
Integration with KeePass

If you use the KeePass password manager, you can use it as a site manager for WinSCP.

Note that we recommend managing your sites directly in the WinSCP Login window and using a master password to protect them (see Security Considerations below).


Defining Site

Each KeePass password entry has a URL field, in addition to the Password and User name fields. You can use the URL field to store other session data, particularly the hostname and the protocol, and optionally a port number (when using a non-standard port). For example: sftp://example.com/.

Defining URL Overrides

To make the URLs in password entries work, define a URL override rule in KeePass Options.


In the KeePass 2.x [1] main window, go to menu Tools > Options. Go to the Integration tab and press the URL Overrides button. On the URL Overrides window, press the Add button.

On the URL Override window, in the Scheme field, enter the protocol you want to handle with WinSCP, e.g. sftp or ftp. In the URL Override field, enter:

cmd://"%PROGRAMFILES(x86)%\WinSCP\WinSCP.exe" {BASE:SCM}://{USERNAME}:{PASSWORD}@{BASE:HOST}:{T-REPLACE-RX:/{BASE:PORT}/-1//}

On 32-bit systems, replace %PROGRAMFILES(x86)% with %PROGRAMFILES%.

The {T-REPLACE-RX:/{BASE:PORT}/-1//} part is a workaround for KeePass resolving the {BASE:PORT} placeholder to -1 when the password entry URL field does not specify the port explicitly and KeePass does not know a standard port for the protocol (such as sftp) to substitute.

See the KeePass documentation for the list of placeholders.

Repeat the override definition for each protocol you want to use with WinSCP (sftp, ftp, ftps, scp, http, https). If you want to use WebDAV sessions but keep the http protocol reserved for a web browser, you can use a custom scheme for the protocol, e.g. webdav. Then, in the URL Override field, you need to use http explicitly instead of referring to the protocol from the password entry URL field via {BASE:SCM}.

Opening URL/Site

To open the site defined by a KeePass password entry, in the KeePass main window, double-click the entry's cell in the URL column. You can also use the Open URL toolbar button, the URL > Open context menu command, or the Ctrl+U keyboard shortcut.

Security Considerations

KeePass URL override rules pass the password to WinSCP via the command line. The command line used to start any process is not protected in memory, so it may be read by malicious processes on your machine.

One solution that may provide more security is to configure WinSCP to query an SSH authentication agent, such as Pageant, for the private key. This way cmd.exe never handles your private key in cleartext. To implement this, leave :{PASSWORD} out of the URL Override field:

cmd://"%PROGRAMFILES(x86)%\WinSCP\WinSCP.exe" {BASE:SCM}://{USERNAME}@{BASE:HOST}:{T-REPLACE-RX:/{BASE:PORT}/-1//}
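To see what KeePass actually hands to the command line, the following added example (not WinSCP's or KeePass's own code) models the placeholder expansion of both override strings from this page: the -1 port workaround from Defining URL Overrides, and the password-free agent variant above. It assumes, as the page describes, that {BASE:PORT} resolves to -1 when the entry URL has no port and KeePass knows no standard port for the scheme; the entry values (alice, s3cret, example.com) are constructed.

```python
import re
from urllib.parse import urlsplit

# Override strings as given on the page. The cmd:// prefix tells KeePass to run
# the rest as a command line.
OVERRIDE_WITH_PASSWORD = (
    r'cmd://"%PROGRAMFILES(x86)%\WinSCP\WinSCP.exe" '
    r"{BASE:SCM}://{USERNAME}:{PASSWORD}@{BASE:HOST}:{T-REPLACE-RX:/{BASE:PORT}/-1//}"
)
OVERRIDE_AGENT = (
    r'cmd://"%PROGRAMFILES(x86)%\WinSCP\WinSCP.exe" '
    r"{BASE:SCM}://{USERNAME}@{BASE:HOST}:{T-REPLACE-RX:/{BASE:PORT}/-1//}"
)

# {T-REPLACE-RX:/text/search/replace/} with "/" as the separator, as used above.
_REPLACE_RX = re.compile(r"\{T-REPLACE-RX:/([^/]*)/([^/]*)/([^/]*)/\}")


def resolve_override(template: str, entry_url: str, username: str, password: str) -> str:
    """Expand the placeholders of a KeePass URL override into the resulting command line.

    Assumption (modelled on the page, not on KeePass's source): a missing port in
    the entry URL yields {BASE:PORT} == -1 for schemes KeePass does not know.
    """
    parts = urlsplit(entry_url)
    port = parts.port if parts.port is not None else -1
    fields = {
        "{BASE:SCM}": parts.scheme,
        "{BASE:HOST}": parts.hostname or "",
        "{BASE:PORT}": str(port),
        "{USERNAME}": username,
        "{PASSWORD}": password,
    }
    text = template
    for placeholder, value in fields.items():
        text = text.replace(placeholder, value)
    # Now the inner {BASE:PORT} is a literal, so apply the regex replacement:
    # "-1" becomes "", any real port number is left untouched.
    text = _REPLACE_RX.sub(lambda m: re.sub(m.group(2), m.group(3), m.group(1)), text)
    return text.removeprefix("cmd://")


if __name__ == "__main__":
    for url in ("sftp://example.com/", "sftp://example.com:2222/"):
        # With the first override the password is part of the process command line.
        print(resolve_override(OVERRIDE_WITH_PASSWORD, url, "alice", "s3cret"))
        # With the agent override the secret never reaches the command line.
        print(resolve_override(OVERRIDE_AGENT, url, "alice", "s3cret"))
```

Note the trailing colon after the host when no port is given: that is what the regex workaround leaves behind, and the page's override relies on WinSCP accepting it.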

For more direct integration with KeePass, see the KeePass plugin KeeAgent.

Note however that private keys are decrypted and held in memory for use by the SSH authentication agent, so this may be less secure if keys are kept in memory for long periods of time. It is recommended to configure the SSH authentication agent to lock its key store after an idle period. For more details about the security of using an SSH authentication agent, see Chapter 9 of the PuTTY documentation.

For best security, it is good practice to limit how many processes you trust to handle your sensitive data. For this reason, we recommend managing your sites in the WinSCP Login window and using a strong WinSCP master password to protect them.


  1. See the KeePass documentation for instructions for KeePass 1.x

Last modified: by adam