Integration with KeePass

If you use KeePass password manager, you may use it as a site manager for WinSCP.

Note, that we recommend to manage your sites directly on WinSCP Login window and use a master password to protect them (read Security Considerations below).


Defining Site

Each KeePass password entry has a URL field, in addition to Password and User name fields. You can use the URL field to store other session data, particularly a hostname and a protocol, optionally also a port number (when using non-standard port). For example: s


Defining URL Overrides

To make the URLs in password entries working, define a URL override rule in KeePass Options.

In KeePass 2.x1 main window go to menu Tools > Options. Go to Integration tab and press URL Overrides button. On URL Overrides window press Add button.

On URL Override window, to Scheme field, enter protocol you want to handle with WinSCP, e.g. sftp or ftp. In URL Override field, enter:


The {T-REPLACE-RX:/{BASE:PORT}/-1//} is a workaround for KeePass resolving the {BASE:PORT} placeholder to -1, when a password entry URL field does not specify the port explicitly and KeePass does not know the protocol (such as sftp) to substitute a standard port.

See KeePass documentation for placeholders.

Repeat override definition for each protocol you want to use with WinSCP (sftp, ftp, ftps, ftpes, scp, http, https). If you want to use WebDAV sessions, but you want to keep http protocol reserved for a web browser, you can use WinSCP-specific protocol winscp-http.

For improvements that allow passing additional parameters to WinSCP, see KeePassURLOverride project.

Opening URL/Site

To open the site defined by KeePass password entry, on the KeePass main window, double-click the entry’s cell in URL column. You can also use Open URL toolbar button, URL > Open context menu command and Ctrl+U keyboard shortcut.

Security Considerations

KeePass URL override rules pass the passwords to WinSCP via command-line. Command-line used to run any process is not secured in memory, thus it may be read by malicious processes on your machine.

Alternative solution is to use KeePass to manage host name and username information only and use private key authentication using Pageant, instead of password. To implement this, remove a reference to password from URL Override field (:{PASSWORD}).

For more direct integration with KeePass, see the KeePass plugin KeeAgent.

For best security, it is good practice to limit how many processes you trust to securely handle your sensitive data. For this reason, we recommend you manage your sites on WinSCP Login window and use a strong WinSCP master password to protect them.

  1. See KeePass documentation for instructions for KeePass 1.x.Back

Last modified: by martin