KeePass Settings
Website Documentation for your KeePass client and Pleasant Password Server
It is possible to enforce the settings of the KeePass client with centralized config. The central configuration files are imported into Pleasant Password Server and rules can be managed for those config files per role/user.
This can be used to enforce security policies for settings such as:
- Lock Timeouts
- Generate Passwords
- Export password capability
- Memory security
- Plugin policy
- Certificate security/notifications
- Proxy Settings
Benefits of Centralized Configuration
A centralized configuration management software can significantly streamline the management of security, policies, and assets across teams, saving time and effort.
Improved Security & Privacy
- By centralizing management of policies and permissions, IT managers can enhance security: quickly identify and resolve any deviations from the established security policies. This proactive approach helps prevent potential security breaches. With data privacy and security increasing in importance, compliance & best practices has become more beneficial.
Efficiency and Consistency
- Centralization allows IT managers to apply uniform policies and permissions across the organization, ensuring consistency, reduces errors, and saves time spent on manual configuration.
Scalability
- As the organization grows, so does its IT infrastructure. A centralized system can easily accommodate this growth, allowing IT managers to efficiently manage an expanding number of assets and users.
Related:
Applies to:
- Enterprise edition or higher
Setup Centralized KeePass Policies
To accomplish this, we first need to create a configuration file from KeePass for Pleasant.
-
Open and log in to the KeePass client.
-
Set your configuration settings.
- Most settings can be found in the Tools -> Options dialog.
- There are additional settings that can be found in:
- File -> Database Settings
- Tools -> Generate Password
- Tools -> Tan Wizard
- Tools -> Triggers
- Help -> Help Source
-
Select File -> Export Configuration
- Save the file to a location on your hard drive.
-
Double-Check:
- That the options that you want to enforce, are specified in the config file. If not, go back to KeePass, toggle the option, export the config, and toggle that option in the file back to the value you want.
This configuration file is in a human-readable format called XML. It contains every setting used by KeePass including all of the user interface settings like window position, columns shown, etc.
Open your saved configuration file in a text editor (like Notepad or Notepad++) to edit the configuration file.
Refer to the sample configuration file to see lines that should and may be removed.
Repeat the process if more than one configuration is needed. Once the configuration file(s) are ready, it is time to set up the rules on Pleasant Password Server.
-
Open the Password Server administration web page
- (typically https://localhost:10001/).
-
Log is as an administrator (admin) and go to the Client Config tab.
-
In the first section, click the Upload button and select the KeePass configuration file you created.
- Once the file is uploaded, it will appear in the first table.
- The name may be changed by clicking the Edit button.
-
Create a new User or Role rule.
- Click the Create button on the appropriate table.
- Select a User or Role from the first drop down list.
- Set a value for the Sort Order (only for Role rules, see below).
- Select a configuration file from the second drop down list.
- Click the Save button.
Only one rule can be created for each user and role. Rules are selected on a first-found basis. If a user has a rule, then that is applied. If no user rule is found, then the role rules are searched. If there are multiple matches, then the rule with the lowest Sort Order value will be used. The rule for (everyone) is applied if no other matches are found.
If no rules are found or the configuration file is set to (none), then NO server configuration is enforced and the user will be free to make any changes to their settings. It is recommended that you create a rule for Administrators with a configuration of (none) so that Administrators can continue to have full access to KeePass settings.
The configuration file will be downloaded and applied the next time the user logs in or unlocks the KeePass client. KeePass will need to restart each time a new configuration file is downloaded so that the settings can be enforced.