Add view menu option to allow screenshots for temporary period of time
Overview
KeePass 2.7.0 main window is invisible in a remote session with TeamViewer or AnyDesk --> problem with new feature "Prevent screen capture"?
Steps to Reproduce
- Connect to your remote pc with TeamViewer or AnyDesk
- Open KeePassXC on the remote machine
- The program opens in tray, but the window is not visible. On screen of the remote machine, the window is visible normally, but not in remote software window.
Expected Behavior
The program should be usable with a remote software like TeamViewer or AnyDesk. Optionally, if this conflicts with the screen capture prevention feature, it should be possible to disable this feature.
Actual Behavior
The main window stays invisible.
KeePassXC - Version 2.7.0 Revision: d7a9ef4
Operating System: Windows 10 and 11
https://keepassxc.org/docs/KeePassXC_UserGuide.html#_screenshot_security
Is there a chance of making this a configurable checkbox in the settings? I'm unsure of how to pass the flag to the automated start-up of KeePassXC, and I really do need to disable this all the time as I am using Windows in a VM and it is always considered "screen capture", so it's impossible for me to use KeePassXC now.
> Is there a chance of making this a configurable checkbox in the settings? I'm unsure of how to pass the flag to the automated start-up of KeePassXC, and I really do need to disable this all the time as I am using Windows in a VM and it is always considered "screen capture", so it's impossible for me to use KeePassXC now.
+1
We specifically did not make this a configuration option because you can "forget" it is allowed and spill information. You can easily add the command line parameter to the auto-start definition in the registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Look for the KeePassXC entry.
Most other "dangerous" settings (like running a beta version) tend to create banners at the top of the window, so a "Screenshots are enabled!" banner could probably fix the "you forgot to turn screenshot protection back on" problem
A "Screenshots are enabled!" banner is exactly what you don't want if you intend to make screenshots of KeePassXC.
> A "Screenshots are enabled!" banner is exactly what you don't want if you intend to make screenshots of KeePassXC.
Unless you can close it. Then the banner reminds, user closes it and continues as usual. I'd also argue that it's far easier to forget a modified registry entry or modified shortcut than a setting. The setting is more visible (though not by much).
I think users who have the need to disable screenshot protection can also be trusted to be knowledgeable enough to disable it again if they don't need it anymore.
@droidmonkey If you're worried about it being forgotten, then have a timer since it's probably temporary anyways?
Pulling control out of the user's hands isn't exactly a great option here, and guaranteed the registry key will be much more easily forgotten than a checkbox as googlers end up here.
Security at the cost of convenience comes at the cost of security
and all
I just want to take a one-off screenshot -_-
> Pulling control out of the user's hands isn't exactly a great option here, and guaranteed the registry key will be much more easily forgotten than a checkbox as googlers end up here.
You have full control with the command line flag. Actually happy we didn't just have a config option because those using remote desktop and such would have to edit the ini config file to set the option.
If you want to take screenshots just make a shortcut that has the command line flag and open keepassxc using that shortcut.
Is it possible to change this setting at runtime of the app? In that case a "hotkey" might be a good compromise. I have other software which toggles the screen capture by hitting "print screen" with a dialog if the app should allow screen capture and shift-print-screen disables it again.
Also helps a lot when trying to help someone via TeamViewer if I can just tell them to hit print screen...
Yikes. That is precisely what we are trying to prevent with this. Remote support inadvertently or purposefully exposing the secrets of the end user through remote desktop or screensharing software. If your users are conditioned to let you see their password database then they won't hesitate to do so when social engineered.
Tell them to read the user guide for assistance. If it's not clear, tell us so we can make edits.
Well, users in that case are my parents and grandparents, which I'm trying to get away from birthdays and six letter passwords for dozens of websites. So no, telling them to RTFM won't help here.
I'm reading this discussion right now and am puzzled by the reasoning. For example I have the problem that until now I have not been able to start KeePassXC on the Mac with the --allow-screencapture parameter. Maybe I'm just too stupid. If yes, please help. I also help many users via Teamviewer and it was me who informed the users about the meaning of good passwords and password managers. Still, many find it difficult to deal with. That hasn't been a problem so far because I was always able to help. I support the users with it whenever they have a problem. Unfortunately, this is no longer possible. I personally think that everyone should decide for themselves whether or not to allow screencapturing. And I can't understand the argument that the users I help and you let me into your password manager don't bother about their passwords or become careless, exactly the opposite is the case. If there is no option to bypass or switch off this lock on the Mac in the foreseeable future, even if only temporarily and / and with a clear warning, then the program will no longer be useful for me and many of my supervised users. If there is this option on the Mac, I would be grateful for a hint how I can implement it without forcing the unsuspecting user to start the program with parameters that don't seem to work via the shell. Please reconsider adding it as an option. It would be a pity if users had to save their access data in their browser again in the future due to the lack of an alternative. I'm curious if you can offer a solution.
Again I reiterate that if our documentation is not sufficient then let us know. Until we make a change to allow this from the view menu, you'll have to have them start with the command line switch.
I think that most people should be able to sufficiently do it if they follow a few easy, simple steps. (The following is aimed primarily at Windows users, but similar functionality should be applicable across all OSs, even if the methodology is different).
- Make a copy of the existing shortcut.
- Rename the new shortcut to name of choice, indicating SS enabled.
- Edit the path / target to include the argument.
Et voila - 2 shortcuts, one for no SS mode and one for SS mode.
Even better if you manage enterprise systems you can push the screenshot enabled shortcut via GPO.
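An audit for the two workarounds described in this thread (the HKCU Run entry and a second shortcut), added here as an example and not part of the original discussion or of KeePassXC itself: it lists every per-user auto-start entry and every Desktop or Start Menu shortcut that launches KeePassXC with `--allow-screencapture`, so the override is not forgotten. The function name and the choice of folders to scan are assumptions.

```powershell
# Added example (not KeePassXC project code). Reports where KeePassXC is
# configured to start with screenshot protection disabled. Read-only.
function Find-KeePassXCScreenCaptureOverride {   # hypothetical name
    $flag   = '--allow-screencapture'
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    # Properties added by the registry provider, not real Run values.
    $meta   = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

    # 1. Per-user auto-start definitions (the registry path from the thread).
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -in $meta) { continue }
            $cmd = [string]$p.Value
            if ($cmd -like '*KeePassXC*' -and $cmd -like "*$flag*") {
                [pscustomobject]@{ Source = 'Run key'; Name = $p.Name; Command = $cmd }
            }
        }
    }

    # 2. Shortcuts whose Target carries the flag (assumed scan locations:
    #    user and all-users Desktop and Start Menu).
    $shell = New-Object -ComObject WScript.Shell
    $dirs = 'DesktopDirectory','StartMenu','CommonDesktopDirectory','CommonStartMenu' |
        ForEach-Object { [Environment]::GetFolderPath($_) } |
        Where-Object { $_ -and (Test-Path $_) }
    if ($dirs) {
        $links = Get-ChildItem -Path $dirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue
        foreach ($lnk in $links) {
            $sc = $shell.CreateShortcut($lnk.FullName)   # opens the existing .lnk
            if ($sc.TargetPath -like '*KeePassXC*' -and $sc.Arguments -like "*$flag*") {
                [pscustomobject]@{
                    Source  = 'Shortcut'
                    Name    = $lnk.FullName
                    Command = '"{0}" {1}' -f $sc.TargetPath, $sc.Arguments
                }
            }
        }
    }
}

Find-KeePassXCScreenCaptureOverride | Format-Table -AutoSize -Wrap
```

An empty result means none of the scanned locations start KeePassXC with the flag; shortcuts stored elsewhere are not covered.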
I do understand the security considerations but NOT revealing some options through the UI seems to be a bad design decision, making life hard for people who need it. Another suggestion: In the options "for Browser integration" there is a separate tab "Advanced" hiding the dangerous options, there is even a warning banner permanently shown. How about a tab "expert/dangerous options" with permanent warning banner, that should enable a good compromise.
Just a note to say thank you for this thread - I hadn't thought to look in HKEY_CURRENT_USER and was running in circles trying to find the KeePassXC entry in 'Run' (I kept looking in HKEY_LOCAL_MACHINE ¯\_(ツ)_/¯)
The KeePassXC documentation IS very complete. I don't know if there might be unintended consequences of having the registry path shared there, but it might be helpful to do so.
In any case, thank you for your time here.
Hello all. When adding the flag and trying to run from command line, I am getting an error: Unknown option 'allow-screenshare'. Do I have the flag wrong? I am on Windows and following instructions that go like this:
"Create a desktop shortcut for KeePassXC.exe, and open its Properties window. Add the following argument at the end of the Target field, --allow-screencapture. Hit OK, and the program will let you capture screenshots of the interface."
The command is not recognized.
Any ideas?
The flag should be outside the program path - which itself should be in quotes:
"C:\installpathtoexecuteable\KeePassXC.exe" --allow-screencapture
Thanks so much for responding. This doesn't seem to solve my problem. Here is what I have in the Target field of the shortcut: "C:\Program Files\KeePassXC\KeePassXC.exe" --allow-screencapture (This is a correct path for sure)
Error when trying to run the app by double clicking on the shortcut is: Unknown option --allow-screencapture.
When I remove the flag, the application runs from that shortcut. Any other suggestions? Thanks again for your help.
So, it finally worked out. I just had to update to the last version of KeePassXC and follow the instruction that fathermaurer provided. Thank you for your help fathermaurer.
@fathermaurer: I recommend the software Autoruns, which lists autostart apps from every possible location.
> Again I reiterate that if our documentation is not sufficient then let us know. Until we make a change to allow this from the view menu, you'll have to have them start with the command line switch.
The documentation is not sufficient. I struggled for ages trying to figure out how to do it for a bug report and ultimately failed since none of the instructions are applicable for a Mac. When the only available documentation tells you to run "keepassxc.exe" in the command line you're already off to a bad start.
I have exactly the same problem. I still haven't been able to figure out how to launch the program with screenshots allowed on Mac. Please give us exact instructions on how to pass the parameter on the Mac. It would be helpful if it would work via an alias or something similar. The aim is still to give the users I look after an easy way to start the program with or without screencapture allowed so that I can help them remotely.
On macOS, first quit any open copies of KeePassXC, then in a terminal window type:
open -a keepassxc --args --allow-screencapture
Today I discovered that if you have KeePassXC running in an RDP session, resizing the RDP window on the host and then taking a screenshot on the host makes screenshots of the opened KeePass window possible. Even if keyboard and clipboard are shared with the RDP session. KeePass is unable to detect that.
We won't make this a configuration option, since it kind of defeats the purpose. We might install a secondary launcher by default, but generally, this is an expert option.
Actually I was thinking of making an "Allow screenshots for 5 minutes" or something in the view menu so people can screenshot their database for bug reports.