Update all documentation for 2.7.0

* Update INSTALL.md to align with Wiki
* Add sections for new 2.7.0 features including Quick Unlock, Tags, Browser Integration settings, Auto-Type improvements, etc.
* Update all documentation images to show new interface details
* Expand documentation for database operations

INSTALL.md

@@ -14,18 +14,19 @@ The following tools must exist within your PATH:
 * make
 * cmake (>= 3.3.0)
 * g++ (>= 4.7) or clang++ (>= 6.0)
-* asciidoctor
+* asciidoctor (>= 2.0)
 
 The following libraries are required:
 
 * Qt 5 (>= 5.9.5): qtbase5, qtbase5-private, libqt5svg5, qttools5, qt5-image-formats-plugins
 * botan (>= 2.12)
+* libargon2
 * zlib
 * minizip
 * readline (for completion in cli)
-* libqt5x11extras5, libxi, and libxtst (for auto-type on X11)
+* qtx11extras, libxi, and libxtst (for auto-type on X11)
 * qrencode
-* libusb-1.0, pcsclite (optional to support YubiKey on Linux)
+* libusb-1.0, pcsc-lite (for Yubikey support on Linux)
 
 Prepare the Building Environment
 ================================
@@ -38,110 +39,119 @@ Build Steps
 ===========
 We recommend using the release tool to perform builds, please read up-to-date instructions [on our wiki](https://github.com/keepassxreboot/keepassxc/wiki/Building-KeePassXC#building-using-the-release-tool).
 
-To compile from source, open a **Terminal (on Linux/MacOS)** or a **MSYS2-MinGW shell (on Windows)**<br/>
-**Note:** on Windows you can also use MSVC to build natively, we recommend Visual Studio 2019
+To compile from source, open a **Terminal (Linux/MacOS)**, the **MSVC Tools Command Prompt (Windows)**, or **MSYS2-MinGW shell (Windows)**. For code development on Windows, you can use Visual Studio 2022, Visual Studio Code, or CLion.
 
-First, download the KeePassXC [source tarball](https://keepassxc.org/download#source)
-or check out the latest version from our [Git repository](https://github.com/keepassxreboot/keepassxc).
+1. Download the KeePassXC [source tarball](https://keepassxc.org/download#source) or check out the latest version from our [Git repository](https://github.com/keepassxreboot/keepassxc).
 
-To clone the project from Git, `cd` to a suitable location and run
+   To clone the project from Git, `cd` to a suitable location and run
 
-```bash
-git clone https://github.com/keepassxreboot/keepassxc.git
-```
+   ```
+   git clone https://github.com/keepassxreboot/keepassxc.git
+   ```
 
-This will clone the entire contents of the repository and check out the current `develop` branch.
+   This will clone the entire contents of the repository and check out the current `develop` branch.
 
-To update the project from within the project's folder, you can run the following command:
+   To update the project from within the project's folder, you can run the following command:
 
-```bash
-git pull
-```
+   ```
+   git pull
+   ```
 
-For a stable build, it is recommended to checkout the master branch.
+   For a stable build, it is recommended to check out the master branch.
 
-```bash
-git checkout master
-```
+   ```
+   git checkout master
+   ```
 
-NOTE: See the [Windows Build Instructions](https://github.com/keepassxreboot/keepassxc/wiki/Building-KeePassXC#windows) for building with MSVC.
+2. Navigate to the directory where you have downloaded KeePassXC and type these commands:
 
