Keepass Composite Key Is Invalid




Create the Composite Key. The process starts by creating a master key from all of the keys provided by the user (generally a password, key-file and/or Windows User Account). This is achieved by appending the bytes of the SHA256 hash for each of the keys into a single composite, which is.

"The composite key is invalid. Make sure the composite key is correct and try again." If I attempt to open it a second time and enter the master password the file loads just fine. Not sure what this.

PowerShell module for KeePass. Contribute to PSKeePass/PoShKeePass development by creating an account on GitHub. The composite key is invalid! Question #182 opened May 23, 2020. Secondary Database/Key Location for HA enhancement.

KeePass is great. I use it a lot.

I'm a bit paranoid, so my master passphrase tends to be (very) long.

Now that I have a USB SmartCard, it would be convenient (and more secure) if I could use it to unlock my KeePass database, instead of typing my whole master password each time, for all kinds of key-loggers to record...

Existing solutions

KeePass does not support using a certificate out of the box, but it can be done with plugins.

Unfortunately, none of the existing plugins do exactly what I want.

Some need the private key of the certificate to be exportable. (Then why bother using a hardware secure element?)

Some use a signature as a secret. (I'm not a crypto expert, but signatures are not designed to do that. This is probably not a good practice...)

And most of all, all the solutions I reviewed are additive, which means that the certificate can only be used as a part of the composite master key used by KeePass to protect the database.

It's not possible to use either a passphrase, or a certificate to unlock the database.

So I created my own plugin...

Introducing: KeePass Certificate Shortcut Provider

This plugin allows you to open your database using either a master password OR an X.509 certificate.

How?

The provider generates a .cspkey file (Certificate Shortcut Provider Key) containing the master password encrypted with the public part of an X.509 certificate.

When the provider is used, it decrypts the master password using the private part of the certificate, and returns it to KeePass.

This way, it's possible to easily open the database using only a certificate.

If required (on a KeePass version without plugins, like Android), the database can always be opened using only the master password.
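The wrap and unwrap steps described above, contrasted with an additive key source, as an added C# example (not the plugin's own code; requires .NET 6 or later). The throwaway self-signed certificate, the passphrase, the `Composite` helper with its final hash, and the OAEP-SHA256 padding are assumptions of this example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class ShortcutDemo
{
    // Concatenate the SHA-256 of every key source into one composite.
    // The final SHA-256 over the concatenation is an assumption of this example.
    static byte[] Composite(params byte[][] sources) =>
        SHA256.HashData(sources.SelectMany(s => SHA256.HashData(s)).ToArray());

    static void Main()
    {
        // Constructed inputs: a self-signed RSA certificate stands in for the
        // smart-card certificate, and the passphrase is made up.
        using RSA key = RSA.Create(2048);
        var req = new CertificateRequest("CN=cspkey-demo", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = req.CreateSelfSigned(
            DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
        byte[] master = Encoding.UTF8.GetBytes("constructed master passphrase");

        // Wrap: only the public key is needed; this ciphertext is what gets stored.
        // OAEP-SHA256 is this example's choice, not necessarily the plugin's padding.
        byte[] wrapped;
        using (RSA pub = cert.GetRSAPublicKey())
            wrapped = pub.Encrypt(master, RSAEncryptionPadding.OaepSHA256);

        // Unwrap: needs the private key, which on a smart card stays on the device.
        byte[] recovered;
        using (RSA priv = cert.GetRSAPrivateKey())
            recovered = priv.Decrypt(wrapped, RSAEncryptionPadding.OaepSHA256);

        // Shortcut design: typing or unwrapping the passphrase gives the same key.
        bool sameKey = Composite(master).SequenceEqual(Composite(recovered));

        // Additive design: a certificate-bound secret (hypothetical second source)
        // joins the composite, so the passphrase alone no longer reproduces it.
        byte[] certSecret = RandomNumberGenerator.GetBytes(32);
        bool passwordAloneOpens =
            Composite(master).SequenceEqual(Composite(master, certSecret));

        Console.WriteLine($"shortcut: typed and unwrapped passphrase match: {sameKey}");
        Console.WriteLine($"additive: passphrase alone reproduces key: {passwordAloneOpens}");
        CryptographicOperations.ZeroMemory(master);
        CryptographicOperations.ZeroMemory(recovered);
    }
}
```

The stored ciphertext is only as strong as the certificate's key and the passphrase it wraps, which is the trade-off the next section discusses.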

Is it secure?

It should be.

If you use a certificate with a strong enough key (RSA with a key of at least 1024 bits is recommended), the limiting factor should be the strength of your master password.

If you think otherwise, please contact me...

What kind of certificates can I use?

For now, only RSA certificates are supported.

ECDSA is a signature algorithm. Supporting ECDSA certificates would require some kind of hack to be able to encrypt the master password.

What does it look like?

Where can I get it?

  • The source code is here: github.com/mlaily/KeePass-CertificateShortcutProvider
  • The latest compiled release is here: github.com/mlaily/KeePass-CertificateShortcutProvider/releases/latest

Any feedback is appreciated.

Enjoy! 🙂
