I'd recommend going (and I do) one step further: lock down the KP config file, and especially the keyfile (definitely use this in addition to a password), to admins only and set the .exe to launch as administrator. The .exe is signed, so at least you have some guarantee it hasn't been modified. Plus, the UAC prompt doesn't look scary like it does for unsigned exes. The password DB (kdbx) can have standard access permissions so it works with whatever sync/backup (Google Drive, Dropbox, etc.) you want to use. It's worthless without the keyfile.

Executables running as administrator have all sorts of protections from other processes in user-land, and most importantly, the keyfile (locked to R/W only by admin) can't be Xcopy exfiltrated by a bog-standard malware process accidentally launched by clicking the wrong thing.

It never made sense to me why this isn't a common recommendation. To me, my password DB, and especially the keyfile and/or the process that decrypts the secrets in memory, are the most important things on my device. Those belong at the highest level of security an OS can offer, not running at the same level as some crap I downloaded from the internet.

I know KeePass also offers Windows DPAPI as an additional option (encryption at the user level). It's been a while since I've dug into DPAPI, but that may offer additional advantages as long as Windows doesn't allow the RSA private key for a user to be extracted running as that user. That, of course, has the significant disadvantage of not being portable, and you better back up that RSA key.
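The setup described in the comment above, written out as a PowerShell script. This is an added example, not code from the commenter or from the KeePass project: it strips the keyfile and KeePass.config.xml down to Administrators and SYSTEM only, leaves the .kdbx with its normal inherited permissions so a sync client can still read it, and sets the always-elevate compatibility flag for KeePass.exe in HKLM (the registry form of the "Run this program as an administrator" checkbox). All four paths are assumptions; substitute your own. Run it from an elevated prompt.

```powershell
# Added example (not from the original comment or from KeePass): admin-only
# keyfile + config, user-readable database, and an always-elevate flag for the exe.
#Requires -RunAsAdministrator

# Assumed paths - adjust to your installation and where you keep the keyfile.
$KeyFile  = 'C:\Secure\keepass.keyx'
$Config   = 'C:\Program Files\KeePass Password Safe 2\KeePass.config.xml'
$Exe      = 'C:\Program Files\KeePass Password Safe 2\KeePass.exe'
$Database = "$env:USERPROFILE\Dropbox\Passwords.kdbx"

# Principals that keep access to the locked-down files.
$AdminOnly = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

function Protect-AdminOnly {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Break inheritance from the parent folder and discard the inherited ACEs,
    # so the standard user who owns the folder no longer inherits read access.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit ACEs that remain (e.g. a per-user grant added earlier).
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    foreach ($principal in $AdminOnly) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-AdminOnly {
    # Re-read the DACL and report any principal outside the allowed set.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $extra = $acl.Access | Where-Object { $_.IdentityReference.Value -notin $AdminOnly }
    if ($extra) {
        Write-Warning "$Path still grants access to: $($extra.IdentityReference.Value -join ', ')"
        return $false
    }
    return $true
}

Protect-AdminOnly -Path $KeyFile
Protect-AdminOnly -Path $Config
# $Database is deliberately left alone: it keeps ordinary inherited permissions
# so Dropbox/Google Drive/backup jobs running as the user can still read it.

# Always-elevate flag. Stored under HKLM rather than HKCU so a process running
# as the standard user cannot simply clear it.
$Layers = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
New-Item -Path $Layers -Force | Out-Null
Set-ItemProperty -Path $Layers -Name $Exe -Value '~ RUNASADMIN'

foreach ($p in $KeyFile, $Config) {
    if (Test-AdminOnly -Path $p) { "OK: $p is accessible to Administrators/SYSTEM only" }
}
"Database left with inherited permissions: $Database"
```

Test-AdminOnly is the check worth keeping around: run it after any sync client, installer or "fix permissions" tool has touched the folder, since those routinely re-apply inherited ACEs and would silently undo the lockdown. Note that the same reasoning the comment gives for the keyfile applies to any backup copy of it: a copy sitting in a user-readable backup location has standard permissions again.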