KeePass   KeePass Help Center Home KeePass Home | Package Downloads | Flag Translations | Blocks Plugins | Donate Donate  
Home Help Center Home | People Forums | Award Awards | Link Links  


Plugin Development

How to develop plugins for KeePass 2.x.

This documentation applies to KeePass 2.x plugins. 2.x plugins are fundamentally different from 1.x plugins. 1.x plugins cannot be loaded by KeePass 2.x.

Info  Requirements

Before you can start developing a KeePass plugin, you need the following prerequisites:

Info  Step-by-Step Tutorial

Start your favorite IDE and create a new C# Class Library project (for the .NET Framework, not .NET Standard/Core). In this tutorial, the example plugin we're developing is called SamplePlugin. The first thing you need to do now is to add a reference to KeePass: go to the references dialog and select the KeePass.exe file (from the portable ZIP package). After you added the reference, the namespaces KeePass and KeePassLib should be available.

All KeePass plugins need to derive from a base KeePass plugin class (Plugin in the KeePass.Plugins namespace). By overriding methods and properties of this class, you can customize the behavior of your plugin.

A minimal plugin looks like this:

using System;
using System.Collections.Generic;

using KeePass.Plugins;

namespace SamplePlugin
	public sealed class SamplePluginExt : Plugin
		private IPluginHost m_host = null;

		public override bool Initialize(IPluginHost host)
			if(host == null) return false;
			m_host = host;
			return true;

You can find a fully documented and extended version of this simple plugin on the KeePass plugins web page.

This plugin does exactly nothing, but it shows some important conventions already, which must be followed by all plugins:

  • The namespace must be named like the DLL file without extension. Our DLL file is named SamplePlugin.dll, therefore the namespace must be called SamplePlugin.
  • The main plugin class (which KeePass will instantiate when it loads your plugin) must be called exactly the same as the namespace plus "Ext". In this case: "SamplePlugin" + "Ext" = "SamplePluginExt".
  • The main plugin class must be derived from the KeePass.Plugins.Plugin base class.

The Initialize function is the most important one and you probably will always override it. In this function, you get an interface to the KeePass internals: an IPluginHost interface reference. Through this interface you can access the KeePass main menu, the currently opened database, etc. The Initialize function is called immediately after KeePass loads your plugin. All initialization should be done in this method (not in the constructor of your plugin class!). If you successfully initialized everything, you must return true. If you return false, KeePass will immediately unload your plugin.

A second function that you will need very often is the Terminate method:

public override void Terminate()

This function is called shortly before KeePass unloads your plugin. You cannot abort this process (it's just a notification and your last chance to clean up all used resources, etc.). Immediately after you return from this method, KeePass can unload your plugin. It is highly recommended to free all resources in this method (not in the destructor of your plugin class!).

We're almost done! We now need to tell KeePass that our file is a KeePass plugin. This is done by editing the Version Information Block of the file. Open the file version editing dialog (in Visual Studio 2005: right-click onto the project name → 'Properties' → button 'Assembly Information'). All fields can be assigned freely except the Product Name field (for more information see Plugin Conventions). This field must be set to "KeePass Plugin" (without the quotes).

That's it! Now try to compile your plugin and copy the resulting DLL file into the KeePass directory. If you start KeePass and go to the plugins dialog, you should see your plugin in the list of loaded plugins.

Info  Providing the Primary Menu Item

[The following applies to KeePass ≥ 2.41, not ≤ 2.40]

Most plugins provide a primary menu item, which KeePass typically shows in the 'Tools' menu. Such a menu item can be supplied to KeePass by overriding the GetMenuItem method of your plugin class (which derives from the Plugin base class). This method should construct and return a ToolStripMenuItem.

The text of the menu item should be the name of your plugin or start with the name of your plugin. For example, a plugin 'Abcd' that wants to provide one menu item only (for accessing the plugin options) could set the text of the menu item to 'Abcd Options'. If the plugin supports multiple commands, set the menu item's text to the plugin name (e.g. 'Abcd') and add a subitem for each command.

