KeePass Authenticator is a plugin (Key Provider) for KeePass that allows you to unlock your KeePass database using your smartphone (technically speaking, any device running Android Marshmallow or newer). Every time you want to unlock KeePass, a push notification is sent to your Android device, where you confirm whether you want to unlock KeePass or not.
The KeePass Authenticator Android app generates a key pair (public key and private key). During initialization, the Android app generates a pseudorandom byte array, encrypts it using the public key and sends it to the plugin. Each time you want to unlock KeePass, the encrypted value is sent from the plugin to your Android device, where the data is decrypted and signed using the private key. The signature, which is the final key to KeePass, is then sent back to the plugin.
The final key to KeePass is never stored on your PC.
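The pairing and unlock flow described above, as an added sketch that is not the plugin's or the app's own code. The page does not name its algorithms, so RSA-2048, OAEP for the encrypted value and both signature schemes are assumptions, and the class and method names are hypothetical. It shows why a signature can only serve as a stable database key when the scheme is deterministic (PKCS#1 v1.5), whereas a salted scheme (PSS) produces different bytes on every unlock.

```java
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;

// Hypothetical sketch; algorithm choices are assumptions, not taken from the page.
// Needs Java 11+ for the "RSASSA-PSS" signature algorithm.
public class UnlockFlowSketch {
    static final String WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Phone side of one unlock: decrypt the value the plugin sent, then sign it.
    static byte[] unlock(PrivateKey priv, byte[] blob, boolean pss) throws Exception {
        Cipher rsa = Cipher.getInstance(WRAP);
        rsa.init(Cipher.DECRYPT_MODE, priv);
        byte[] seed = rsa.doFinal(blob);

        Signature sig = Signature.getInstance(pss ? "RSASSA-PSS" : "SHA256withRSA");
        if (pss) { // PSS mixes a fresh random salt into every signature
            sig.setParameter(new PSSParameterSpec(
                "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1));
        }
        sig.initSign(priv);
        sig.update(seed);
        return sig.sign(); // in the described design, these bytes are the database key
    }

    public static void main(String[] args) throws Exception {
        // Pairing, phone side: key pair and random seed are created on the device.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] seed = new byte[32];
        new SecureRandom().nextBytes(seed);

        // Only the encrypted seed is handed to the plugin and kept on the PC.
        Cipher rsa = Cipher.getInstance(WRAP);
        rsa.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        byte[] blob = rsa.doFinal(seed);

        // Two unlocks per scheme: compare the keys each one derives.
        boolean v15 = Arrays.equals(unlock(kp.getPrivate(), blob, false),
                                    unlock(kp.getPrivate(), blob, false));
        boolean pss = Arrays.equals(unlock(kp.getPrivate(), blob, true),
                                    unlock(kp.getPrivate(), blob, true));
        System.out.println("PKCS#1 v1.5 signatures identical across unlocks: " + v15);
        System.out.println("PSS signatures identical across unlocks: " + pss);
    }
}
```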
To enable communication between the plugin and the Android app, I chose Firebase Cloud Messaging (by Google) to trigger the decrypting and signing process, and I wrote an app in Java EE to send the key back from the Android app to the plugin. Requests are kept on the Tomcat server for 1 minute and then removed; a request is never stored in any database or on the file system.
Download the keepassauth.zip file and extract it to the directory where KeePass is installed.
Open KeePass and create a new database (you can also unlock your KeePass database as you normally do and then click File -> Change Master Key...).
Check the "Key File" option and choose KeePass Authenticator. Uncheck the "Master Password" option (you can leave it checked and type a password, but then each time you unlock KeePass you will have to type your password in addition to confirming the unlock on your smartphone).
Click OK. A QR code should show up. Open the KeePass Authenticator app on your Android device, click More (3 dots in the upper right corner of the screen), click Pair with PC and scan the QR code with your smartphone.
Once the code is scanned and the device is paired with the PC, a pop-up window will appear. Click OK.
Now a new notification should appear on your Android device. Click on it.
Finish creating the KeePass database and save it.
From now on, each time you open KeePass and click OK, a new notification should appear on your Android device. Once you click on it, KeePass should unlock.
Android application - Java
KeePass plugin - C#
Server - Java EE
Push notifications - Firebase (by Google)
Please copy the code below and paste it into the KeePass.exe.config file (this file should be located in the same directory as the KeePass.exe file), in the <assemblyBinding> section:
<dependentAssembly>
  <assemblyIdentity name="System.Net.Http" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
  <bindingRedirect oldVersion="0.0.0.0-4.2.0.0" newVersion="4.0.0.0" />
</dependentAssembly>
ZXing library to create and read QR Code
Newtonsoft Json.NET library to serialize/deserialize C# objects to/from JSON
Yes, because the KeePass key is not stored on your PC. Only the encrypted key is stored on your PC, and nobody can do anything with it without the private key, which is on your Android device and is non-exportable.
After pairing, you should export your master key and store it safely. Once you do that, even if you lose your phone, uninstall the app or accidentally generate new keys in the app, you will still be able to unlock your KeePass database.
To export the master key, open KeePass and click Tools -> KeePass Authenticator. Then click File -> Export master key and click "Export". Now confirm the request on your Android device and choose the location where the master key should be saved. Please keep in mind that you should store this file safely, because anyone who has access to this file and to your database file is able to unlock your KeePass database and thereby view the passwords stored in it.
Yes, while you are waiting for the notification, just go to File -> Send request again on your PC. If you still receive no notification, please check your network connection. Of course, you can still unlock KeePass using the exported version of your master key (if you have already exported it).
Sure, you can pair KeePass Authenticator with an unlimited number of devices.
Yes, just open and unlock your KeePass database, then go to File -> Change Master Key..., check "Key File" and choose KeePass Authenticator. You can leave the "Master Password" option checked and type a password, but then each time you unlock KeePass you will have to type your password in addition to confirming the unlock on your smartphone. If you want to unlock KeePass using only your Android device, uncheck this option.
No, there is no need to open the application or keep it running in the background, except during the pairing process, when you have to open the app and click "Pair with PC".
This software is free to use for personal use only.
You are not allowed to sell, redistribute, modify or decompile this software.