sirAndros / KeePassWinHello

Quick unlock KeePass 2 database using biometrics with Windows Hello
MIT License
321 stars 24 forks source link
biometrics keepass password-manager plugin security unlock windows-hello winhello

Quick unlock with Windows Hello for KeePass 2

Build Status Quality Gate Status GitHub All Releases Chocolatey

This plugin for KeePass 2 password manager is intended for fast authorization with pin or biometrics to a database after its first unlock using Windows Hello technology.

Usage

With this plugin you may:

  1. Unlock your database with your masterkey/keyfile/other provider;

  2. Lock the database (for example, applying autolock on minimize);
  3. When you try to unlock it again, if Windows Hello is available on your system and active for the database, a Windows Hello prompt will be shown over a classic KeePass unlock prompt;

  4. Profit!

Systems Requirements

This plugin relies on Windows Hello API and its requirements.

There are some known issues with Windows Hello reported by community. Please, check here before write issue.

Tested on Microsoft Surface Pro 2017 with KeePass 2.39.1 and 2.42.1.

How to Install

Place KeePassWinHelloPlugin.plgx into Plugins folder in your KeePass installation (by default is C:\Program Files (x86)\KeePass Password Safe 2).

Or you can use Chocolatey to install it in a more automated manner:

choco install keepass-plugin-winhello

Key storage

By default this plugin holds an encrypted master password in memory and removes it upon KeePass closing. In order to be able to unlock your database via Windows Hello authentication in between KeePass launches you may check "Store keys in the Windows Credential Manager" on in the Options dialog. This will prompts you for creating a persistent key signed with your biometry via Windows Hello. The key is used to encrypt master passwords for securely storing them in the Windows Credential Manager.

Options

The plugin integrates itself into the KeePass settings dialog.

Available settings:

All changes will be applied only after OK button press. You can cancel the modifications using Cancel button instead.

Security Notice

As you should never approve any process elevation (run as admin) if you don't trust an application (because otherwise they can do almost anything), you should never sign Windows Hello prompt if you did not request it, especially when using the persistent storage. In those cases your both passwords and PC are at risk.

Our plugin prompts you to authorize Windows Hello only in the following cases:

So it works like a rule of thumb: just like you cancel an unintended UAC dialog, you should cancel an unintended Windows Hello prompt.

Notes

No sensitive information including master passwords for databases are stored by the plugin in a plain text. A database key is encrypted and decrypted using Windows Hello API in order to unlock the database.

Development

Create junction/copy folder with KeePass.exe to root of the repository as folder named "lib". Debug "KeePassWinHello.Debug" project with "Linked KeePass" launch profile. If you add some file - don't forget to add it to KeePassWinHello.csproj, otherwise it won't be included in plgx on publish.

Credits