KeePass Help Center KeePass Home | Downloads | Translations | Plugins | Donate 
Help Center Home | Forums | Awards | Links 

Application Policy

Details about the application policy system within KeePass.

Help for Users

Application policy is a KeePass feature that enables administrators to prevent you from accidently compromising the security system of your company.

Operations like exporting entries to non-encrypted files or printing for example can be prevented effectively using the application policy.

If you are using KeePass at home, you can ignore the application policy (everything allowed anyway) or reduce your rights using the policy yourself, in order to avoid accidental leakage of sensitive information.

In order to prevent changing the policy after it has been specified, it is recommended to use an enforced configuration file.

Help for Administrators

KeePass can be installed on a network drive and a policy can be enforced (like not permitting users to print the entry list).

The application policy enforcement is based on the mechanism how KeePass stores configuration settings. You first need to understand this method before you can continue creating a policy; see the configuration help page.

A policy-enforcing KeePass installation looks like the following: the KeePass application files are stored on the network drive and all users are starting KeePass from this drive (i.e. they only have links to the executable on the network drive). By using an enforced configuration file on the network drive (remember that this file overrides all others), a policy can be enforced.

In order to create such an installation, follow these steps:

  1. Copy KeePass to a shared network drive that supports file access rights (like NTFS).
  2. Create an enforced configuration file that enforces the application policy settings that you wish.
  3. Adjust the file access rights: allow users only to read and execute all KeePass files, no write access.

Policy Security

Recall what the policy mechanism looks like: KeePass and the configuration file are stored on the network drive. If you grant your users free access to the Internet or allow them to insert CD-ROMs/DVDs/USB-sticks, nothing prevents a user to download a separate copy of KeePass and run it. In this case the policy isn't enforced, as the downloaded KeePass doesn't know anything of the enforced configuration file on the network drive.

Policy enforcement therefore only is effective if your users really use the KeePass version installed on the network drive.

Get KeePass