KeePass batch scripting for secure and automatic databases on boot or login using PASSWORD_ENC

KeePass. The venerable KeePass.
You need to use a password manager. Not a Word or Excel document. Not a napkin or Post-it note. A real password manager. I recommend KeePass. You may prefer LastPass or SplashID. Regardless, I reiterate: you need to use a password manager.

Having used KeePass for 8+ years, with hundreds of saved passwords, it is one of my most-used applications. Anything that falls under PCI or HIPAA lives in a KeePass database.

All that said, KeePass is typically the first program I launch after logging on. If you follow best practices, that means typing a very long master password, optionally accompanied by a keyfile, to open the database. I am not going to cover in this post what makes a strong password or what password lengths are appropriate.

You might ask, why not just use the Windows user account key option introduced in KeePass 2.x? Two main drawbacks: 1) if your Windows user account or profile (its SID and the DPAPI keys stored with it) is corrupt or lost, you cannot open your KeePass database, and 2) if you want to synchronize the database across machines, it cannot use the Windows user account key.

So, how do you securely launch KeePass from the command line without putting your master password in the batch file as plaintext?

Based on the excellent post in this superuser thread along with more guidance from this post, you can securely script your KeePass databases. Here is how:

  1. Create a file called “RunMeKeePass.bat”
  2. Right click on the file and choose Edit.
  3. Go into the KeePass database you want to script and create a new, temporary entry called “RunMeKeePass.bat” (or whatever you called the file in step 1). Put the master password of this database in the entry's Password field: {PASSWORD_ENC} encrypts the current entry's password, so that field has to hold the password that opens the database.
  4. Go to the “Auto-Type” tab, select the “Override default sequence” radio button, and paste “{PASSWORD_ENC}” into the field.
  5. Leaving KeePass open, go back to Notepad where you are editing the empty “RunMeKeePass.bat”. Hit Ctrl+Alt+A to activate the KeePass global auto-type feature (read more here about it if this step does not work or if you changed the default hotkey). Auto-type is one of the best features of KeePass. After hitting Ctrl+Alt+A, KeePass types a very long string into the file. You can read more about {PASSWORD_ENC} here, towards the bottom. In short, this long, generated string is your database's master password encrypted with the Windows Data Protection API (DPAPI) in the scope of your current Windows user. That is what lets you avoid plaintext: the string only decrypts under your Windows user (SID) on this PC. If someone copies it to another PC, or to another user account on this PC, it will not open the same database. Two caveats follow from that. First, you are assuming a trustworthy user session, because you are the one scripting it: anything that runs as your Windows user (malware in your session, or someone who has obtained your Windows credentials) can decrypt the string exactly as KeePass does, so this protects the password at rest in the batch file, not against a compromised account. Second, the string dies with your profile: if the account is re-created or its DPAPI keys are lost, generate a new one.
    Save this string. It is your master password in encrypted form, so the file you paste it into deserves the same care as the database itself: keep it out of shared or cloud-synced folders. Once you have the string, delete the temporary entry.
  6. Now its time to script the password string into actually launching KeePass.
    Here is example .bat file script:

    @echo off
    REM Each block sets the database path and the DPAPI-encrypted master password,
    REM then hands both to KeePass. The encrypted string is the one auto-typed by
    REM {PASSWORD_ENC}; it only decrypts under the Windows user that generated it.

    echo KeePass DB #1 without a keyfile
    SET DATABASE="%USERPROFILE%\Documents\<LOCATION OF KEEPASS DATABASE .kdbx>"
    SET PASSWORD_ENC="<COPY/PASTE THE LONG, AUTO-TYPED PASSWORD STRING>"
    START "" "%programfiles(x86)%\KeePass Password Safe 2\KeePass.exe" %DATABASE% -pw-enc:%PASSWORD_ENC%

    REM Give the first instance a moment to come up before opening the next file in it.
    TIMEOUT 2

    echo KeePass DB #2 WITH a keyfile
    SET DATABASE="%USERPROFILE%\Documents\<LOCATION OF KEEPASS DATABASE .kdbx>"
    SET PASSWORD_ENC="<COPY/PASTE THE LONG, AUTO-TYPED PASSWORD STRING>"
    SET KEYFILE="%USERPROFILE%\Documents\<LOCATION OF KEYFILE>"
    START "" "%programfiles(x86)%\KeePass Password Safe 2\KeePass.exe" %DATABASE% -keyfile:%KEYFILE% -pw-enc:%PASSWORD_ENC%

    TIMEOUT 2

    echo Re-opening KeePass DB #1 to bring it in focus
    SET DATABASE="%USERPROFILE%\Documents\<LOCATION OF KEEPASS DATABASE .kdbx>"
    SET PASSWORD_ENC="<COPY/PASTE THE LONG, AUTO-TYPED PASSWORD STRING>"
    START "" "%programfiles(x86)%\KeePass Password Safe 2\KeePass.exe" %DATABASE% -pw-enc:%PASSWORD_ENC%

    REM To generate the pw-enc password string (which is specific to the Windows user's SID),
    REM create a "dummy entry" in KeePass whose password is the database master password and
    REM auto-type {PASSWORD_ENC} from it.

    REM Courtesy of: http://ddaydj.blogspot.de/2011/07/automatically-open-secure-keepass.html
    REM and http://superuser.com/questions/240657/make-keepass-database-accept-but-not-require-two-unlocking-methods
    REM and http://sourceforge.net/p/keepass/discussion/329221/thread/bdcb75db

    Basically, replace “<COPY/PASTE THE LONG, AUTO-TYPED PASSWORD STRING>” with the auto-typed string from the earlier step, and in each SET DATABASE line set the correct location of your KeePass database (.kdbx) file. The START lines use %programfiles(x86)% because KeePass installs under “Program Files (x86)” on 64-bit Windows 7/8/10; on 32-bit Windows use %programfiles% instead, or simply point the path at wherever KeePass.exe is installed.

    I provided multiple examples. The second example uses a keyfile; it should be self-explanatory.

    You may also wonder why I commented “Re-opening KeePass DB #1 to bring it in focus”. When KeePass has multiple databases open in tabs, it keeps track of the order in which the files were opened, and when auto-type finds matches in several databases, the order of the selection UI follows that order. “Re-opening” the first file brings its tab to the front, but since it was opened first it stays at the top of the auto-type matches.

  7. The last step is to launch “RunMeKeePass.bat”. I chose Task Scheduler: Trigger = “At log on”, Action = start the .bat file. I unchecked “Start the task only if the computer is on AC power” (since I primarily use this on a Surface Pro 3). Leave the security option at “Run only when user is logged on”: KeePass is a GUI program and must start in your interactive session, which is also the only session whose user can decrypt the string. Read here if you need additional help creating the scheduled task. The Task Scheduler triggers are rather powerful; e.g. if you configured KeePass to lock the database automatically after a period of inactivity, you could add triggers for “On workstation unlock” and “On connection to user session” (local and remote) and open/close KeePass depending on your needs.
    Another option is to place a shortcut in the “Startup” folder; read more here for details on how to create it.
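    As an added example (mine, not the original post's or KeePass's), here is the same step 7 done from PowerShell, which also locks down the batch file's permissions, something the GUI walkthrough does not cover. It assumes the batch file is at Documents\RunMeKeePass.bat, that you run it as the Windows user who generated the {PASSWORD_ENC} string, and that the ScheduledTasks module (Windows 8 / Server 2012 and later) is available; the task name RunMeKeePass is my choice.

```powershell
# Added example, not the original post's script: register the logon/unlock task
# and restrict the batch file to your own account.
# Assumptions: the .bat is in Documents, you are the user who generated the
# {PASSWORD_ENC} string, and the ScheduledTasks module is present (Win8+/2012+).

$bat      = Join-Path $env:USERPROFILE 'Documents\RunMeKeePass.bat'
$taskName = 'RunMeKeePass'                      # a choice, not a KeePass convention
$me       = "$env:USERDOMAIN\$env:USERNAME"

if (-not (Test-Path $bat)) { throw "Batch file not found: $bat" }

# 1. The .bat carries the master password in DPAPI-encrypted form. The encryption
#    is bound to your account, but other local users, backup agents and sync
#    clients still have no business reading it: drop inherited ACEs and grant
#    only yourself.
icacls $bat /inheritance:r /grant:r "${me}:(F)" | Out-Null

# 2. Action: run the batch file through cmd.exe. Trigger: at your logon.
$action = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c `"$bat`""
$logon  = New-ScheduledTaskTrigger -AtLogOn -User $me

# "On workstation unlock" has no switch on New-ScheduledTaskTrigger, so build it
# from the CIM class. StateChange 8 is TASK_SESSION_UNLOCK in the Task Scheduler
# API (7 is lock, which you could pair with a second task that closes KeePass).
$cls    = Get-CimClass -Namespace Root/Microsoft/Windows/TaskScheduler -ClassName MSFT_TaskSessionStateChangeTrigger
$unlock = New-CimInstance -CimClass $cls -ClientOnly -Property @{ Enabled = $true; StateChange = 8; UserId = $me }

# 3. Settings: the post's "Start the task only if the computer is on AC power"
#    checkbox, unchecked, is -AllowStartIfOnBatteries.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

# 4. Principal: "Run only when user is logged on" (Interactive), limited run level.
#    KeePass is a GUI app and the DPAPI string only decrypts as you, so the task
#    must run in your interactive session, not as SYSTEM and not in session 0.
$principal = New-ScheduledTaskPrincipal -UserId $me -LogonType Interactive -RunLevel Limited

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger @($logon, $unlock) `
    -Settings $settings -Principal $principal -Force | Out-Null

# 5. Check the result: the task should be present and Ready, and the ACL should
#    list only you.
Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
(Get-Acl $bat).Access | Select-Object IdentityReference, FileSystemRights
# Start-ScheduledTask -TaskName $taskName   # fire it now instead of waiting for a logon
```

    Run this from a PowerShell prompt as yourself (no elevation needed for a task that runs as you). The ACL step matters more than it looks: the DPAPI binding stops the string from being used elsewhere, but it does not stop the file from being collected, and a narrow ACL keeps it out of the reach of other accounts and of indexing or backup agents that run as them.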

Now that you can more easily launch KeePass, you have no excuse not to use it (or something like it). Enjoy. Here is the PASSWORD_ENC man page.
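To see the property that man page describes in action, here is an added PowerShell example (mine, not KeePass's code) that uses the same Windows API, DPAPI in CurrentUser scope, directly. It assumes that KeePass wraps DPAPI with its own entropy and encoding, so the blobs produced here are not interchangeable with a real -pw-enc string; the script name Dpapi-Demo.ps1, the account name OtherUser and the sample secret are made up for the demonstration.

```powershell
# Added example (not KeePass's code): the DPAPI binding behind {PASSWORD_ENC}.
# A blob protected in CurrentUser scope decrypts only for the same Windows user
# (and in practice on the same PC, because the DPAPI master keys live in the
# user profile). Assumption: KeePass adds its own entropy and encoding, so do not
# expect these blobs to be interchangeable with a real -pw-enc string.
param([string]$Check)   # optional: a blob to test in *this* user's context

Add-Type -AssemblyName System.Security   # ProtectedData, needed on Windows PowerShell 5.1
$scope = [Security.Cryptography.DataProtectionScope]::CurrentUser

function Protect-ForCurrentUser([string]$Secret) {
    # Encrypt a secret so that only the current Windows user can decrypt it.
    $plain = [Text.Encoding]::UTF8.GetBytes($Secret)
    try {
        $blob = [Security.Cryptography.ProtectedData]::Protect($plain, $null, $scope)
        return [Convert]::ToBase64String($blob)
    } finally {
        [Array]::Clear($plain, 0, $plain.Length)   # do not leave the plaintext bytes around
    }
}

function Test-ProtectedBlob([string]$Base64) {
    # $true if the current user can decrypt the blob, $false if DPAPI refuses,
    # which is what happens for another account or after a rebuilt profile.
    try {
        $bytes = [Convert]::FromBase64String($Base64)
        $null  = [Security.Cryptography.ProtectedData]::Unprotect($bytes, $null, $scope)
        return $true
    } catch [System.Security.Cryptography.CryptographicException] {
        return $false
    }
}

if ($Check) {
    "Decryptable as $env:USERDOMAIN\$env:USERNAME : $(Test-ProtectedBlob $Check)"
    return
}

$enc = Protect-ForCurrentUser 'correct horse battery staple'   # constructed sample, not a real master password
"Blob for $env:USERDOMAIN\$env:USERNAME : $enc"
"Decryptable by me: $(Test-ProtectedBlob $enc)"
# Now hand the same blob to somebody else (OtherUser is a placeholder account);
# paste the printed blob in place of <blob>:
#   runas /user:OtherUser "powershell -NoProfile -File .\Dpapi-Demo.ps1 -Check <blob>"
# DPAPI refuses to decrypt it there: the ciphertext is useless outside the account that made it.
```

Save it as Dpapi-Demo.ps1, run it once as yourself, then run the runas line as a second local account. Running it twice also shows that each Protect call yields a different blob for the same input, so you cannot compare two -pw-enc strings to learn whether two databases share a master password.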