-Navigate to the directory where you have downloaded KeePassXC and type these commands:
+   ```
+   mkdir build
+   cd build
+   cmake -DWITH_XC_ALL=ON ..
+   make
+   ```
+
+Note: These steps place the compiled KeePassXC binary inside the `./build/src/` directory.
+
+## MacOS Build Notes
+
+If you installed Qt5 via Homebrew, you should be able to compile KeePassXC without any changes. If CMake fails to find your Qt installation, you can specify it manually by adding the following parameter:
+
+`-DCMAKE_PREFIX_PATH=/usr/local/opt/qt/lib/cmake`
+
+(or whatever your Qt installation path is)
+
+When building with ASAN support on macOS, you need to use `export ASAN_OPTIONS=detect_leaks=0` before running the tests (LSAN is no supported on macOS).
+
+## Windows Build Notes
+
+For detailed build steps see the [Windows Build Instructions](https://github.com/keepassxreboot/keepassxc/wiki/Building-KeePassXC#windows).
+
+If you are using MSVC, you may have to specify your Vcpkg toolchain by adding the following CMake parameter: `-DCMAKE_TOOLCHAIN_FILE=C:\vcpkg\scripts\buildsystems\vcpkg.cmake`
+
+If you are using MSYS2, you have to add ```-G "MSYS Makefiles"``` at the beginning of the cmake command.
+
+CMake Configuration Options
+==========================
+
+## Common Parameters
 
 ```
-mkdir build
-cd build
-cmake -DWITH_XC_ALL=ON ..
-make
+-DCMAKE_INSTALL_PREFIX=/usr/local
+-DCMAKE_VERBOSE_MAKEFILE=ON
+-DCMAKE_BUILD_TYPE=<RelWithDebInfo/Debug/Release>
+-DWITH_GUI_TESTS=ON
 ```
 
-NOTE: If you are using MSYS2, you may have to add ```-G "MSYS Makefiles"``` to the beginning of the cmake command.
+## KeePassXC Parameters
 
-These steps place the compiled KeePassXC binary inside the `./build/src/` directory.
-(Note the cmake notes/options below.)
+KeePassXC comes with a variety of build options that can turn on/off features. Most notably, we allow you to build the application with all TCP/IP networking code disabled. Please note that we still require and link against Qt5's network library in order to use local named pipes on all operating systems. Each of these build options are supplied at the time of calling cmake:
 
-**Cmake Notes:**
+```
+-DWITH_XC_AUTOTYPE=[ON|OFF] Enable/Disable Auto-Type (default: ON)
+-DWITH_XC_YUBIKEY=[ON|OFF] Enable/Disable YubiKey HMAC-SHA1 authentication support (default: OFF)
+-DWITH_XC_BROWSER=[ON|OFF] Enable/Disable KeePassXC-Browser extension support (default: OFF)
+-DWITH_XC_NETWORKING=[ON|OFF] Enable/Disable Networking support (e.g., favicon downloading) (default: OFF)
+-DWITH_XC_SSHAGENT=[ON|OFF] Enable/Disable SSHAgent support (default: OFF)
+-DWITH_XC_FDOSECRETS=[ON|OFF] (Linux Only) Enable/Disable Freedesktop.org Secrets Service support (default:OFF)
+-DWITH_XC_KEESHARE=[ON|OFF] Enable/Disable KeeShare group synchronization extension (default: OFF)
+-DWITH_XC_ALL=[ON|OFF] Enable/Disable compiling all plugins above (default: OFF)
 
-* Common cmake parameters
+-DWITH_XC_UPDATECHECK=[ON|OFF] Enable/Disable automatic updating checking (requires WITH_XC_NETWORKING) (default: ON)
 
-	```
-	-DCMAKE_INSTALL_PREFIX=/usr/local
-	-DCMAKE_VERBOSE_MAKEFILE=ON
-	-DCMAKE_BUILD_TYPE=<RelWithDebInfo/Debug/Release>
-	-DWITH_GUI_TESTS=ON
-	```
+-DWITH_TESTS=[ON|OFF] Enable/Disable building of unit tests (default: ON)
+-DWITH_GUI_TESTS=[ON|OFF] Enable/Disable building of GUI tests (default: OFF)
+-DWITH_DEV_BUILD=[ON|OFF] Enable/Disable deprecated method warnings (default: OFF)
+-DWITH_ASAN=[ON|OFF] Enable/Disable address sanitizer checks (Linux / macOS only) (default: OFF)
+-DWITH_COVERAGE=[ON|OFF] Enable/Disable coverage tests (GCC only) (default: OFF)
+-DWITH_APP_BUNDLE=[ON|OFF] Enable Application Bundle for macOS (default: ON)
 
