

Application Policy

Details about the application policy system within KeePass.

Help for Users

Application policy is a KeePass feature that enables administrators to prevent you from accidentally compromising the security system of your company.

For example, operations such as exporting password entries to non-encrypted files or printing can be prevented effectively using the application policy.

If you are using KeePass at home, you can ignore the application policy (everything is allowed anyway) or use the policy to reduce your own rights, in order to avoid accidental leakage of sensitive information.

In order to prevent changing the policy after it has been specified, it is recommended to use an enforced configuration file.

Help for Administrators

KeePass can be installed on a network drive and a policy can be enforced (like not permitting users to print the password list).

Application policy enforcement is based on the way KeePass stores configuration settings. You need to understand this mechanism before you can continue creating a policy; see Configuration.

A policy-enforcing KeePass installation looks like the following: the KeePass application files are stored on the network drive and all users start KeePass from this drive (i.e. they only have links to the executable on the network drive). By using an enforced configuration file on the network drive (remember that this file overrides all others), a policy can be enforced.

In order to create such an installation, follow these steps:

  1. Copy KeePass to a common network drive, which supports file permissions (like NTFS). All users must have access to it.
  2. Adjust the file permissions: allow users only to read and execute all KeePass files, don't allow write access.
  3. Adjust the file permissions for KeePass.exe: only Execute must be allowed, all other permissions should be disabled (including Read access).
  4. Start KeePass. Open the Options dialog, switch to the Policy tab and configure the policy. Exit KeePass.
  5. Rename the KeePass.config.xml file to KeePass.config.enforced.xml.

That's it. You have created a policy that is enforced on all computers, including your own (until you change the enforced configuration file on the network drive).
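An added example (not part of the KeePass documentation): a read-only PowerShell audit that checks an existing installation against steps 2, 3 and 5 above. The share path and the list of trusted identities are placeholders; the script inspects ACL entries as listed and does not resolve nested group membership or Deny entries.

```powershell
# Added example: read-only audit of a policy-enforcing KeePass installation.
# $InstallDir and $Trusted are assumptions; adjust both for your environment.
param(
    [string]$InstallDir = '\\fileserver\apps\KeePass',                      # hypothetical share path
    [string[]]$Trusted  = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') # may keep write access
)

$R = [System.Security.AccessControl.FileSystemRights]
# Rights that allow changing a file, its permissions or its owner (plus GENERIC_WRITE / GENERIC_ALL).
$writeMask = [int]($R::WriteData -bor $R::AppendData -bor $R::WriteAttributes -bor
    $R::WriteExtendedAttributes -bor $R::Delete -bor $R::DeleteSubdirectoriesAndFiles -bor
    $R::ChangePermissions -bor $R::TakeOwnership -bor 0x40000000 -bor 0x10000000)

function Get-UntrustedAllow {
    param([string]$Path)
    # Allow entries that apply to this object (explicit or inherited) for identities outside $Trusted.
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.PropagationFlags -notmatch 'InheritOnly' -and
        $Trusted -notcontains $_.IdentityReference.Value
    }
}

$findings = @()

# Step 5: the enforced configuration file must exist next to KeePass.exe.
if (-not (Test-Path -LiteralPath (Join-Path $InstallDir 'KeePass.config.enforced.xml'))) {
    $findings += 'KeePass.config.enforced.xml is missing'
}

# Step 2: users may read and execute, but must not be able to write anywhere in the directory.
$items = @(Get-Item -LiteralPath $InstallDir) + @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force)
foreach ($item in $items) {
    foreach ($ace in (Get-UntrustedAllow $item.FullName)) {
        if ([int]($ace.FileSystemRights) -band $writeMask) {
            $findings += "$($item.FullName): $($ace.IdentityReference) has write-type rights ($($ace.FileSystemRights))"
        }
    }
}

# Step 3: KeePass.exe must be execute-only for users (no Read access).
$exe = Join-Path $InstallDir 'KeePass.exe'
foreach ($ace in (Get-UntrustedAllow $exe)) {
    if ([int]($ace.FileSystemRights) -band [int]($R::ReadData)) {
        $findings += "${exe}: $($ace.IdentityReference) can read the executable"
    }
}

if ($findings) { $findings; exit 1 } else { 'Installation matches the documented permissions.' }
```

Run it from an account that can read the ACLs on the share; a non-zero exit code means at least one deviation was listed.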

Policy Security

Recall what the policy mechanism looks like: KeePass and the configuration file are stored on the network drive. If you grant your users free access to the internet or allow them to insert CD-ROMs/DVDs/USB sticks, nothing prevents a user from downloading a fresh copy of KeePass and running it. In this case the policy isn't enforced, as the downloaded KeePass doesn't know anything about the enforced configuration file on the network drive.

Policy enforcement is therefore only effective if your users really use the KeePass version installed on the network drive.

Copyright © 2003-2017 Dominik Reichl