Passwords and Key-Disks

KeePass stores your passwords securely in an encrypted database. This database is locked with a master password and/or a key-disk.


Master Passwords

If you use a master password, you only have to remember one password or passphrase, so it should be a good one. KeePass has some basic protection against brute-force and dictionary attacks; read the security information page for more about this.

If you forget this master password, all your other passwords in the database are lost, too. There is no backdoor and no key that can open all databases. There is no way of recovering your passwords.


Key-Disks

You don't even have to remember a long, complicated master passphrase. The database can alternatively be locked using a key-disk. A 'key-disk' is just a normal disk which holds a file with password bytes (KeePass can generate such disks for you). If you want, you can also select the key-file (which is stored on the key-disk) manually, so one disk can store multiple keys for multiple databases. In this case, you have to tell KeePass which file it should use; you can no longer simply select a drive (when you just select a drive, KeePass assumes that it should load the 'pwsafe.key' file in the root directory of the disk).

If you lose the key-disk (or, more precisely, the key-file) and have no backup copy of the key-file, your passwords in the database are lost, too. It's just the same as forgetting the master password.

To back up a key-disk, back up the file 'pwsafe.key', which is stored in the root directory of your key-disk. If you've chosen to select the key-file manually (i.e. it's not automatically named 'pwsafe.key'), you need to back up that file instead.
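
The backup step described above can be scripted and verified. This is an added example, not part of KeePass or its documentation; the function names and the backup directory are assumptions, and the sample key bytes are constructed.

```python
import hashlib
import shutil
from pathlib import Path

DEFAULT_KEY_NAME = "pwsafe.key"  # file KeePass loads when only a drive is selected


def resolve_key_file(source: Path) -> Path:
    """A drive or directory means its root-level pwsafe.key; a file means itself."""
    key = source / DEFAULT_KEY_NAME if source.is_dir() else source
    if not key.is_file():
        raise FileNotFoundError(f"no key-file at {key}")
    return key


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of the file contents, used to compare original and copy."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def backup_key_file(source: Path, backup_dir: Path) -> Path:
    """Copy the key-file into backup_dir and verify the copy byte for byte."""
    key = resolve_key_file(source)
    backup_dir.mkdir(parents=True, exist_ok=True)
    target = backup_dir / key.name
    original_digest = sha256_of(key)
    if target.exists():
        # Never silently replace an older backup: it may unlock another database.
        if sha256_of(target) == original_digest:
            return target
        raise FileExistsError(f"{target} exists and differs from {key}")
    shutil.copyfile(key, target)
    if sha256_of(target) != original_digest:
        target.unlink()
        raise IOError(f"backup of {key} failed verification")
    return target


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        disk = Path(tmp) / "keydisk"  # constructed stand-in for the key-disk root
        disk.mkdir()
        (disk / DEFAULT_KEY_NAME).write_bytes(b"constructed sample key bytes")
        print(backup_key_file(disk, Path(tmp) / "backup"))
```

Keep the backup copy on a different medium from the password database, since anyone holding both can open a database that is locked with the key-file alone.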


Master Password and Key-Disk

Last but not least, KeePass supports combining the two locking methods above. Databases can be locked using a key-file and a master password. If you lose one of them, you cannot unlock your database. On the other hand, if someone steals your key-disk and password database, the database is still secure because the attacker doesn't know your master password.