KeePassNatMsg is a plugin for KeePass 2.x and provides a secure means of exposing KeePass credentials to a browser via Native Messaging.
It is based on KeePassHttp.
This plugin is primarily intended for use with the keepassxc-browser browser extension.
- returns all matching entries for a given URL
- updates entries
- secure exchange of entries
- notifies user if entries are delivered
- user can allow or deny access to single entries
- works only if the database is unlocked
- requests unlocking of the database if it is locked while a client connects
- searches in all opened databases (if user activates this feature)
- Whenever events occur, the user is prompted either by tray notification or requesting interaction (allow/deny/remember).
- KeePass 2.17 or higher
- For Windows: .NET Framework 4.0 or higher
- For Linux: Mono 4.0 or higher
- For Mac: Mono 4.0 or higher (untested)
- Download the latest KeePassNatMsg release
- Arch Linux (AUR): https://aur.archlinux.org/packages/keepass-natmsg/
- Unzip it into the KeePass\Plugins directory
- default directory in Ubuntu 14.04: /usr/lib/keepass2/
- default directory in Arch: /usr/share/keepass
- On Linux systems you may need to install mono-complete:

  ```sh
  $ apt-get install mono-complete
  ```

  (in Debian it should be enough to install the packages libmono-system-runtime-serialization4.0-cil and libmono-posix2.0-cil)
- To run KeePassNatMsg on the latest KeePass 2.31, install the packages:

  ```sh
  sudo apt-get install libmono-system-xml-linq4.0-cil libmono-system-data-datasetextensions4.0-cil libmono-system-runtime-serialization4.0-cil mono-mcs
  ```
- Restart KeePass
- Go to Tools -> KeePassNatMsg Options
- Click on "Install/Update Native Messaging Host", wait for message telling you it was installed.
- Install the KeePassXC-Browser extension for your browser, and connect to the database from within the extension.
KeePass needs Mono. You can find detailed installation instructions on the official page of KeePass.
KeePassNatMsg works out-of-the-box. You don't have to explicitly configure it.
- KeePassNatMsg stores shared public keys in "KeePassNatMsg Settings" in the root group of a password database.
- Password entries saved by KeePassNatMsg are stored in a new group named "KeePassNatMsg Passwords" within the password database.
- Remembered Allow/Deny settings are stored as JSON in custom string fields within the individual password entry in the database.
You can open the options dialog with menu: Tools > KeePassNatMsg Options
The options dialog will appear:
General tab
- show a notification balloon whenever entries are delivered to the inquirer.
- returns only the best matching entries for the given URL; otherwise all entries for a domain are sent.
- e.g. of two entries with the URLs http://example.org and http://example.org/, only the second one will be returned if the requested URL is http://example.org/index.html
- if the active database in KeePass is locked, KeePassNatMsg sends a request to unlock the database: KeePass is brought up and the user has to enter the master password to unlock it. Otherwise KeePassNatMsg tells the inquirer that the database is closed.
- expired entries are ignored if enabled.
- KeePassNatMsg returns only those entries whose URL matches the scheme of the given URL.
- given URL: https://example.org --> scheme: https:// --> only entries whose URL starts with https://
- sort found entries by username or title.
- removes all shared encryption-keys which are stored in the currently selected database. Every inquirer has to re-authenticate.
- removes all stored permissions in the entries of the currently selected database.
- Shows the status of the Native Messaging Host installations for the supported browsers, and the current Proxy version.
- Installs or Updates the Native Messaging Host, and updates the Proxy if an update is available.
Advanced tab
- KeePassNatMsg no longer asks for permissions to retrieve entries, it always allows access.
- KeePassNatMsg no longer asks for permission to update an entry, it always allows updating them.
- Searching for entries is no longer restricted to the current active database in KeePass but is extended to all opened databases!
- Important: Even if another database is not connected with the inquirer, KeePassNatMsg will search and retrieve entries of all opened databases if the active one is connected to KeePassNatMsg!
- if activated, KeePassNatMsg also searches for string fields that are defined in the found entries and start with "KPH: " (note the space after the colon). These string fields are transferred to the client in alphabetical order. You can set string fields in the Advanced tab of an entry.
This is already implemented directly in KeePass.
- Open the context menu of an entry by right-clicking it and select Duplicate entry.
- Check the option to use references for username and password.
- You can change the title, URL and everything else of the copied entry, but not the username and password. These fields contain a Reference Key which refers to the master entry you copied from.
KeePassNatMsg can use the built-in TOTP support in KeePass (since KeePass v2.47, official docs).
KeePassNatMsg can also use the existence of either KeeOtp ("otp") or KeeTrayTOTP ("TOTP Seed") string fields to detect when TOTP entries should be returned in credential requests.
First: if an error occurs, it is shown as a notification in the system tray or as a message box in KeePass.
Otherwise please check whether it could be an error of the client you are using. For keepassxc-browser issues you can report an error here.
If you are having problems with KeePassNatMsg, please tell us at least the following information:
- operating system & version
- version of KeePass
- version of KeePassNatMsg
- error message (if available)
- used clients and their versions
- URLs on which the problem occurs (if available)
KeePassNatMsg can receive 2 different URLs, called URL and SubmitURL.
CompareToUrl = SubmitURL if set, URL otherwise
For every entry, the Levenshtein distance of its entry URL (or title, if the entry URL is not set) to the CompareToUrl is calculated.
Only the entries with the minimal distance are returned.
### Example: Submit-URL: http://www.host.com/subdomain1/login

| Entry-URL | Distance |
|---|---|
| http://www.host.com/ | 16 |
| http://www.host.com/subdomain1 | 6 |
| http://www.host.com/subdomain2 | 7 |

Result: the second entry is returned.
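The following Python script is an added example (not code from the KeePassNatMsg project, which is written in C#) that reproduces the matching rules described in this README: the CompareToUrl choice between URL and SubmitURL, the Levenshtein distance over the entry URL (or title when the URL is empty), the "only the best matching entries" rule illustrated with http://example.org and http://example.org/ in the General tab, and the scheme filter (https:// vs http://). The `Entry` class, the sample entries and the option flag names are constructed for the example; the README does not say whether the scheme filter is applied to the given URL or to the SubmitURL, so the example applies it to the given URL and marks that as an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Entry:
    """Constructed stand-in for a KeePass entry; only title and URL matter here."""
    title: str
    url: str = ""


def compare_to_url(url: str, submit_url: Optional[str] = None) -> str:
    """CompareToUrl = SubmitURL if set, URL otherwise (as stated in the README)."""
    return submit_url if submit_url else url


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def scheme_of(url: str) -> str:
    """'https://example.org' -> 'https://'; empty string when no scheme is present."""
    sep = url.find("://")
    return url[: sep + 3] if sep != -1 else ""


def filter_by_scheme(entries: List[Entry], given_url: str) -> List[Entry]:
    """Keep only entries whose URL starts with the scheme of the given URL."""
    scheme = scheme_of(given_url)
    return [e for e in entries if e.url.startswith(scheme)]


def distance_table(entries: List[Entry], url: str,
                   submit_url: Optional[str] = None) -> Dict[str, int]:
    """Distance of every entry (URL, or title if the URL is empty) to CompareToUrl."""
    target = compare_to_url(url, submit_url)
    return {(e.url or e.title): levenshtein(e.url or e.title, target) for e in entries}


def best_matches(entries: List[Entry], url: str, submit_url: Optional[str] = None,
                 match_scheme: bool = False) -> List[Entry]:
    """Return the entries with the minimal Levenshtein distance to CompareToUrl.

    match_scheme mirrors the General-tab scheme option; applying it to the
    given URL (not the SubmitURL) is an assumption of this example.
    """
    candidates = filter_by_scheme(entries, url) if match_scheme else list(entries)
    if not candidates:
        return []
    target = compare_to_url(url, submit_url)
    scored = [(levenshtein(e.url or e.title, target), e) for e in candidates]
    minimum = min(d for d, _ in scored)
    return [e for d, e in scored if d == minimum]


# Constructed sample entries mirroring the README's example table.
SAMPLE_ENTRIES = [
    Entry("host root", "http://www.host.com/"),
    Entry("subdomain1", "http://www.host.com/subdomain1"),
    Entry("subdomain2", "http://www.host.com/subdomain2"),
]

if __name__ == "__main__":
    submit = "http://www.host.com/subdomain1/login"
    for entry_url, d in distance_table(SAMPLE_ENTRIES, "http://www.host.com", submit).items():
        print(f"{entry_url:35} {d}")
    print("best:", [e.url for e in best_matches(SAMPLE_ENTRIES, "http://www.host.com", submit)])
```

Running the script prints the three distances from the README's table (16, 6, 7) and selects http://www.host.com/subdomain1. Note that plain edit distance has no notion of URL structure: an entry for a different host can win if its string happens to be closer, which is why the scheme option and the per-entry allow/deny prompts matter in practice.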