The GetMenuItem method should always construct and return a new ToolStripMenuItem. Do not cache the menu item or any of its subitems for later purposes (KeePass may invoke the GetMenuItem method multiple times and show the menu items in multiple places; if your plugin would cache the menu item, trying to show it in multiple places would result in problems, because a ToolStripMenuItem can have only one parent item).

KeePass takes ownership of the returned menu item (and its subitems). The plugin should not add or remove the item to/from any menu itself.

If your plugin does not have any options and no command that is suitable as primary plugin command, no menu item for the plugin is necessary. In this case, do not override the GetMenuItem method.


public override ToolStripMenuItem GetMenuItem()
	ToolStripMenuItem tsmi = new ToolStripMenuItem();
	tsmi.Text = "Abcd Options";
	tsmi.Click += this.OnOptionsClicked;
	return tsmi;

private void OnOptionsClicked(object sender, EventArgs e)
	// Called when the menu item is clicked

For an example how to create a primary menu item with subitems, see the SamplePlugin example plugin (obtainable from the KeePass plugins page).

Info  Plugin Conventions

File Version Information Block:

KeePass uses the file version information block to detect if a DLL file is a KeePass plugin and retrieves information from it to show in the plugins dialog. The fields are used as follows:

  • Title: Should contain the full name of the plugin.
  • Description: Should contain a short description (not more than 5 lines) of your plugin.
  • Company: Should contain the author name of the plugin.
  • Product Name: Must be set to "KeePass Plugin" (without the quotes).
  • Copyright: Not used by KeePass; freely assignable by the plugin.
  • Trademarks: Not used by KeePass; freely assignable by the plugin.
  • Assembly Version: Should be set to the version of your plugin.
  • File Version: Should be set to the version of your plugin. It is up to you how you are versioning your plugin builds, but it should be a scheme that allows version comparisons (by comparing the version components). Do not use asterisks for creating a version number at build time.
  • GUID: Not used by KeePass; freely assignable by the plugin.

Namespace and Class Naming:

The namespace must be named like the DLL file without extension. For example, if the DLL file is named SecretImporter.dll, you must call the namespace SecretImporter.

The plugin class must be named like the namespace plus "Ext". For the SecretImporter plugin, this would be SecretImporterExt.

Exchange  Update Checking

The update check of KeePass ≥ 2.18 can also check for plugin updates. Update check support is optional; plugins don't have to support update checks.

In order to support update checks, plugin developers need to do the following:

  • Provide version information file. When an end-user invokes an update check, KeePass downloads a version information file, which specifies the current version numbers of one or more plugins. Every plugin author hosts an own version information file. The format of the version information file is described in detail below.
  • Let KeePass know. In order to be able to check the plugin's version, KeePass must know where your version information file is located. To let KeePass know, override the UpdateUrl string property of your plugin class (the one derived from Plugin) to return the full, absolute URL of your version information file. This should be an https:// URL (for backward compatibility, KeePass also supports http:// and ftp://, but for security reasons https:// should be used).

Plugin developers have to update their version information file each time they release new versions of their plugins.

Version information file format.

  • The file is a simple text file. It must be encoded using UTF-8 without a byte order mark (KeePass ≥ 2.21 supports UTF-8 BOMs in version information files, however for compatibility with KeePass < 2.21 it is recommended not to use a BOM). All line endings are supported.
  • The first line of the file must start with a separator character of your choice. The separator character may be any character, but it must not appear within plugin names and versions. Suggested is ':'.
  • Each of the following lines specifies a plugin name and its currently available version, separated by the separator character that was specified in the header line.
  • As plugin name, the value of the 'Title' field in the version information block of the plugin must be specified. For managed plugins, this is the value specified using the AssemblyTitle assembly attribute.
  • As version number, the value of the file version in the version information block of the plugin must be specified. For managed plugins, this is the value specified using the AssemblyFileVersion assembly attribute. Trailing .0 may be removed (e.g. specify 1.3 instead of
  • The file must end with a line containing only the separator character.
  • You may optionally compress your version information file using GZip (note this is not the same as Zip). The file name must then end with ".gz".

