Offline Mode
Share KeePass Passwords with your Team of multiple users
(KeePass & Mobile clients)
Offline Mode allows Pleasant Password Server users to cache passwords locally so that they can access credentials when disconnected from the server.
Offline Cache is machine dependent. Meaning we will not be able to take an offline cache and move it to another machine.
When setting up your offline cache users will specify a Username/Password. When specifying a Username using the Full UPN format this would require specifying the full username format when logging back in again with offline mode.
This feature can be enabled selectively by administrators, and is possible in:
- KeePass for Pleasant
- Mobile
Sections:
- Enable Offline Caching
- Restrict Offline Caching
- Creating an Offline Cache - From KeePass
- Opening KeePass in Offline Mode
- Setting the KeePass Cache Expiry and Clearing the Cache
Important Notes:
- Read-Only: No changes made to credentials or groups are synced back to the server. If a user makes changes to any entries/groups or adds new items, these changes will be lost upon reconnecting to the server.
- Create a Cache in advance! If a user wants to access their credentials offline they will need to create this cache before going offline from the server.
- 2FA Requirements: Policy 2FA requirements will not be applied when opening the Offline Cache.
Enable Offline Caching
First, users will need to have permissions to store their credentials offline. Users will need to be assigned User Access with an Access Level having the permission to "View Entry Offline."
An administrative user can set this up from the Web Application.
View Entry Offline
Offline Syncing is restricted by the “View Entry Offline” permission in the Access Levels. If a user has an Access Level with this permission, the user is able to sync the credential offline. If they do not have access to a credential with this permission, they then will not be able to cache and view the Entry offline.
Audit Log Records
During an offline sync, an Audit Log record is made for each password that is being cached. A password that has been accessed with Offline Mode by a user has been saved on that user's computer.
Restricting Offline Cache
Ensure that unauthorized users, that you wish to restrict from creating offline caches, do not have an Access Level with the permission "View Entry Offline."
Creating an Offline Cache - From KeePass
Next, users will see a “Disconnect/Cache...” button in the KeePass for Pleasant client allowing to disconnect offline.
Caching Passwords
Pressing this button, will cause passwords to be cached locally. The status will show as Working Offline and will allow the user to click a Connect... button.
Included in the Cache
- All passwords that the user has access to, having the View Entry Offline permission
-
Except any passwords with time limited access
Offline Mode
While the user is in offline mode, the user (nor any other registered user), cannot login into the network via the user's KeePass Client, until it is taken back to online mode.
2FA Requirements
2FA Requirements are not applied when authenticating in Offline Mode. So, it is important that other security precautions are in place with this cached file.
Opening KeePass in Offline Mode
Work Offline
A KeePass user will be shown Work Offline option button at the login prompt (v7.7.2+). This only happens if they have credentials permitted for Offline use (see above for details).
No Connection at Login
If no connection to the server is found at login, the application will attempt to use a previous cache.
Server Connection Lost
If connection to the server is lost, KeePass for Pleasant Password Server can also automatically switch to offline mode. In this case KeePass will try to load a previously saved cache.
Attempting to disconnect and cache passwords with no connection to the server will try to use a previously saved cache. If there is no cache available then nothing can be cached and no credentials are available, the user will need to reconnect to the server to view credentials.
Opening a Cache File
A cache file is fully encrypted and can only be opened indirectly, by logging in using a KeePass for Pleasant client.
Cache Password
The master password for the cache can be set by the user, according to the password requirements of the User's Policy. Cached credentials are stored in the KDBX file format which is the encrypted database format for KeePass.
User Password Changes
If the user changes their password then their cache will not open automatically. If they still need access to the cache they can import the file and use their old password as the master password.
Setting the KeePass Cache Expiry and Clearing the Cache
Cache Expiry
(v7.7.1+ KeePass & Server)
By default the cache does not expire. This can be changed in the Client Configuration by setting the Default Rule to Expire Cache After a set number of days.
Clearing The Cache
The cache can be cleared using the “Clear offline cache…” button in the “Password Server” dropdown menu in the KeePass for Pleasant client.