KeePass database files are encrypted. KeePass encrypts the complete database, i.e. not only your passwords. The user names, notes, etc. are encrypted, too.
Databases are encrypted using one of the following block ciphers:
These algorithms are well-known, analyzed thoroughly and considered to be very secure (see  for comments by the NIST on AES for example). AES e.g. became effective as a U.S. Federal government standard and is approved by the National Security Agency (NSA) for top secret information.
KeePass 2.x OnlyKeePass 2.x doesn't support Twofish, but additional encryption algorithms can be provided by plugins.
The block ciphers are used in the CBC (cipher-block chaining) block cipher mode. In CBC mode, plaintext patterns are concealed.
For both algorithms, a 128-bit initialization vector (IV) is generated randomly each time you save the database. This allows multiple databases to be encrypted using the same key without observable patterns being revealed.
Hashing and Key Derivation
In order to generate the 256-bit key for the block ciphers, the Secure Hash Algorithm SHA-256 is used. This algorithm compresses the user key provided by the user (consisting of password and/or key file) to a fixed-size key of 256 bits. This transformation is one-way, i.e. it is computationally infeasible to invert the hash function or find a second message that compresses to the same hash.
When using both password and key file, the final key is
derived as follows:
Random Number Generation
KeePass needs to generate several random bytes (for the IV, the master key salt, etc.). For this, several pseudo-random sources are used: current tick count, performance counter, system date/time, mouse cursor position, memory status (free virtual memory, etc.), active window, clipboard owner, various process and thread IDs, various window handles (active window, desktop, ...), window message stack, process heap status, process startup information and several system information structures. Additionally, KeePass uses random bytes provided by the system's default CSP RNG.
This pseudo-random data is collected in a random pool. To generate 16 random bytes, the pool is hashed (SHA-256) with a counter. The counter is increased after 16 generated bytes. This way, as many secure random bytes can be produced efficiently as needed.
Protection against Dictionary Attacks
KeePass supports a protection against guessing and dictionary attacks.
You can't really prevent these attacks: nothing prevents an attacker to just try all possible keys and look if the database decrypts. But what we can do (and KeePass does) is to make it harder: by adding a constant work factor to the key initialization, we can make them as hard as we want.
To generate the final 256-bit key that is used for the block cipher, KeePass first hashes the user's password using SHA-256, encrypts the result N times using the Advanced Encryption Standard (AES) algorithm (called key transformation rounds from on now), and then hashes it again using SHA-256. For AES, a random 256-bit key is used, which is stored in the database file. As the AES transformations aren't pre-computable (key is random), an attacker has to perform all the encryptions, too, otherwise he cannot try and see if the current key is correct.
An attacker now needs much more time to try a key. If he can only try a few keys per second, a dictionary attack is not practical anymore. N is a work factor, only indirectly a time factor. A super computer can try a key a lot faster than a standard PC, but anyway testing one key with N transformation rounds will take N times longer than trying a key with no transformation rounds on the super computer.
By default, KeePass sets N to 6000 encryption rounds (full encryptions are meant; N has nothing to do with the internal encryption rounds of AES). This number has been chosen in order to provide compatibility with portable device versions (PocketPC processors are slower, therefore the key computation takes longer).
If you are using KeePass on PC only, it is highly recommended to increase the number of key transformation rounds. You can change the number in the database options dialog. Right of the field for the rounds, you'll find a button. When clicking this button, KeePass computes the rounds number that leads to a 1-second delay. Waiting 1 second at database opening isn't a problem, but for an attacker of course it is. But, the number can be freely set to a number of your choice; the button only should give you a rough idea how many rounds can be computed in 1 second on your computer.
This protection feature is only useful for master passwords; key files are random anyway, there's no need to transform the key file contents. Guessing the key file contents is equally hard to a brute-force attack on the final key.
KeePass uses multithreading to compute the transformations (the master key is split up to two parts of 128 bits, which is the AES block size). On dual/multi core processors, the computation can be twice as fast as on a single core processor.
On Windows Vista and higher, KeePass can use Windows' CNG/BCrypt API for the key transformations, which is about 50% faster than the KeePass built-in key transformation code.
KeePassX: In contrast to KeePass, the Linux port project 'KeePassX' only partially supports protection against dictionary and guessing attacks.
Process Memory Protection
While KeePass is running, sensitive data (like the hash of the master key and entry passwords) is stored encryptedly in process memory. This means that even if you would dump the KeePass process memory to disk, you couldn't find any sensitive data.
