Setup a KeePass DB for different users and roles.

How to setup a KeePass master DB and export to secondary DBs for user control.

KeePass is an excellent open-source password DB, with lots of plugins, forks and functionality. However, one thing it lacks is multi-user support: we cannot have a master DB with all the usernames/passwords and grant read/write permissions to different users or departments. Or can we?

Well, there are two ways about this. One is to purchase an enterprise flavour of KeePass-compatible software like LastPass, Keeper, Pleasant, Enpass, 1Password, etc.; do a little research, maybe sign up for a trial of each, and then decide which one fits your organization or use case best. The second is the poor man’s hack: use the KeePassSubsetExport plugin, which is enough for home and small and medium-sized enterprise (SME) setups.

This setup works surprisingly well. Basically we have a master KeePass DB with all the entries; then, depending on the tags on each entry, KeePassSubsetExport creates a separate KeePass DB from those tags and a couple of settings of its own. These exports are great because they can be created in different locations, with different names and different DB passwords, so we can have separate KeePass DBs for development, systems, networking, DevOps, management, you name it.

I am going to explain how to do this setup step by step with a new KeePass DB that I will create for this task.

Step 1.- Let’s install KeePass for Windows (sorry about this, but the original KeePass is the only one I know of that has plugin support).

Once installed, we will create a new database called RootDatabase and save it under a new folder in My Documents called KDB.

KeePass default entries created for you.

As we can see in the screenshot, KeePass creates a default sample group structure with a couple of sample entries, to help us out when using KeePass for the first time.

From Windows Explorer, we will also create a couple of folders called DEV & DOP under Documents/KDB.

Create a KDB folder to store KeePass DBs (for example)

Step 2.- Let’s install the KeePassSubsetExport plugin in our KeePass.

Go to the KeePassSubsetExport project page: https://github.com/lukeIam/KeePassSubsetExport/releases

and download the KeePassSubsetExport.plgx file from the latest release listed.

Once downloaded, move it to your KeePass Plugins folder (typically C:\Program Files (x86)\KeePass Password Safe 2\Plugins).

Step 3.- KeePass loads its plugins at startup, so we need to close and reopen KeePass in order to use the new plugin.

Step 4.- Let’s fill in a few entries in KeePass and add some tags to them.

We can easily copy the 2 sample entries in the root group: select both and press Ctrl+K, which duplicates them, adding “– copy” at the end of each title. Move these entries to the Windows group and rename the “– copy” suffix to “– DEV” (double-clicking an entry lets you edit it).

Add Tags to your entries

Now we will add a tag to these 2 entries in the Windows group: select them both, right-click, Edit Entry (Quick) > Add Tag > New Tag > DEV.

Now we repeat the previous step, but this second time we change “– copy” to “– DOP” and move the 2 new entries to the Internet group. Then we add the tag DOP, which will have to be created as before (Edit Entry (Quick) > Add Tag > New Tag > DOP).

Step 5.- We’ll configure the plugin so that every time we save the KeePass DB, 2 additional DBs are created: one for development (tag: DEV) and another for DevOps (tag: DOP). So far we have 6 entries: 2 without tags, 2 with the DEV tag and 2 with the DOP tag, so when we save, the original KeePass DB will have all 6 entries, the DEV DB will have 2 and the DOP DB will have the other 2.

To enable this behaviour, all we need to do is create a group (folder) called SubsetExportSettings and, inside it, 2 entries: SubsetExportDEV & SubsetExportDOP. Let’s go step by step:

To create a group in KeePass, select the root group, right-click and select Add New Group > SubsetExportSettings:

Plugin Settings

Once we have the group, we select it and, in the right panel, add a new entry (Ctrl+I) with the title SubsetExportDEV. In the password field we enter the password that this exported DB will be opened with (its KeePass master password); in the example it will be Developer5.

Now don’t press OK just yet: switch to the Advanced tab and add a String Field called SubsetExport_Tag with the value DEV:
Setting to control the TAG that will be exported on this KDB.

Now you can press OK, and add a new string field: SubsetExport_TargetFilePath. In the value field we enter the path of the DEV DB that we want to save to; in my example it will be C:\Users\cijalba\Documents\KDB\DEV\kdb-DEV.kdbx

Setting to control where the exported KDB will be saved to

Press OK, and you will now have the 2 string fields that control the KeePassSubsetExport plugin.

SubSetExport Entries

OK, so we have the SubsetExportDEV entry created. Now we select it, right-click > Duplicate Entry (Ctrl+K), rename it to SubsetExportDOP and change all the settings accordingly: the SubsetExport_Tag value from DEV to DOP, and SubsetExport_TargetFilePath to C:\Users\cijalba\Documents\KDB\DOP\kdb-DOP.kdbx.

That’s it, we have it all set up now!
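To see what the configuration above actually does on each save, here is an in-memory model of the plugin's behaviour. It is an added example, not code from the blog post or from the KeePassSubsetExport project: it reads the settings entries exactly as described (the entry password becomes the export's master password, SubsetExport_Tag selects entries, SubsetExport_TargetFilePath names the output), filters the tree by tag and drops groups that end up empty. Group names, entry titles, tags, target paths and the DEV password are the ones from the post; the DOP password is a placeholder and the empty "Network" group is a constructed sample. One consequence worth noticing while reading it: every export password lives in the master DB, so anyone who can open the master DB can read all of them, and the duplicated SubsetExportDOP entry needs a password of its own.

```python
# Added example, not part of the blog post or the KeePassSubsetExport project:
# an in-memory model of what the plugin does on every save, so we can reason
# about what each export should contain before opening it in KeePass.
# Group names, entry titles, tags, target paths and the DEV password are the
# ones used in the post; the DOP password is a placeholder and the empty
# "Network" group is a constructed sample to show that empty groups are pruned.
from dataclasses import dataclass, field


@dataclass
class Entry:
    title: str
    password: str
    tags: set = field(default_factory=set)
    strings: dict = field(default_factory=dict)  # custom string fields (Advanced tab)


@dataclass
class Group:
    name: str
    entries: list = field(default_factory=list)
    groups: list = field(default_factory=list)


def read_export_jobs(root):
    """One job per entry in the SubsetExportSettings group.

    The entry's password field becomes the master password of that export, so
    anyone who can open the master DB can read every export password."""
    jobs = []
    for g in root.groups:
        if g.name != "SubsetExportSettings":
            continue
        for e in g.entries:
            jobs.append({
                "target": e.strings["SubsetExport_TargetFilePath"],
                "password": e.password,
                "tag": e.strings["SubsetExport_Tag"],
            })
    return jobs


def subset(group, tag, is_root=False):
    """Copy of `group` keeping only entries that carry `tag`; subgroups left
    with no entries at all are dropped (the plugin does not export empty groups)."""
    kept_entries = [e for e in group.entries if tag in e.tags]
    kept_groups = []
    for sub in group.groups:
        pruned = subset(sub, tag)
        if pruned is not None:
            kept_groups.append(pruned)
    if not is_root and not kept_entries and not kept_groups:
        return None
    return Group(group.name, kept_entries, kept_groups)


def count_entries(group):
    return len(group.entries) + sum(count_entries(g) for g in group.groups)


def group_names(group):
    """Names of all subgroups, depth first."""
    names = []
    for g in group.groups:
        names.append(g.name)
        names.extend(group_names(g))
    return names


def simulate_save(root):
    """What one save of the master DB produces: {target path: exported tree}."""
    return {job["target"]: subset(root, job["tag"], is_root=True)
            for job in read_export_jobs(root)}


def build_sample_master():
    """The 8 entries the post ends up with: 2 untagged samples in the root,
    2 DEV entries in Windows, 2 DOP entries in Internet, 2 settings entries."""
    root = Group("RootDatabase")
    root.entries = [Entry("Sample Entry", "pw1"), Entry("Sample Entry #2", "pw2")]
    windows = Group("Windows", [Entry("Sample Entry - DEV", "pw1", {"DEV"}),
                                Entry("Sample Entry #2 - DEV", "pw2", {"DEV"})])
    internet = Group("Internet", [Entry("Sample Entry - DOP", "pw1", {"DOP"}),
                                  Entry("Sample Entry #2 - DOP", "pw2", {"DOP"})])
    settings = Group("SubsetExportSettings", [
        Entry("SubsetExportDEV", "Developer5", strings={
            "SubsetExport_Tag": "DEV",
            "SubsetExport_TargetFilePath": r"C:\Users\cijalba\Documents\KDB\DEV\kdb-DEV.kdbx"}),
        Entry("SubsetExportDOP", "<DOP-export-password>", strings={  # placeholder password
            "SubsetExport_Tag": "DOP",
            "SubsetExport_TargetFilePath": r"C:\Users\cijalba\Documents\KDB\DOP\kdb-DOP.kdbx"}),
    ])
    root.groups = [windows, Group("Network"), internet, settings]  # Network: constructed, empty
    return root


if __name__ == "__main__":
    for target, tree in simulate_save(build_sample_master()).items():
        print(target, count_entries(tree), "entries, groups:", group_names(tree))
```

Running it prints the two target paths from the post, each with 2 entries and a single group (Windows for DEV, Internet for DOP); the empty Network group and the root-level untagged samples never reach either export.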

Step 6.- Save the KeePass DB and check that the other DBs have been created in the specified locations, that they open with their respective passwords, and that we can only see the entries tagged as we wanted (note that empty groups are not exported, so DEV will only have the Windows group and DOP only the Internet group).

As we can have more than one KeePass DB open at the same time, I suggest opening our 3 DBs and comparing them.

One tip I use to check different DBs is to click in the KeePass search field and press Enter: that shows all the entries of the DB in the right pane and, most importantly, the total number of entries of the open DB in the status bar at the bottom, as we can see in this screenshot:

All keepass DB entries

Now switch tabs to the other KeePass DBs, search box > Enter, and compare the results across the 3 different DBs.
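The manual comparison above catches wrong contents; a cheaper check that can run after every save, for instance from a scheduled task, is that each configured export file actually exists, is a real KDBX database and was rewritten when the master was. The following script is an added example (not code from the post or the plugin): it validates the 12-byte KDBX 2.x header (two signature dwords and the format version) without opening the database, so no export password is needed, and flags files that are missing, corrupt or older than the master. run_demo() builds constructed sample files in a temporary directory; in real use you would pass the master path and the SubsetExport_TargetFilePath values from Step 5.

```python
# Added example, not from the blog post or the KeePassSubsetExport project: a
# post-save check that every configured export exists, starts with a valid KDBX
# 2.x header (so it is an encrypted KeePass database rather than an empty or
# half-written file) and is not older than the master DB. It never opens the
# databases, so no export password is needed. run_demo() builds constructed
# sample files in a temp dir; the real paths are the ones configured in Step 5.
import os
import struct
import tempfile
import time

KDBX_SIG1 = 0x9AA2D903  # first dword of the KeePass 2.x (KDBX) file signature
KDBX_SIG2 = 0xB54BFB67  # second dword of the KDBX signature


def parse_kdbx_version(header):
    """Return (major, minor) format version from the first 12 header bytes, or raise."""
    if len(header) < 12:
        raise ValueError("too short to be a KDBX file")
    sig1, sig2, version = struct.unpack("<III", header[:12])
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        raise ValueError("KDBX signature missing")
    return version >> 16, version & 0xFFFF


def check_exports(master_path, export_paths, tolerance_s=60):
    """Map each export path to (status, detail); status is one of
    'ok', 'missing', 'invalid', 'stale'. An export written more than
    tolerance_s before the master's last save is reported as stale."""
    master_mtime = os.path.getmtime(master_path)
    results = {}
    for path in export_paths:
        if not os.path.isfile(path):
            results[path] = ("missing", "export file not found")
            continue
        try:
            with open(path, "rb") as fh:
                major, minor = parse_kdbx_version(fh.read(12))
        except ValueError as exc:
            results[path] = ("invalid", str(exc))
            continue
        if master_mtime - os.path.getmtime(path) > tolerance_s:
            results[path] = ("stale", f"older than master (KDBX {major}.{minor})")
            continue
        results[path] = ("ok", f"KDBX {major}.{minor}")
    return results


def build_sample_files(base_dir):
    """Constructed sample layout mirroring the post's KDB folder: one good export,
    one stale export, one corrupt file; the fourth path is never created."""
    header = struct.pack("<III", KDBX_SIG1, KDBX_SIG2, 0x00040000)  # KDBX 4.0
    master = os.path.join(base_dir, "RootDatabase.kdbx")
    dev = os.path.join(base_dir, "DEV", "kdb-DEV.kdbx")
    dop = os.path.join(base_dir, "DOP", "kdb-DOP.kdbx")
    broken = os.path.join(base_dir, "broken.kdbx")
    missing = os.path.join(base_dir, "OPS", "kdb-OPS.kdbx")
    for path in (dev, dop):
        os.makedirs(os.path.dirname(path), exist_ok=True)
    for path, body in ((master, header + b"\0" * 32), (dev, header + b"\0" * 32),
                       (dop, header + b"\0" * 32), (broken, b"not a database")):
        with open(path, "wb") as fh:
            fh.write(body)
    now = time.time()
    os.utime(master, (now, now))
    os.utime(dop, (now - 3600, now - 3600))  # pretend DOP was not rewritten on save
    return master, [dev, dop, broken, missing]


def run_demo():
    base = tempfile.mkdtemp(prefix="kdb-check-")
    master, exports = build_sample_files(base)
    return check_exports(master, exports)


if __name__ == "__main__":
    for path, (status, detail) in run_demo().items():
        print(f"{status:8} {path}  ({detail})")
```

The header check is deliberately shallow: a valid signature proves the file was produced by a KeePass 2.x writer, not that its contents are the intended subset, so it complements the entry-count comparison above rather than replacing it.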

Final Notes.- To use this setup in a networked environment, we can set the export file paths to UNC paths, so we can export directly to a path like \\nas-box01\dev\dev.kdbx and give each DB additional protection through folder and file user permissions on top of the KeePass master password. That way a user needs access to the folder first, to the KeePass DB file second, and to the DB password third, which is quite secure (if additional security is needed, a KeePass key file can be added to the equation; look at the KeePass documentation).

2 thoughts on “Setup a KeePass DB for different users and roles.”

  1. Is there a way to add a new entry only in the root such that it will be distributed to the associated children automatically?

    1. Adding an entry on root with all the children tags will copy that entry to each associated children…

      If you want to automate it, you can use the CLI:

      https://keepass.info/help/v2_dev/scr_sc_index.html

      The only thing is that you will probably need 2 commands, one to create the entry and another one to add the tags, as it looks like adding tags on AddEntry is not supported yet under KPScript:

      KPScript -c:AddEntry "C:\KeePass\MyDb.kdbx" -pw:MyPw -Title:"AUTO_ENTRY" -GroupName:"AUTO_GROUP"

      KPScript -c:EditEntry "C:\KeePass\MyDb.kdbx" -pw:MyPw -ref-Title:"AUTO_ENTRY" -refx-Tags:"CHILDREN1"