Example. Let's assume you're developing two plugins: MyPlugin1 (version 1.5) and MyPlugin2 (version Then your version information file could look as follows:


If you've developed multiple plugins, it is recommended to create one version information file, list all your plugins in this file and specify the URL of the file in all your plugins. When KeePass checks for updates, it'll download your version information file only once. This reduces network traffic and is faster than downloading a version information file for every plugin separately.

Signing. Since KeePass 2.34, you can optionally digitally sign your version information file using RSA / SHA-512.

  • An RSA key pair can for instance be generated like the following:
    using(RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(4096))
    	rsa.PersistKeyInCsp = false;
    	Console.WriteLine("Private key: " + rsa.ToXmlString(true));
    	Console.WriteLine("Public key: " + rsa.ToXmlString(false));
    All key lengths supported by RSACryptoServiceProvider are supported by KeePass (up to .NET 4.5 that is 384 to 16384 bits in 8 bit steps). We recommend at least 2048 bits; the main version information file (containing the KeePass version) uses 4096 bits.
  • In order to tell KeePass to accept a specific version information file only when it's verifiable with a specific public key, your plugin must call the UpdateCheckEx.SetFileSigKey method to associate the specified URL with the specified public key. The public key must be an XML string in the format as returned by the RSACryptoServiceProvider.ToXmlString method. Do not store the private key in your plugin, only the public key.
  • To sign an unsigned version information file, hash all trimmed non-empty lines between the header and the footer line using SHA-512, UTF-8 encoding, each line terminated by '\n' (not "\r\n"). Sign the hash using the private key (if you're using RSACryptoServiceProvider: load the private key using its FromXmlString method, then compute the signature using the SignData method). Encode the hash using Base64 and append it to the first line of the version information file.

Info  Can KeePass 2.x Plugins be Written in Unmanaged C++?

Yes and no. You can write the logic of your plugin in unmanaged C++ (native Win32 APIs can be used). However, you must provide a managed interface to your plugin, i.e. you must export a managed class derived from the Plugin base class as described in the step-by-step tutorial. Also, managed C++ is required to modify the KeePass internals (entries, groups, main window, ...).

For an example how to use unmanaged APIs in a managed C++ plugin assembly, see the SamplePluginCpp sample plugin (obtainable from the KeePass plugins page).

Due to compatibility reasons, it is highly recommended to develop plugins in C#, not in C++.

Info  PLGX Files

PLGX is an optional plugin file format for KeePass ≥ 2.09. Instead of compiling your plugin to a DLL assembly, the plugin source code files can be packed into a PLGX file and KeePass will compile the plugin itself when loading it. The advantage of this approach is that plugins don't need to be recompiled by the plugin developers for each KeePass release anymore (as KeePass compiles the plugin itself, the generated plugin assembly references the current, correct KeePass assembly). Instead of shipping a plugin DLL assembly, you ship the PLGX.

For users, nothing changes. Instead of putting the plugin DLL assembly into the KeePass application directory, the PLGX file needs to be put there.

KeePass ≥ 2.14 also loads older plugin DLLs. However, an API within KeePass might have changed and .NET detects this when the plugin tries to call/access the method/class, not at loading time. This means that an incompatibility is detected relatively late and might crash KeePass. In contrast, when using the PLGX format, an incompatibility is detected immediately at loading time: if there is a problem, the compile process will just fail and KeePass can present an informative plugin incompatibility message to the user. Therefore, it is recommended that plugin developers create/ship PLGX files, not DLLs.

Creating PLGX files. PLGX files can be created from plugin sources by calling KeePass.exe with the --plgx-create command line option. If you additionally pass a path to the plugin sources directory (without terminating separator), KeePass will use this one; otherwise it'll show a folder browser dialog to allow you selecting the directory. If you want to pass the directory location using the command line, make sure that you're specifying a full, absolute path -- relative paths will not work.

In order to keep the size of the PLGX file small, it is recommended that you clean up the plugin sources directory before compiling the PLGX. Remove all unnecessary binary files (files in the bin and obj directory); especially, delete any plugin assembly DLL that you compiled yourself. Temporary files by the IDE (like .suo and .user files) can also be deleted.

