover Windows User Account Credentials (a short technical tutorial can be found in a Microsoft TechNet article: How to recover a Vault corrupted by lost DPAPI keys).
You can change the password of the Windows user account freely; this does not affect the KeePass database. Note that changing the password (e.g. a user using the Control Panel or pressing Ctrl+Alt+Del and selecting 'Change Password') and resetting it to a new one (e.g. an administrator using a NET USER <User><NewPassword> command) are two different things. After changing your password, you can still open your KeePass database. When resetting the password to a new one, access usually is not possible anymore (because the user's DPAPI keys are lost), but there are exceptions (for example when the user is in a domain, Windows can retrieve the user's DPAPI keys from a domain controller, or a home user can use a previously created Password Reset Disk). Details can be found in the MSDN article Windows Data Protection and in the support article How to troubleshoot the Data Protection API (DPAPI).
If you decide to use this option, it is highly recommended not to rely on it exclusively, but to additionally use one of the other two options (password or key file).
Protection using user accounts is unsupported on Windows 98 / ME.

For Administrators: Specifying Minimum Properties of Master Keys

Administrators can specify a minimum length and/or the minimum estimated quality that master passwords must have in order to be accepted. You can tell KeePass to check these two minimum requirements by adding/editing appropriate definitions in the INI/XML configuration file.

Generate Key From User Pass Download

The value of the KeeMasterPasswordMinLength key can contain the minimum master password length in characters. For example, by specifying KeeMasterPasswordMinLength=10, KeePass will only accept master passwords that have at least 10 characters.
The value of the KeeMasterPasswordMinQuality key can contain the minimum estimated quality in bits that master passwords must have. For example, by specifying KeeMasterPasswordMinQuality=64, only master passwords with an estimated quality of at least 64 bits will be accepted.

The value of the Security/MasterPassword/MinimumLength node specifies the minimum master password length (in characters). For example, by setting it to 10, KeePass will only accept master passwords that consist of at least 10 characters.
Generate private key from password The value of the GenerateSecurity/MasterPassword/MinimumQuality node specifies the minimum estimated quality (in bits) that master passwords must have. For example, by setting it to 80, only master passwords with an estimated quality of at least 80 bits will be accepted.
The Security/MasterKeyExpiryRec node can be set to an XSD date or an XSD duration (see XSD Date and Time Data Types). If the master key has not been changed since the specified date or if the time span between now and the last master key change exceeds the specified duration, KeePass recommends to change it. This setting applies to all databases that are opened with this KeePass instance; a master key expiry can also be configured for each database individually (in 'File' → 'Database Settings' → tab 'Advanced').
By specifying KeyCreationFlags and/or KeyPromptFlags (in the UI node), you can force states (enabled, disabled, checked, unchecked) of key source controls in the master key creation and prompt dialogs. These values can be bitwise combinations of one or more of the following flags:
Flag (Hex)Flag (Dec)Description
0x00Don't force any states (default).
0x11Enable password.
0x22Enable key file.
0x44Enable user account.
0x88Enable 'hide password' button.
0x100256Disable password.
0x200512Disable key file.
0x4001024Disable user account.
0x8002048Disable 'hide password' button.
0x1000065536Check password.
0x20000131072Check key file.
0x40000262144Check user account.
0x80000524288Check 'hide password' option/button.
0x100000016777216Uncheck password.
0x200000033554432Uncheck key file.
0x400000067108864Uncheck user account.
0x8000000134217728Uncheck 'hide password' option/button.

Generate Key From User Pass Key


The values of KeyCreationFlags

Generate Key From User Password

and KeyPromptFlags must be specified in decimal notation.
For example, if you want to enforce using the user account option, you could check and disable the control (such that the user can't uncheck it anymore) by specifying 263168 as value (0x40000 + 0x400 = 0x40400 = 263168).