Clone wiki

KeeOtp / Home


This is a plugin for the password management program KeePass. It adds the ability to generate timed one time passwords from a secret key that is stored in the KeePass database.

This plugin is released under an MIT License which is compatible with the GNU GPL GNU Compatible License List (referred to as Expat in the GNU GPL compatibility list) that KeePass is released under.

It is based largely on a library called OTP-Sharp which does all the heavy lifting in calculating one time passwords. OtpSharp is also released under an MIT License.

Release Notes




Every effort has gone into ensuring that KeeOtp generates correct TOTP codes and that KeeOtp is bug free and will preserve your secret key.

Nevertheless it is up to you to Ensure that all measures are taken to safeguard your key.

Most systems that rely on TOTP are very hard to unlock if you lose your secret key. In the case of Google 2-step verification you should ensure that you have backup options (SMS, printed list of one time codes) in the unlikely event that KeeOtp fails to preserve your key. Dropbox provides an unlock code that disables this feature. These measures are your responsibility.

Other systems may have different options and it is your responsibility to preserve whatever data may be needed if KeeOtp should fail. This may be in another entry in KeePass or another hardened store of some kind.


If you encounter any bugs or want to see a feature added, feel free to open a ticket under the issues tab. Please search to see if it already exists first. If so, you can add a comment instead.


See the main Troubleshooting page.


This plugin supports the TOTP standard and should work with any service that is compliant with RFC 6238 and uses SHA1 as the HMAC hashing algorithm. SHA-256 and SHA-512 are not currently supported but likely will be in the near future. It supports any specified time step and will generate 6 or 8 digit codes.

Warning. Only change the time step if the service that you are using this with tells you to. It won't work if your time step is different from theirs.

The key must be provided in base32. If the service doesn't provide the shared secret key in base32 (most do) then it must be converted first.

This plugin supports generating one time passwords for

  • Google 2 Step Verification
  • Amazon Web Services Multi Factor Authentication
  • Dropbox two-step verification
  • Facebook
  • Any standard TOTP (Timed One Time Password) implementation that uses SHA1 as the HMAC hashing algorithm (the underlying library supports all hashes in the TOTP RFC specification so other hashing algorithms are possible) that let you have the secret key.


To install simply drop the KeeOtp.dll and the OtpSharp.dll in the root of your KeePass directory. The dlls can be obtained either by building the source yourself using msbuild or by downloading the latest zip file on the downloads section of this site.


This works by storing a shared secret key in your encrypted KeePass database and using that information coupled with the current time to generate rolling codes that can be entered into the verification system. You will need to generate a current code from the key stored in the KeePass database each time you need to re-authenticate.

Initial Setup

When enabling TOTP on your verification system, you will be provided with a key. Often this comes in the form of a QR code. In most cases you can also get a base32 encoded key as well. This can be of varying lengths. Once the plugin is installed, every entry in KeePass will have a new option labeled "One Time Password" in the context menu of the entry.

Right click on the entry that you wish to add TOTP to (or create a new one) and select the "One Time Password" option. If there is no key associated with that entry, you will be taken to a form where you can enter it.

Paste the key into the textbox and click OK. You should now be looking at a rolling time based authentication code for that key.

Clock Drift

KeeOtp relies on the current time in order to accurately produce a TOTP verification code. If your clock is off significantly from the clock of the server then they may not accept the code. You should ensure that your system clock is set correctly. TOTP is a rather precise operation so an incorrect time by even a minute will likely render your codes invalid (unless the verifying system accepts a wide range of codes). Additionally the time zone setting must also be correct since TOTP codes are calculated against UTC. If your timezone setting (or daylight savings setting) is incorrect the time could differ from the verifying system's time by hours.

There is currently no setting to apply a time correction factor to the code generation so it is up to you to ensure a correct system time.

Obtaining an authentication code

Simply right click on the entry in KeePass and select "One Time Password" You will be shown the current password as well as the amount of time that it will remain current (the service may choose to accept a range of codes in addition to the current code.)

Alternatively you can select the "Copy TOTP to Clipboard" option to put the current TOTP in the clipboard. It will be automatically cleared as per your KeePass clipboard settings.

Auto Type

As of version 1.0.4 there is a custom placeholder that allows a TOTP code to be entered into the system with the KeePass auto type system. To configure this go into the settings of your KeePass entry that contains your TOTP key. Navigate to the Auto-Type tab. Configure your custom sequence with the placeholder {totp}. The {totp} will be replaced with your current totp authentication code.