Skip to content
KeePass 2 plugin to automatically unlock databases with Windows Hello
C#
Branch: master
Clone or download
Latest commit 1f3343b Aug 21, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.github/ISSUE_TEMPLATE Update issue templates Jul 19, 2019
WinHelloUnlock Prepare next version Aug 22, 2019
.gitignore Fix help file and versioning Jul 19, 2019
LICENSE Create Licence Jul 19, 2019
ReadMe.md Update ReadMe.md Aug 22, 2019
ReleaseNotes.md Prepare next version Aug 22, 2019
WinHelloUnlock.sln Initial Commit Jul 19, 2019

ReadMe.md

WinHelloUnlock: Unlock KeePass 2 Databases with Windows Hello

Latest release GitHub issues Github All Releases License

This plugin for KeePass 2 password manager is intended to conveniently Unlock your database using biometrics with Windows Hello technology.

This plugin is heavily based on KeePassWinHello and KeePassQuickUnlock. I am not a programmer, so I copied most of the code from them, but implemented a different way of storing the MasterKey data to allow plugin functionality, even after rebooting your computer, using Password Vault, Password Credentials and Key Credentials from Windows UWP APIs.

Disclaimer

I tried my best to not compromise security! Please, take a look at the code and tell me what could be better. Having said that, we know nothing about Windows Hello internals, and how secure it actually is. By using this plugin, you are putting your trust in my implementation of Windows Hello technology (that you can check on the code), and Windows Hello robustness itself (that you cannot check).

Usage

With this plugin you may:

Unlock your database using Biometric via Windows Hello. Even after completely closing KeePass or rebooting your PC.

Systems Requirements

This plugin relies on Windows Hello API and its requirements.

Tested on HP Spectre x360 with KeePass 2.42.1.

How to Install

Place WinHelloUnlock.dll into Plugins folder in your KeePass installation (by default is C:\Program Files (x86)\KeePass Password Safe 2).

Setup

After installation, open your database and unlock it using your composite key. Unlocking with any combination of Password/KeyFile/WindowsUserAccount is supported. Secure Desktop is supported.

When your database is unlocked, you will be asked if you want to set up WinHelloUnlock.

A Windows Hello prompt will be shown to cryptographically sign and encrypt your Master Key data.

You should receive a confirmation after a successful set up.

Options

The plugin integrates itself into the KeePass settings dialog.

Available settings:

  • Enable or disable the plugin for this particular database. If you disable it, you will not be asked to set WinHelloUnlock every time you unlock your database.
  • Create or delete WinHelloUnlock data for this particular database.

Notes

No sensitive information including master passwords for databases are stored by the plugin in a plain text. A database key is encrypted and decrypted using Windows Hello API in order to unlock the database. KeePass Composite Key data is Encrypted with a Cryptographic Key signed with a Windows Hello Key Credential and saved as a Password Credential to a Password Vault. To decrypt this data, you need to:

  • Have access to the Password Vault
  • Have access to the Cryptographic Key
  • Be able to Cryptographically sign the Cryptographic Key with Windows Hello

So basically, you need to have access to the data, the hardware and the biometrics (or pin).

As I said, I'm not a programmer, so any criticism will be well received. Feel free to commit any change or PR.

Credits

WinHelloUnlock vs KeePassWinHello

By the time this plugin was created, KeePassWinHello did not have to option to remain active after Keepass is completly closed, so that was the main reason for it to be crated in the first place. I think they were working on that option, but I could not help them beacuse I did not understand most of their code (Way too advanced implementation for a beginner like me). I think they save the MasterKey info in memory, but WinHelloUnlock saves it encrypted to a Windows Password Credential.

WinHelloUnlock does not implement a way for the credential to expire (like KeePassWinHello do), but implements a way for the credential to be deleted by the user.

You can’t perform that action at this time.