Additionally, KeePass erases all security-critical memory when it's not needed anymore, i.e. it overwrites these memory areas before releasing them (this applies to all security-critical memory, not only the password fields).
KeePass uses the Windows DPAPI for in-memory encrypting the sensitive data. With DPAPI, the key for in-memory encryption is stored in a secure, non-swappable memory area managed by Windows. DPAPI is available on Windows 2000 and higher. KeePass 2.x always uses DPAPI when it's available; in KeePass 1.x, this can be disabled (in the advanced options; by default using DPAPI is enabled; if it's disabled, KeePass uses the ARC4 encryption algorithm with a random key; note that this is less secure than DPAPI, mainly not because ARC4 cryptographically isn't that strong, but because the key for in-memory encryption is also stored in swappable process memory; similarly, KeePass 2.x falls back to encrypting the process memory using Salsa20, if DPAPI is unavailable). On Unix-like systems, KeePass 2.x uses Salsa20, because Mono doesn't provide any effective memory protection method.
For some operations, KeePass must make sensitive data available unencryptedly in process memory. For example, in order to show a password in the standard list view control provided by Windows, KeePass must pass the cell content (the password) as unencrypted string (unless hiding using asterisks is enabled). Operations that result in unencrypted data in process memory include, but are not limited to: displaying data (not asterisks) in standard controls, searching data, replacing placeholders (during auto-type, drag&drop, copying to clipboard, ...), and computing password quality estimations.
Enter Master Key on Secure Desktop (Protection against Keyloggers)
Note: KeePass was one of the first (maybe even the first) password manager that allows entering the master key on a different/secure desktop!
KeePass 2.x has an option (in 'Tools' -> 'Options' -> tab 'Security') to show the master key dialog on a different/secure desktop (supported on Windows ≥ 2000), similar to Windows' User Account Control (UAC). Almost no keylogger works on a secure desktop.
The option is turned off by default for compatibility reasons.
More information can be found on the Secure Desktop help page.
KeePass 2.x OnlyNote that auto-type can be secured against keyloggers, too, by using Two-Channel Auto-Type Obfuscation.
Locking the Workspace
When locking the workspace, KeePass closes the database file and only remembers its path.
This provides maximum security: unlocking the workspace is as hard as opening the database file the normal way. Also, it prevents data loss (the computer can crash while KeePass is locked, without doing any damage to the database).
KeePass 2.x has an internal viewer/editor for attachments. For details how to use it for working with texts, see 'How to store and work with large amounts of (formatted) text?'.
The internal viewer/editor works with the data in main memory. It does not extract/store the data onto disk.
When trying to open an attachment that the internal viewer/editor cannot handle (e.g. a PDF file), KeePass extracts the attachment to a (EFS-encrypted) temporary file and opens it using the default application associated with this file type. After finishing viewing/editing, the user can choose between importing or discarding any changes made to the temporary file. In any case, KeePass afterwards securely deletes the temporary file (including overwriting it).
Each time you start KeePass, the program performs a quick self-test to see whether the block ciphers and the hash algorithms work correctly and pass their test-vectors. If one of the algorithms doesn't pass its test vectors, KeePass shows a security exception message box.
This section gives answers to questions like the following:
The answer to all these questions is: no. Adding any of these features would not increase security.
All security features in KeePass protect against generic threats like keyloggers, clipboard monitors, password control monitors, etc. (and against non-runtime attacks on the database, memory dump analyzers, ...). However in all the questions above we're assuming that there's a spyware program running on the system that's specialized on attacking KeePass.
In this situation, the best security features will fail. This is law #1 of the 10 Immutable Laws of Security  : "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore".
For example, consider the following very simple spyware specialized for KeePass: an application that waits for KeePass to be started, then hides the started application and imitates KeePass itself. All interactions (like entering a password for decrypting the configuration, etc.) can be simulated. The only way to discover this spyware is to use a program that the spyware doesn't know about or can't manipulate (secure desktop); in any case it can't be KeePass.
References and Further Reading
 National Institute of Standards and Technology: Report on the Development of the Advanced Encryption Standard (AES) (PDF).
 Bruce Schneier's blog: SHA-1 broken.
 Bruce Schneier's blog: Cryptanalysis of SHA-1, with comments about the impact of that discovery and what to do now.
 Scott Culp, Microsoft TechNet Essay, 2000: 10 Immutable Laws of Security.
 Jesper M. Johansson, Microsoft TechNet Magazine, 2008: Revisiting the 10 Immutable Laws of Security, Part 1.