






KeePass 1.24 and 2.20 Header Authentication

Problem and solutions when upgrading to KeePass 1.24 and 2.20.


Problem

KeePass 1.24 and 2.20 introduced authentication of header data in KDB and KDBX database files. This is a security improvement for the file formats to prevent silent data removal/corruption attacks.

The feature has been designed and implemented in a forward-compatible way for both formats. KeePass 1.23 and 2.19 can still open KDB and KDBX files created by KeePass 1.24 and 2.20. Obviously, KeePass 1.23 and 2.19 do not know anything about the header authentication yet and thus do not detect tampered headers; the newer KeePass versions are required for this.
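A simplified model of the behaviour described above, as an added example that is not KeePass code and does not use the real KDB/KDBX layout: it assumes the writer stores a SHA-256 digest of the raw header as an optional field inside the protected body. The `TOYDB` signature, the field ids and all function names are made up for the illustration.

```python
import hashlib
import hmac
import json
import struct

MAGIC = b"TOYDB"  # constructed toy signature, not the KDB/KDBX one
# Constructed sample header fields: (id, data)
FIELDS = [(1, b"aes"), (2, struct.pack("<Q", 6000))]

def build_header(fields):
    """Signature, then id(1) | length(2, LE) | data records, closed by id 0."""
    out = bytearray(MAGIC)
    for fid, data in fields:
        out += struct.pack("<BH", fid, len(data)) + data
    return bytes(out + struct.pack("<BH", 0, 0))

def save(fields, entries, with_header_hash=True):
    """The JSON body stands in for the encrypted, integrity-protected payload."""
    header = build_header(fields)
    body = {"entries": entries}
    if with_header_hash:  # optional field: older readers never look at it
        body["header_hash"] = hashlib.sha256(header).hexdigest()
    return header + json.dumps(body).encode()

def split(blob):
    """Return (raw header bytes, decoded body)."""
    if not blob.startswith(MAGIC):
        raise ValueError("bad signature")
    pos = len(MAGIC)
    while True:
        fid, length = struct.unpack_from("<BH", blob, pos)
        pos += 3 + length
        if fid == 0:
            return blob[:pos], json.loads(blob[pos:])

def open_old(blob):
    """Reader without header authentication: trusts whatever the header says."""
    return split(blob)[1]["entries"]

def open_new(blob):
    """Reader with header authentication: recompute the digest and compare."""
    header, body = split(blob)
    stored = body.get("header_hash")
    if stored is not None:  # files written by older versions carry no digest
        actual = hashlib.sha256(header).hexdigest()
        if not hmac.compare_digest(stored, actual):
            raise ValueError("header modified or corrupted")
    return body["entries"]

def flip_bit(blob, offset):
    """Simulate corruption of one header byte."""
    return blob[:offset] + bytes([blob[offset] ^ 1]) + blob[offset + 1:]
```

A file whose header was changed after saving, for example `flip_bit(save(FIELDS, ["entry"]), 14)`, still opens with `open_old` but is rejected by `open_new`; a file saved without the digest opens in both readers.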

However, some KeePass ports (like KeePassBB2 2.0.1527) check compatibility incorrectly or perform non-standard validations, resulting in the inability to open KDB and KDBX files created by KeePass 1.24 and 2.20. These ports must be updated in order to be able to open the newer file formats.


Solutions

Until all KeePass ports have been updated, there are three solutions:

  • Continue using KeePass 1.23 and 2.19.
    KeePass 1.23 and 2.19 are the last versions that do not save files in the newer format yet.

    If you already upgraded to KeePass ≥ 1.24 or ≥ 2.20 and want to downgrade now, you can find the older KeePass builds in the KeePass Downloads Archive. After downgrading the application, open your KDB/KDBX file (possible due to the forward compatibility mentioned above) and save it. The saved file can then be opened using the port again.

  • KeeOldFormatExport plugin for KeePass ≥ 2.20.
    The KeeOldFormatExport plugin adds support for exporting to old KeePass file formats (KDB 1.23 and KDBX 2.19). The export process can be automated. For details, please see the ReadMe file of the plugin.

  • KdbxDowngrade plugin for KeePass ≥ 2.20.
    If the KeePass port only checks compatibility incorrectly, but does not perform non-standard validations, the following approach using a plugin can be used. The KdbxDowngrade plugin can be downloaded here:

    After unpacking the package and copying the plugin into the KeePass application directory (where KeePass.exe is), two files are created each time you save a database:

    • <Name>.kdbx. This is the normal database file saved by KeePass. It can be opened by KeePass ≥ 2.20, but not by the port.
    • <Name>_Downgraded.kdbx. This is a modified version of the database file. The port can open this file. However, it cannot be opened by KeePass ≥ 2.20, because it detects a modification of the header and interprets it as corruption.

    So, when using this approach, you work with the normal database file on the PC, and the port uses the <Name>_Downgraded.kdbx file. Changes to the database must be made using the PC application (changes made to <Name>_Downgraded.kdbx are ignored and overwritten).

    Again, we would like to emphasize that this plugin approach only works for some ports, not for all (it does not work for ports performing non-standard validations). It does work e.g. with KeePassBB2 2.0.1527.

Of course, as soon as an updated version of the port is available, it is highly recommended to install the latest versions of both KeePass and the port.


For Developers

The source code of the KdbxDowngrade plugin can be downloaded here: KdbxDowngrade v1.1 for KeePass ≥ 2.20.




