Quick unlock with Windows Hello for KeePass 2
With this plugin you may:
Unlock your database with your masterkey/keyfile/other provider;
Lock the database (for example, applying autolock on minimize);
When you try to unlock it again, if Windows Hello is available on your system and active for the database, a Windows Hello prompt will be shown over a classic KeePass unlock prompt;
This plugin relies on Windows Hello API and its requirements.
There are some known issues with Windows Hello reported by community. Please, check here before write issue.
Tested on Microsoft Surface Pro 2017 with KeePass 2.39.1 and 2.42.1.
How to Install
Place KeePassWinHelloPlugin.plgx into
Plugins folder in your KeePass installation
(by default is
C:\Program Files (x86)\KeePass Password Safe 2).
Or you can use Chocolatey to install it in a more automated manner:
choco install keepass-plugin-winhello
By default this plugin holds an encrypted master password in memory and removes it upon KeePass closing. In order to be able to unlock your database via Windows Hello authentication in between KeePass launches you may check "Store keys in the Windows Credential Manager" on in the Options dialog. This will prompts you for creating a persistent key signed with your biometry via Windows Hello. The key is used to encrypt master passwords for securely storing them in the Windows Credential Manager.
The plugin integrates itself into the KeePass settings dialog.
- Valid time period (default: 24 hours): Choose how long a saved key will be available. Once this period has expired you need to provide your full password to unlock the database again.
- Storage location: Choose where to hold encrypted master passwords - in the KeePass process memory (by default) or in the Windows Credential Manager.
- Revoke all: Allows you to delete all stored keys.
No sensitive information including master passwords for databases are stored by the plugin in a plain text. A database key is encrypted and decrypted using Windows Hello API in order to unlock the database.