
I have a python bot that runs in Windows 10 and accesses Keepass with a password. I'm wondering what would be the correct way to store and access this Keepass password.

Currently, the Keepass password is encrypted and decrypted with a key. However the key is available to the python bot and therefore to anyone.

Am I missing something?

schroeder
AturSams
  • Define "everyone"? What are the threats here? – schroeder Nov 07 '20 at 18:50
  • @schroeder Thanks. Specifically, it sounds instinctively unwise to store the Keepass password in plain text, but it's not completely clear to me what protection is gained by encrypting it and then decrypting it with a key during the script. Also, I am not sure what additional steps could improve security. – AturSams Nov 07 '20 at 19:20
  • Q: what function, utility or library does your bot use to access the keepass database? why does it use keepass, and not some other mechanism to secure the credentials? – brynk Nov 09 '20 at 02:07

1 Answer


On Windows, you have the option of using the Data Protection API (DPAPI) either:

  1. Natively in KeePass (getting rid of the password altogether)
  2. In your script (retrieving the password)

1. Natively

Make your KeePass database use "Windows User Account" encryption. It uses DPAPI behind the scenes to encrypt your master database key. It's all automagic as long as the account exists. It is hard to recover if the account is destroyed.

[Screenshot: KeePass "Windows User Account" option in the master key dialog]

2. In your script

You can write Python code to save and later retrieve the password using DPAPI. YMMV but this StackOverflow question offers a few alternatives.
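As an added example (not from the answer above), this is what option 2 looks like in Python using only ctypes to call CryptProtectData/CryptUnprotectData; the function names, the optional entropy value and the blob file path in the demo are my own assumptions.

```python
import ctypes
import sys

DPAPI_AVAILABLE = sys.platform == "win32"
CRYPTPROTECT_UI_FORBIDDEN = 0x01  # no interactive prompt; the bot runs unattended


class DATA_BLOB(ctypes.Structure):
    """Mirror of the Win32 DATA_BLOB struct used by the DPAPI calls."""
    _fields_ = [("cbData", ctypes.c_uint32),
                ("pbData", ctypes.POINTER(ctypes.c_char))]


def _blob(buf: ctypes.Array, size: int) -> DATA_BLOB:
    return DATA_BLOB(size, ctypes.cast(buf, ctypes.POINTER(ctypes.c_char)))


def _dpapi(func_name: str, data: bytes, entropy: bytes) -> bytes:
    # Local names keep the input buffers alive until the call returns.
    in_buf = ctypes.create_string_buffer(data, len(data))
    in_blob, out_blob, ent_ref = _blob(in_buf, len(data)), DATA_BLOB(), None
    if entropy:  # optional second secret that must also be supplied to decrypt
        ent_buf = ctypes.create_string_buffer(entropy, len(entropy))
        ent_blob = _blob(ent_buf, len(entropy))
        ent_ref = ctypes.byref(ent_blob)
    func = getattr(ctypes.windll.crypt32, func_name)
    ok = func(ctypes.byref(in_blob), None, ent_ref, None, None,
              CRYPTPROTECT_UI_FORBIDDEN, ctypes.byref(out_blob))
    if not ok:
        raise ctypes.WinError()
    result = ctypes.string_at(out_blob.pbData, out_blob.cbData)
    ctypes.windll.kernel32.LocalFree(out_blob.pbData)  # DPAPI allocated the output
    return result


def dpapi_protect(secret: bytes, entropy: bytes = b"") -> bytes:
    """Encrypt under the calling user's DPAPI master key (CryptProtectData)."""
    return _dpapi("CryptProtectData", secret, entropy)


def dpapi_unprotect(blob: bytes, entropy: bytes = b"") -> bytes:
    """Decrypt a blob from dpapi_protect; only the same user account can."""
    return _dpapi("CryptUnprotectData", blob, entropy)


def roundtrip_ok(secret: bytes, entropy: bytes = b"") -> bool:
    """Protect then unprotect and confirm the secret comes back unchanged."""
    return dpapi_unprotect(dpapi_protect(secret, entropy), entropy) == secret


if __name__ == "__main__" and DPAPI_AVAILABLE:
    # Constructed demo: store the blob next to the bot (path is an assumption).
    with open("keepass_pw.dpapi", "wb") as f:
        f.write(dpapi_protect(b"keepass-master-password", entropy=b"bot-v1"))
    with open("keepass_pw.dpapi", "rb") as f:
        print(dpapi_unprotect(f.read(), entropy=b"bot-v1"))
```

Any process running as the same Windows user can call CryptUnprotectData on that blob, so this protects against someone copying the file or reading it from another account, not against code already running as the bot's user; the entropy argument is a second value the caller must know, so keeping it apart from the blob is what gives it any effect.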

ixe013