Configuration Details about how and where KeePass stores its configuration.

• General
• Installation by Administrator, Usage by User
• Portable Version
• Create Portable Version of Installed KeePass
• For Network Administrators: Enforced Configuration
• Enabling Enforcement-Requiring Items Again (2.x)
• Technical Details

General

KeePass supports multiple locations for storing configuration information: the global configuration file in the KeePass application directory, a local user-dependent one in the user's private configuration folder, and an enforced configuration file in the KeePass application directory. The first one is called global, because everyone using this KeePass installation will write to the same configuration file (and possibly overwriting settings of other users). The second one is called local, because changes made to this configuration file only affect the current user.

On Linux systems, the local configuration file is typically stored in '$XDG_CONFIG_HOME/KeePass' (which often is '~/.config/KeePass', where '~' is the user's home directory).

Installation by Administrator, Usage by User

If you use the KeePass installer and install the program with administrator rights, the program directory will be write-protected when working as a normal/limited user. KeePass will use local configuration files, i.e. save and load the configuration from a file in your user directory.

Multiple users can use the locally installed KeePass. Configuration settings will not be shared and can be configured individually by each user.

Portable Version

If you downloaded the portable version of KeePass (ZIP package), KeePass will try to store its configuration in the application directory. No configuration settings will be stored in the user directory (if the global configuration file is writable).

Create Portable Version of Installed KeePass

If you are currently using a locally installed version of KeePass (installed by the KeePass installer) and want to create a portable version of it, first copy all files of KeePass to the portable device. Then get the configuration file from your user directory (application data, see above) and copy it over the configuration file on the portable device.

For Network Administrators: Enforced Configuration

Settings in an enforced configuration file take precedence over settings in global and local configuration files.

This feature is intended primarily for network administrators who want to enforce certain settings for users of a shared KeePass installation.

For details, please see the Enforced Configuration help page.

Enabling Enforcement-Requiring Items Again (2.x)

Certain feature items are saved to the enforced configuration file. Under certain circumstances, there may be such items in the regular configuration file only (e.g. when you copy the regular configuration file to a new PC, but not the enforced one). If you want to continue using the items, you have to enable them again. This may require administrator permission; KeePass shows a User Account Control dialog, if necessary.

If you are using an installed KeePass version (setup EXE or MSI) and one or more of the following features, please note:

• Triggers:
  If your triggers are not stored in the enforced configuration file, KeePass disables the trigger system. If you want to continue using your triggers, open the 'Triggers' dialog (via the main menu item 'Tools' → 'Triggers'), activate the 'Enable trigger system' option, check all triggers (with regard to security, privacy, functionality, compatibility, etc.) and click the 'OK' button.
• Global URL overrides:
  If your global URL overrides are not stored in the enforced configuration file, KeePass disables them (individually; therefore, it is recommended that you remember the overrides that you have enabled, e.g. by taking a screenshot). If you want to continue using your overrides, open the 'URL Overrides' dialog (via the main menu item 'Tools' → 'Options' → tab 'Integration' → button 'URL Overrides'), check all desired overrides (with regard to security, privacy, functionality, compatibility, etc.), enable them and click the 'OK' button.
• Password generator profiles:
  If your password generator profiles are not stored in the enforced configuration file, KeePass disables them. If you want to continue using your profiles, open the 'Password Generator' dialog (via the main menu item 'Tools' → 'Generate Password'), click the shield button (top right) and check all profiles (with regard to security, privacy, functionality, compatibility, etc.).

If you are using the portable ZIP package, KeePass tries to migrate triggers, URL overrides and password generator profiles automatically.

Technical Details

This section explains in detail how loading and saving the configuration works.

When KeePass starts up and finds both global and local configuration files, it must decide the order in which KeePass tries to get the configuration items. This is controlled by the (Kee)PreferUserConfiguration flag in the global configuration file. If it is not present, it defaults to false.

The flag is set to true in the global configuration file of the KeePass installer package. The portable ZIP package does not contain a configuration file, consequently the flag defaults to false.

• Try to get the configuration item from the enforced configuration file. If found, use this one.
• If the PreferUserConfiguration flag is true, use the item from the local configuration file, otherwise use the item from the global one. If the chosen configuration file does not contain the item, use the default value.

• If the PreferUserConfiguration flag is true, try to store all configuration items into the local configuration file. If this fails, report the error and try to store them into the global configuration file. If this fails, report the error.
• If the PreferUserConfiguration flag is false, try to store all configuration items into the global configuration file. If this fails, report the error and try to store them into the local configuration file. If this fails, report the error.