Less clicks, more security.
The plugin for KeePass 2.x uses Trezor's security design to encrypt the password database. The decryption key can only be read from the Trezor by physically pressing the confirmation button on the Trezor device.
It supports Trezor One, Model M and the new Safe 3 on Windows and Linux.
- KeePass database securely encrypted with your personal TREZOR device.
- A simple click on your Trezor button to unlock your password manager.
- Use a 24 words recovery seed to regain access to your passwords.
- Can be used with or without master password.
- Copy KeePass2Trezor.dll from the latest release to the Plugin folder of the KeePass 2.x.
- Create a new database, selecting Trezor Key Provider in the Key file/provider field.
- Follow instructions, unlock Trezor if necessary and confirm decryption of the key by clicking button on the device.
Although the plugin works on Linux, it requires several steps:
-
Configure udev rules:
- Follow the udev rules configuration guide to establish communication with Trezor devices.
-
Install
mono-develop
package:- Ensure that the
mono-develop
package is installed, as the plugin relies on netstandard2.0, which is included with it.
- Ensure that the
-
Check
libusb-1.0
installation:- Verify the installation of
libusb-1.0-0
. If KeePass2Trezor still hangs with the message "Connect your Trezor device" even with libusb installed, consider either creating a symlink according to this instruction or installlibusb-1.0-dev
package to address the issue.
- Verify the installation of
-
Disconnect and reconnect the device:
- After completing the configuration steps, disconnect and then reconnect your Trezor device to ensure the changes take effect.
- KeePass 2.35 or newer
- .NET Framework 4.6.2 or higher
- libusb-1.0 for Linux
โ If your device is lost or broken, you will need to purchase a new Trezor or build a PiTrezor and initialize it using the saved seed phrase to regain access to the KeePass database.
โ Exporting the database in any format except kdbx will cause loss of the Key Id and therefore decryption of these containers will not be possible. This is because these containers do not support public custom data (unencrypted) where the Key ID is stored.
KeePass2Trezor is a key provider plugin for the KeePass 2.x password manager. It uses much the same approach to derive master key as Trezor Password Manager described in the SLIP-0016 document.
๐ฑ Any feedback and contribution is much appreciated!