
Efficiently unlock secondary KeePass databases when working with shared password safes

KeePass can open multiple databases simultaneously, each on its own tab. This is useful, for example, when you maintain one personal database and one or more further databases shared with different teams or projects. When auto-typing passwords or using browser plugins, all open databases are searched, so passwords can stay in their original database without being duplicated.

When unlocking multiple databases, you can avoid typing a separate password for each one: store one entry for each shared database in your first database, which you unlock first. KeePass triggers can then automatically unlock the shared databases on tabs, using their paths and passwords from the first database. Everything remains securely encrypted. Field references are used to get the data from the first database into the triggers, so nothing is hardcoded in the triggers themselves.

In short, this can be set up as follows:

  1. Create KeePass entries for each secondary database.
  2. Create a KeePass trigger, mentioning each entry for secondary databases.
  3. Create a KeePass trigger to always activate the main database on close.

In detail:

Create KeePass entries for each secondary database

  1. In your first database, create a group named "Keepass" to keep the new entries separate. There is no need to mix them in with e.g. Internet. This is optional.
  2. In the group, create an entry for each secondary database:
    • Title: "Project1-Database" (recognisable name)
    • URL: Full path to KDBX file without quotes. Spaces are allowed. I used absolute paths (to a synced storage folder).
    • Password: Master password for KDBX file
    • Repeat for each secondary database e.g. Project2-Database, Project3-Database, …

Create a KeePass trigger, mentioning each entry for secondary databases

  1. Under Tools -> Triggers...:
    • Enable trigger system is checked
    • Click "Add"
      • On tab "Properties" enter:
        • Name: enter "Open further database files on unlocking master database"
        • Enabled is checked
        • Initially on is checked
      • On tab "Events":
        • Click "Add"
        • Select "Opened database file"
        • File/URL Comparison: select "Ends with"
        • File/URL Filter: enter "filename.kdbx" (file of first database, no absolute path is required)
      • On tab "Actions":
        • Click "Add"
        • Select "Open database file"
        • File/URL: enter {REF:A@T:Project1-Database} (A is for the URL field, T:xxx is the title of the KeePass entry xxx in the first database, created above)
        • Password: enter {REF:P@T:Project1-Database} (P is for the password field)
        • Click "Add" again
        • Select "Activate database (select tab)"
        • File/URL: enter "filename.kdbx" (file of first database, no absolute path is required)
      • Repeat adding both actions for each secondary database e.g. Project2-Database, Project3-Database, …

The second action, "Activate database (select tab)", is needed for the field references {REF:...} to work. The field references seem to search only the current tab, so we must re-focus on the first database.
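A small checker for the field references used in the trigger actions, added here as an example (not part of the original post and not KeePass code): it parses {REF:...} strings and reports references whose entry title is missing or matches more than one entry, either of which would make the trigger open the wrong database or none. The entry data is constructed, and the case-insensitive substring matching rule is an assumption of the example.

```python
import re

# {REF:<wanted field>@<search-in field>:<text>}; field codes follow KeePass's
# field-reference syntax (T title, U user name, P password, A URL, N notes, I UUID).
REF_RE = re.compile(r"\{REF:([TUPANI])@([TUPANIO]):([^}]+)\}", re.IGNORECASE)
FIELD = {"T": "title", "U": "username", "P": "password", "A": "url", "N": "notes"}

def parse_refs(text):
    """Return (wanted, search_in, search_text) for every field reference in text."""
    return [(w.upper(), s.upper(), t) for w, s, t in REF_RE.findall(text)]

def check_ref(ref, entries):
    """Classify one reference; matching rule (substring, case-insensitive) is assumed."""
    wanted, search_in, text = ref
    key = FIELD.get(search_in)
    if key is None or wanted not in FIELD:
        return "unsupported"      # UUID / other-field lookups are not modelled here
    hits = [e for e in entries if text.lower() in e.get(key, "").lower()]
    if not hits:
        return "missing"          # no entry with that title: the action gets no path
    if len(hits) > 1:
        return "ambiguous"        # several candidates: the wrong entry may be used
    return "ok" if hits[0].get(FIELD[wanted]) else "empty-field"

def lint_trigger(action_fields, entries):
    """Map each reference string used in trigger actions to its status."""
    report = {}
    for value in action_fields:
        for ref in parse_refs(value):
            report["{REF:%s@%s:%s}" % ref] = check_ref(ref, entries)
    return report

# Constructed sample data: hypothetical paths and placeholder passwords only.
ENTRIES = [
    {"title": "Project1-Database", "url": r"C:\Sync\project1.kdbx", "password": "placeholder"},
    {"title": "Project2-Database", "url": r"C:\Sync\project2.kdbx", "password": "placeholder"},
    {"title": "Project2-Database (old)", "url": "", "password": "placeholder"},
]
ACTIONS = ["{REF:A@T:Project1-Database}", "{REF:P@T:Project3-Database}",
           "{REF:A@T:Project2-Database}"]

if __name__ == "__main__":
    for ref, status in lint_trigger(ACTIONS, ENTRIES).items():
        print(status.ljust(12), ref)
```

Giving each secondary-database entry a unique title that is not a prefix of another title avoids the "ambiguous" case.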

Create a KeePass trigger to always activate the main database on close

This step is needed so that subsequent unlocking will always start from the first database, regardless of which tab was last open.

  • Under Tools -> Triggers...:
    • Click "Add"
    • On tab "Properties":
      • Name: "Activate main database on close"
      • Enabled is checked
      • Initially on is checked
    • On tab "Events":
      • Click "Add"
      • Select "Closing database file (before saving)"
      • Don’t change the comparison or filter.
    • On tab "Conditions":
      • leave empty
    • On tab "Actions":
      • Click "Add"
      • Select "Activate database (select tab)"
      • File/URL: enter "filename.kdbx" (file of first database, no absolute path is required)
