KeePass User Guide

Product: KeePass

Overview

This guide provides comprehensive instructions for deploying and using the cloudimg KeePass AMI on Amazon Web Services. The AMI delivers a fully preconfigured Windows Server instance with KeePass 2 installed and ready to use, enabling you to securely manage passwords and sensitive credentials immediately after launch.

KeePass is a free, open source password manager that stores all your passwords in a highly encrypted database. The database is secured by a master password, a key file, or both. KeePass uses AES 256 and ChaCha20 encryption algorithms to protect your data, and supports features such as password generation, auto type, browser integration through plugins, secure clipboard handling, and organized password groups.

This AMI is ideal for individuals and teams who need a centralized, cloud hosted password management solution, system administrators who manage credentials for multiple servers and services, or organizations that require a secure credential vault accessible via remote desktop from anywhere. By hosting KeePass on an AWS instance, you can centralize password management while maintaining full control over where your data is stored.

For any issues encountered while following this guide, please contact support@cloudimg.co.uk.


Prerequisites

Before launching the KeePass AMI, ensure you have the following in place.

AWS Account: You need an active AWS account with permissions to launch EC2 instances, manage security groups, and access the AWS Marketplace.

EC2 Key Pair: Create or identify an existing EC2 key pair in the region where you plan to launch the instance. This key pair is required to decrypt the Windows Administrator password after launch.

Security Group: Prepare a security group that allows inbound RDP access. The required rule is outlined below.

Protocol   Type   Port   Description
RDP        TCP    3389   Remote Desktop Access

It is strongly recommended to restrict the source IP range for RDP access to your known IP addresses or corporate CIDR blocks rather than allowing access from 0.0.0.0/0. This is especially critical for an instance that will store password databases.

Remote Desktop Client: Install a Remote Desktop Protocol client on your local machine. Options include Microsoft Remote Desktop (available for Windows and macOS), Remmina (Linux), or any other RDP compatible client.

Minimum Instance Requirements

Minimum CPU   Minimum RAM   Required Disk Space
1 vCPU        1 GB          30 GB

A t3.micro or t3.small instance type is sufficient for KeePass. It is a lightweight desktop application that does not require significant compute resources.


Step by Step Setup

Follow the steps below to launch and connect to your KeePass instance.

Step 1: Launch the Instance

  1. Log in to your AWS account and navigate to the AWS Marketplace.
  2. Search for the cloudimg KeePass AMI.
  3. Select your desired instance type (t3.small is recommended).
  4. Choose your preferred region and VPC configuration.
  5. Select the EC2 key pair you created in the prerequisites.
  6. Assign the security group with RDP access on port 3389.
  7. Configure storage (30 GB minimum on the root volume).
  8. Launch the instance.

Step 2: Wait for Status Checks

After launching the instance, navigate to the EC2 console and wait for the instance to show 2/2 status checks passing. This ensures the instance has fully booted and Windows has completed its initial setup. This process typically takes between 3 and 10 minutes.

Step 3: Retrieve the Administrator Password

  1. Open the EC2 console in the AWS region where you launched the instance.
  2. Select Instances from the left navigation panel.
  3. Locate and select your newly launched instance.
  4. Click Actions at the top of the page.
  5. Navigate to Security and then select Get Windows password.
  6. Click Browse and upload the private key file (.pem) from the key pair you selected during launch.
  7. Click Decrypt password.
  8. Copy the decrypted password and store it securely. This is your Administrator password.

Step 4: Connect via Remote Desktop

  1. Open your Remote Desktop client application.
  2. Create a new connection using the public IP address of your EC2 instance (or the private IP if connecting through a VPN or from within the same VPC).
  3. Enter the following credentials when prompted:
     • Username: Administrator
     • Password: The decrypted value from Step 3
  4. If a certificate warning appears, click Continue to proceed. This is expected for new connections.
  5. You will be connected to the Windows Server desktop.

Step 5: Launch KeePass

Once connected to the desktop, locate the KeePass 2 shortcut icon on the desktop and double click it to launch the application. KeePass is preinstalled and ready for use immediately.


Server Components

The following software components are preinstalled on this AMI.

Component   Version
KeePass 2   Latest

The AMI is built on Windows Server and includes the base operating system along with KeePass 2 preinstalled and configured. KeePass 2 is the .NET based version of KeePass and offers a rich feature set including plugin support, auto type, and advanced encryption options.


Filesystem Layout

The instance uses a single volume configuration.

Drive   Purpose                            Minimum Size
C:\     Operating system and application   30 GB

Key directory locations on the instance:

Path                                              Description
C:\Program Files (x86)\KeePass Password Safe 2\   KeePass installation directory
C:\Users\Administrator\Desktop\                   Desktop with KeePass shortcut
C:\Users\Administrator\Documents\                 Recommended location for database files
C:\Users\Administrator\AppData\Roaming\KeePass\   User configuration and plugin directory

KeePass database files (.kdbx) are very small, typically under 1 MB even with hundreds of entries. The 30 GB volume provides ample space for the operating system, application, and your password databases.


Managing the Application

Creating a New Password Database

  1. Launch KeePass from the desktop shortcut.
  2. Navigate to File then New to create a new password database.
  3. Choose a location to save your database file (the Documents folder is recommended).
  4. Enter a name for your database file (for example, MyPasswords.kdbx).
  5. Set a strong master password. This password will be required every time you open the database.
  6. Optionally, you can also create a key file for additional security. A key file adds a second factor of authentication that must be present alongside the master password.
  7. Click OK to create the database.

Adding Password Entries

  1. Open your password database and unlock it with your master password.
  2. Right click in the entries area and select Add Entry, or press Ctrl+I.
  3. Fill in the title, username, password, and URL fields.
  4. Use the Generate a password button (the key icon) to create a strong, random password.
  5. Add any notes or additional fields as needed.
  6. Click OK to save the entry.
  7. Save the database by pressing Ctrl+S or navigating to File then Save.

Organizing Entries into Groups

KeePass supports organizing password entries into hierarchical groups:

  1. Right click on the root group or any existing group in the left panel.
  2. Select Add Group to create a new category.
  3. Name the group (for example, Web Logins, Servers, Email Accounts).
  4. Drag and drop entries between groups to organize them.

Using the Password Generator

KeePass includes a powerful password generator:

  1. Navigate to Tools then Generate Password from the menu bar.
  2. Configure the character set, length, and pattern for generated passwords.
  3. You can include uppercase letters, lowercase letters, digits, special characters, and more.
  4. Click Generate to create passwords, then copy them to the clipboard.

Searching for Entries

Use the search bar at the top of the KeePass window to quickly find entries across all groups. You can search by title, username, URL, notes, or any other field.

Auto Type

KeePass can automatically type usernames and passwords into application windows:

  1. Open the target application or website login page.
  2. Switch to KeePass and select the relevant entry.
  3. Press Ctrl+V or right click and select Perform Auto Type.
  4. KeePass will switch to the target window and type the credentials automatically.

Copying Credentials to Clipboard

Double click on the username or password column in an entry to copy it to the clipboard. By default, KeePass clears the clipboard after 12 seconds for security.

Importing Entries from Other Password Managers

KeePass can import password databases from many other formats:

  1. Navigate to File then Import.
  2. Select the source format (CSV, XML, 1Password, LastPass, and many others).
  3. Browse to the export file from your previous password manager.
  4. Review the imported entries and save the database.

Scripts and Logs

KeePass Configuration Files

KeePass stores configuration files in the following locations:

File Location                                                       Description
C:\Program Files (x86)\KeePass Password Safe 2\KeePass.config.xml   Global configuration
C:\Users\Administrator\AppData\Roaming\KeePass\KeePass.config.xml   User specific configuration

Database Backup Files

KeePass can be configured to create automatic backups of your database. Enable this feature through Tools then Options then Advanced and configure the backup settings.

Windows Event Logs

For system level diagnostics, use the Windows Event Viewer. Press the Windows key, search for Event Viewer, and open it to review application and system logs.


Troubleshooting

Cannot connect via RDP

  • Verify that the instance has passed 2/2 status checks in the EC2 console.
  • Confirm that your security group allows inbound TCP traffic on port 3389 from your IP address.
  • Ensure you are using the correct public IP address. If the instance was stopped and started, the public IP may have changed unless you are using an Elastic IP.
  • Check that your local firewall or corporate network is not blocking outbound RDP connections.

Password decryption fails

  • Ensure you are uploading the correct .pem file that matches the key pair selected during instance launch.
  • The password may take up to 15 minutes to become available after the first launch. Wait and try again if the option is greyed out.

Cannot open the KeePass database

  • Verify you are entering the correct master password. KeePass master passwords are case sensitive.
  • If you configured a key file, ensure the key file is accessible at the expected location.
  • Check that the .kdbx file is not corrupted. If you have a backup copy, try opening that instead.

KeePass does not open or crashes

  • Try launching KeePass again from the desktop shortcut.
  • Check the Windows Event Viewer for application errors.
  • Verify that the C: drive has sufficient free space.
  • Ensure the .NET Framework is installed and functioning correctly (it is preinstalled on this AMI).

Forgot the master password

  • KeePass encryption is designed to be unbreakable without the master password. There is no recovery mechanism built into the application.
  • If you used a key file, you still need the master password to open the database.
  • This is why it is critical to store your master password in a separate, secure location and to maintain regular backups.

Auto type does not work correctly

  • Ensure the target window title matches the entry's URL or title field in KeePass.
  • Some applications may require custom auto type sequences. Edit the entry and configure the auto type sequence under the Auto Type tab.
  • Try increasing the auto type delay in KeePass options if characters are being missed.

RDP session disconnects frequently

  • Check your network connection stability.
  • Adjust the RDP client settings to reduce bandwidth requirements by lowering the display quality or disabling visual effects.
  • Ensure the instance is not running out of memory, which could cause Windows to become unresponsive.

Security Recommendations

Change the Administrator Password

After your first login, change the default Administrator password to a strong, unique password. Open the Windows command prompt or PowerShell and run:

net user Administrator YourNewStrongPassword

Note that once you change the password, the original decrypted password from the AWS console will no longer be valid.

Restrict RDP Access Strictly

Limit the security group rule for port 3389 to only your specific IP addresses or a trusted CIDR range. An instance hosting a password database must have the strictest possible network access controls. Never use 0.0.0.0/0 for a KeePass instance.
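
One way to check this rule, and the matching prerequisite on restricting the RDP source range, is to audit the security group definitions themselves. The script below is an added example, not part of the cloudimg guide or AMI: it flags any rule that reaches TCP 3389 from 0.0.0.0/0, from ::/0, through a wider port range, or through an "all traffic" rule. The group IDs, the sample data and the max_addresses threshold are constructed assumptions.

```python
import ipaddress

RDP_PORT = 3389

# Constructed sample, shaped like `aws ec2 describe-security-groups --output json`.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-example-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-example-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-good", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]},
]}

def covers_rdp(perm):
    """True if this permission's protocol and port range include TCP 3389."""
    if perm["IpProtocol"] == "-1":      # all protocols, all ports
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm["FromPort"] <= RDP_PORT <= perm["ToPort"]

def audit_rdp_exposure(groups, max_addresses=256):
    """Return (group_id, cidr, reason) for each rule that exposes RDP too widely."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not covers_rdp(perm):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen == 0:
                    findings.append((group["GroupId"], cidr, "open to the internet"))
                elif net.num_addresses > max_addresses:
                    findings.append((group["GroupId"], cidr, "source range too wide"))
    return findings

if __name__ == "__main__":
    for finding in audit_rdp_exposure(SAMPLE["SecurityGroups"]):
        print(*finding, sep="\t")
```

To run it against a real account, load the JSON produced by `aws ec2 describe-security-groups --output json` in place of SAMPLE. Rules that reference another security group instead of a CIDR are not evaluated here.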

Use a Strong Master Password

Choose a master password that is long (20 characters or more), unique, and not used anywhere else. Consider using a passphrase composed of multiple random words for both strength and memorability.

Use a Key File for Two Factor Protection

Configure KeePass to require both a master password and a key file to open the database. Store the key file separately from the database, such as on an encrypted USB drive or in a separate S3 bucket. This way, even if someone gains access to the instance, they cannot open the database without the key file.

Enable Volume Encryption

Use EBS encryption on the instance volume to protect the password database at rest. If creating a new instance, select an encrypted volume during launch. For existing volumes, create an encrypted snapshot and restore from it.

Back Up the Database Regularly

  • Copy the .kdbx database file to Amazon S3 regularly using the AWS CLI or a file transfer tool. Use server side encryption on the S3 bucket.
  • Create EBS snapshots of the instance volume on a regular schedule using Amazon Data Lifecycle Manager.
  • Store database backups in a different AWS region for disaster recovery.
  • Never store the master password or key file in the same location as the database backup.
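
Before relying on a backup copy, or when a .kdbx file is suspected to be corrupted as in the troubleshooting section, the unencrypted file header can be inspected without the master password. The script below is an added example, not part of KeePass or the cloudimg AMI: it checks the KeePass 2.x signatures, reports which cipher the database uses (AES-256 or ChaCha20), and for KDBX 4 files verifies the SHA-256 hash stored after the header. The function names and the sample header are constructed for illustration.

```python
import hashlib
import struct

SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67      # KeePass 2.x file signatures
AES_UUID = bytes.fromhex("31c1f2e6bf714350be5805216afc5aff")
CHACHA20_UUID = bytes.fromhex("d6038a2b8b6f4cb5a524339a31dbb59a")
CIPHERS = {AES_UUID: "AES-256", CHACHA20_UUID: "ChaCha20"}

def inspect_kdbx(blob):
    """Return (version, cipher, header_ok); header_ok is None for KDBX 3.x,
    whose header hash sits inside the encrypted payload."""
    if len(blob) < 12:
        raise ValueError("file too short to be a KDBX database")
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", blob, 0)
    if (sig1, sig2) != (SIG1, SIG2):
        raise ValueError("not a KeePass 2.x database")
    if major not in (3, 4):
        raise ValueError("unsupported KDBX major version %d" % major)
    fmt = "<BI" if major == 4 else "<BH"  # field id + length (32-bit in v4, 16-bit in v3)
    step = struct.calcsize(fmt)
    pos, cipher = 12, None
    while True:
        if pos + step > len(blob):
            raise ValueError("header truncated")
        field_id, size = struct.unpack_from(fmt, blob, pos)
        data = blob[pos + step:pos + step + size]
        if len(data) != size:
            raise ValueError("header truncated")
        pos += step + size
        if field_id == 2:                 # cipher identifier
            cipher = CIPHERS.get(data, "unknown cipher")
        elif field_id == 0:               # end of header
            break
    header_ok = None
    if major == 4:
        header_ok = hashlib.sha256(blob[:pos]).digest() == blob[pos:pos + 32]
    return "%d.%d" % (major, minor), cipher, header_ok

def build_sample_header(cipher_uuid):
    """Constructed KDBX 4 header plus hash; sample input, not a usable database."""
    def field(fid, data):
        return struct.pack("<BI", fid, len(data)) + data
    head = struct.pack("<IIHH", SIG1, SIG2, 0, 4)
    head += field(2, cipher_uuid) + field(0, b"\r\n\r\n")
    return head + hashlib.sha256(head).digest()

if __name__ == "__main__":
    print(inspect_kdbx(build_sample_header(CHACHA20_UUID)))
```

The header hash is an unkeyed checksum, so a passing result shows only that the header was not damaged in storage or transfer. The definitive test of a backup is still opening it in KeePass with the master password and key file.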

Enable Windows Firewall Rules

Review and configure the Windows Firewall to restrict all inbound and outbound traffic to only what is necessary.

Keep Software Updated

Regularly update KeePass and Windows Server to ensure you have the latest security patches and bug fixes. Check for KeePass updates via Help then Check for Updates in the KeePass menu.

Use an Elastic IP

Assign an Elastic IP to your instance to maintain a consistent IP address across stop and start cycles. This allows you to maintain consistent security group rules.

Enable CloudWatch Monitoring

Configure Amazon CloudWatch to monitor your instance metrics. Set up alarms to notify you if the instance is unexpectedly stopped or if unusual activity is detected.

Audit Access with CloudTrail

Enable AWS CloudTrail to log all API activity related to your EC2 instance. This provides an audit trail showing who accessed or modified the instance and when, which is critical for a security sensitive workload like password management.

Lock the Database on Inactivity

Configure KeePass to automatically lock the database after a period of inactivity. Navigate to Tools then Options then Security and enable the auto lock settings. This protects the database if you step away from your RDP session.


Support

If you encounter any issues not covered in this guide, the cloudimg support team is available to help.

  • Email: support@cloudimg.co.uk
  • Phone: (+44) 02045382725
  • Website: www.cloudimg.co.uk
  • Address: 3rd Floor, 86 90 Paul Street, London, EC2A 4NE

Support is available for any issues related to the AMI, including connectivity problems, software configuration, and general guidance on using the preconfigured environment.

When contacting support, please include your EC2 instance ID, the AWS region, and a description of the issue along with any relevant error messages or screenshots. Never share your KeePass master password or database file with support personnel.