Unlocking KeePass with a SmartCard

KeePass is great. I use it a lot.

I'm a bit paranoid, so my master passphrase tends to be (very) long.

Now that I have a USB SmartCard, It would be convenient (and more secure) if I could use it to unlock my KeePass database, instead of typing my whole master password each time, for all kinds of key-loggers to record...

Existing solutions

KeePass does not support using a certificate out of the box, but it can be done with plugins.

Unfortunately, none of the existing plugins do exactly what I want.

Some need the private key of the certificate to be exportable. (then why bother using a hardware secure element?)

Some use a signature as a secret. (I'm not a crypto expert, but signatures are not designed to do that. This is probably not a good practice...)

And most of all, all the solutions I reviewed are additive, which means that the certificate can only be used as a part of the composite master key used by KeePass to protect the database.

It's not possible to use either a passphrase, or a certificate to unlock the database.

So I created my own plugin...

Introducing: KeePass Certificate Shortcut Provider

This plugin allows you to open your database using either a master password OR an X.509 certificate.


The provider generates a .cspkey file (Certificate Shortcut Provider Key) containing the master password encrypted with the public part of an X.509 certificate.

When the provider is used, it decrypts the master password using the private part of the certificate, and returns it to KeePass.

This way, it's possible to easily open the database using only a certificate.

If required—on a KeePass version without plugins, like Android—the database can always be opened using only the master password.

Is it secure?

It should be.

If you use a certificate with a strong enough key (RSA with at least a 1024 bits key is recommended), the limiting factor should be the strength of your master password.

If you think otherwise, please contact me...

What kind of certificates can I use?

For now, only RSA certificates are supported.

ECDSA is a signature algorithm. Supporting ECDSA certificates would require some kind of hack to be able to encrypt the master password.

What does it look like?

New key creation

New key creation.

Opening db with SmartCard

Opening the database with a SmartCard.

Opening db with master password

Opening the database with the master password still works!

Where can I get it?

Any feedback is appreciated.

Enjoy! 🙂


Formatting cheat sheet.
The current page url links to a specific comment.
The comment is shown highlighted below in context.

    JavaScript is required to see the comments. Sorry...