PLGX features.

  • Extensible, object-oriented file format.
  • Compression support (data files are compressed using GZip).
  • .csproj support. KeePass retrieves all information required for compiling the plugin assembly from the .csproj file in the plugin sources.
  • Embedded resources support.
  • Referenced .NET assemblies support. References information is read from the .csproj file.
  • Referenced custom assemblies support. Third-party assemblies required by the plugin (references to DLLs) are supported, provided that the third-party assembly is located in the plugin source code directory (or any subdirectory of it).
  • ResX support. .resx files are automatically compiled to binary .resources files.
  • PLGX cache. PLGX files are compiled once and the generated assembly is stored in a cache. For all following KeePass starts, no compiling is required.
  • PLGX cache maintenance. The size of the PLGX cache can be seen in the KeePass plugins dialog. Here, the cache can also be marked to be cleared (it will be cleared when KeePass is started the next time). An option to automatically delete old files from the cache is supported and enabled by default.

PLGX limitations.

  • Currently only C# is supported (not Visual Basic or any other .NET language).
  • Linked resources (in different assemblies) are unsupported.
  • Dependencies on other projects are unsupported (reorganize your project to use custom assembly references instead).

Defining prerequisites. You can optionally specify a minimum KeePass version, a minimum installed .NET Framework, an operating system and the minimum size of a pointer (x86 vs. x64) using the --plgx-prereq-kp:, --plgx-prereq-net:, --plgx-prereq-os: and --plgx-prereq-ptr: command line options. If one of the plugin prerequisites isn't met, KeePass shows a detailed error message to the end-user (instead of a generic plugin incompatibility message). Build example:
KeePass.exe --plgx-create C:\YourPluginDir --plgx-prereq-kp:2.09 --plgx-prereq-net:3.5

Valid operating system values are Windows and Unix. When running on an unknown operating system, KeePass defaults to Windows. Pointer sizes (checking for x86 vs. x64) are specified in bytes; for example, to only allow running on x64, you specify --plgx-prereq-ptr:8.

Build commands. Optionally you can specify pre-build and post-build commands using --plgx-build-pre: and --plgx-build-post:. These commands are embedded in the PLGX file and executed when compiling the plugin on the end-user's system.

In the build commands, the placeholder {PLGX_TEMP_DIR} specifies the temporary directory (including a terminating separator), to which the files were extracted. In the post-build command, {PLGX_CACHE_DIR} is replaced by the cache directory of the plugin (including a terminating separator), into which the generated assembly was stored.

These build commands can for example be used to copy additional files into the cache directory. Example:
KeePass.exe --plgx-create C:\YourPluginDir --plgx-build-post:"cmd /c COPY """{PLGX_TEMP_DIR}MyFile.txt""" """{PLGX_CACHE_DIR}MyFile.txt""""

In order to specify a quote character on the command line, it has to be encoded using three quotes (this is Windows standard, see MSDN: SHELLEXECUTEINFO). So, the command line above will actually embed the post-build command cmd /c COPY "{PLGX_TEMP_DIR}MyFile.txt" "{PLGX_CACHE_DIR}MyFile.txt" into the PLGX, which is correct. It is highly recommended to surround paths including PLGX placeholders using quotes, otherwise the command will not run correctly if the path contains a space character (which happens very often).

If you need to run multiple commands, write them into a batch file and execute it (with cmd). If you need to perform more complex build tasks, write an own building executable and run it using the build commands (typically it is useful to pass the directory locations as arguments to your building executable), for example:
KeePass.exe --plgx-create C:\YourPluginDir --plgx-build-post:"{PLGX_TEMP_DIR}MyBuild.exe {PLGX_TEMP_DIR} {PLGX_CACHE_DIR}"

PLGX debugging. When the command line option --debug is passed and a PLGX plugin fails to compile, the output of all tried compilers is saved to a temporary file.

Valid XHTML 1.0 Transitional Document

Get KeePass

Copyright © 2003-2018 Dominik Reichl, [Legal Contact / Imprint] [Terms & Privacy] [Acknowledgements] [Donate]