Plugins (2.x)

Installation, uninstallation and security of KeePass 2.x plugins.


Introduction

KeePass features a plugin framework. Plugins can provide additional functionality, like support of more file formats for import/export, network functionalities, backup features, etc.


Online Resources

Plugins can be found on the Plugins page.


Installation and Uninstallation

If there are no explicit instructions on how to install the plugin, follow these steps:

  1. Download the plugin from the page above and unpack the ZIP file to a new folder.
  2. In KeePass, click 'Tools' → 'Plugins' → button 'Open Folder'; KeePass now opens a folder called 'Plugins'. Move the new folder (containing the plugin files) into the 'Plugins' folder.
  3. Restart KeePass in order to load the new plugin.

To uninstall a plugin, delete the plugin files.

Linux:
On some Linux systems, the mono-complete package may be required for plugins to work properly.

Portability:
PLGX plugins are compiled by KeePass and the generated files are stored in a plugin cache, which by default is located in the user's application data directory (so, running a PLGX plugin by default creates files outside the KeePass application directory). These plugin cache files do not need to be copied to other systems though, because they are generated on each system and do not contain any user data.


Security

Plugins must be stored in the 'Plugins' folder of the KeePass application directory. An attacker who can copy a malicious plugin into this folder could typically also replace the 'KeePass.exe' file with malware. As protection against such attacks, an appropriate file system access control list (ACL) should be used (for the whole KeePass application directory, including the 'Plugins' folder); administrator privileges should be required for write access.

  • The KeePass installer and the MSI package install KeePass into the Program Files directory by default. This directory typically has an appropriate ACL, and the KeePass application directory inherits this ACL. So, you do not need to specify an ACL manually.
  • If you installed KeePass to a different directory or if you use the portable package, it is recommended that you specify an appropriate ACL manually.
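The following PowerShell script is an added example (not part of the KeePass documentation) that audits the ACLs of a KeePass application directory and its 'Plugins' subfolder: it reports every access control entry granting write-type rights to a principal other than the local Administrators group, SYSTEM or TrustedInstaller, which is the condition the text above says an ACL should prevent. The install path and the set of trusted principals are assumptions; adjust them for a custom or portable installation.

```powershell
# Added example, not KeePass project code. Assumed install location; for the
# portable package point this at the folder you unpacked KeePass into.
$KeePassDir = 'C:\Program Files\KeePass Password Safe 2'

# Principals that are expected to hold write access (assumption: a default
# Windows machine; add your own administrative groups if needed).
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             'NT SERVICE\TrustedInstaller')

# Rights that allow creating, replacing or deleting files or changing the ACL.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
                   $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor
                   $R::TakeOwnership)
# Generic rights appear as raw bits in some ACEs: GENERIC_ALL and GENERIC_WRITE.
$WriteMask = $WriteMask -bor 0x10000000 -bor 0x40000000

function Get-UnexpectedWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @()
foreach ($dir in @($KeePassDir, (Join-Path $KeePassDir 'Plugins'))) {
    if (Test-Path -LiteralPath $dir) { $findings += Get-UnexpectedWriteAce -Path $dir }
}

if ($findings.Count -eq 0) {
    "OK: only trusted principals can write to $KeePassDir"
} else {
    "Write access granted to non-administrators (harden the ACL):"
    $findings | Format-Table -AutoSize
    # One way to restrict writes to administrators (run elevated), e.g.:
    # icacls "$KeePassDir" /inheritance:r /grant:r "Administrators:(OI)(CI)F" `
    #        "SYSTEM:(OI)(CI)F" "Users:(OI)(CI)RX"
}
```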

DLL vs. PLGX:
KeePass supports two plugin file formats: DLL and PLGX. A DLL plugin is loaded directly, whereas KeePass needs to compile a PLGX plugin to a DLL plugin first, which is then stored in a plugin cache (see the section below).

By default, the user has write access in the PLGX plugin cache directory (without administrator privileges). This is not a security vulnerability. Let us assume that an attacker has write access in the plugin cache directory and the goal is code execution. The plugin cache folder is typically located in the user's profile directory and has the same ACL, i.e. the attacker has write access in the user's profile directory. With this, there are many ways to execute malware (a few examples can be found here: 'Write Access to Configuration File'). Stand-alone malware can also be specialized in attacking KeePass (see 'Specialized Spyware'); it does not need to be a plugin for this. Furthermore, anti-virus software scans all files containing executable code (EXE, DLL, ...); malware is either detected or not, independent of where in the user's profile directory it is stored.

If you worry about this anyway, consider adjusting the ACL of the PLGX plugin cache directory to require administrator privileges for write access. Note though that this may result in some plugins not working properly anymore (those that assume they have write access in the plugin cache directory), and the KeePass option 'Delete old files from cache automatically' may also no longer work.

In the case of a dual package (DLL and PLGX in the same folder), KeePass loads the DLL file (and ignores the PLGX file), if possible.


Cache

PLGX plugins (not DLL plugins) are compiled and stored in a plugin cache directory on the user's system. This cache improves the startup performance of KeePass. Old files are normally deleted from the cache automatically (this can be disabled in the plugins dialog). The cache does not contain any user data.

By default, the plugin cache is located in the user's local application data directory (%LOCALAPPDATA%\KeePass\PluginCache). However, this can be overridden using the Application/PluginCachePath setting in the enforced configuration file (this setting supports placeholders and environment variables). So, if you are, for example, using KeePass on a portable device and do not want the cache to be on the host system, you could set the path to {APPDIR}\PluginCache.

Warning: Do not relocate the plugin cache into the 'Plugins' folder of the KeePass application directory, because this can result in a severe performance degradation.