-* cmake accepts the following options:
-
-	```
-	  -DWITH_XC_AUTOTYPE=[ON|OFF] Enable/Disable Auto-Type (default: ON)
-	  -DWITH_XC_YUBIKEY=[ON|OFF] Enable/Disable YubiKey HMAC-SHA1 authentication support (default: OFF)
-	  -DWITH_XC_BROWSER=[ON|OFF] Enable/Disable KeePassXC-Browser extension support (default: OFF)
-	  -DWITH_XC_NETWORKING=[ON|OFF] Enable/Disable Networking support (e.g., favicon downloading) (default: OFF)
-	  -DWITH_XC_SSHAGENT=[ON|OFF] Enable/Disable SSHAgent support (default: OFF)
-	  -DWITH_XC_FDOSECRETS=[ON|OFF] (Linux Only) Enable/Disable Freedesktop.org Secrets Service support (default:OFF)
-	  -DWITH_XC_KEESHARE=[ON|OFF] Enable/Disable KeeShare group synchronization extension (default: OFF)
-	  -DWITH_XC_ALL=[ON|OFF] Enable/Disable compiling all plugins above (default: OFF)
-
-	  -DWITH_XC_UPDATECHECK=[ON|OFF] Enable/Disable automatic updating checking (requires WITH_XC_NETWORKING) (default: ON)
-
-	  -DWITH_TESTS=[ON|OFF] Enable/Disable building of unit tests (default: ON)
-	  -DWITH_GUI_TESTS=[ON|OFF] Enable/Disable building of GUI tests (default: OFF)
-	  -DWITH_DEV_BUILD=[ON|OFF] Enable/Disable deprecated method warnings (default: OFF)
-	  -DWITH_ASAN=[ON|OFF] Enable/Disable address sanitizer checks (Linux / macOS only) (default: OFF)
-	  -DWITH_COVERAGE=[ON|OFF] Enable/Disable coverage tests (GCC only) (default: OFF)
-	  -DWITH_APP_BUNDLE=[ON|OFF] Enable Application Bundle for macOS (default: ON)
-
-	  -DKEEPASSXC_BUILD_TYPE=[Snapshot|PreRelease|Release] Set the build type to show/hide stability warnings (default: "Snapshot")
-	  -DKEEPASSXC_DIST_TYPE=[Snap|AppImage|Other] Specify the distribution method (default: "Other")
-	  -DOVERRIDE_VERSION=[X.X.X] Specify a version number when building. Used with snapshot builds (default: "")
-	  -DGIT_HEAD_OVERRIDE=[XXXXXXX] Specify the 7 digit git commit ref for this build. Used with distribution builds (default: "")
-	```
-
-* If you are on MacOS you must add this parameter to **Cmake**, with the Qt version you have installed<br/> `-DCMAKE_PREFIX_PATH=/usr/local/Cellar/qt5/5.6.2/lib/cmake/`
-
-:exclamation: When building with ASan support on macOS, you need to use `export ASAN_OPTIONS=detect_leaks=0` before running the tests (no LSan support in macOS).
+-DKEEPASSXC_BUILD_TYPE=[Snapshot|PreRelease|Release] Set the build type to show/hide stability warnings (default: "Snapshot")
+-DKEEPASSXC_DIST_TYPE=[Snap|AppImage|Other] Specify the distribution method (default: "Other")
+-DOVERRIDE_VERSION=[X.X.X] Specify a version number when building. Used with snapshot builds (default: "")
+-DGIT_HEAD_OVERRIDE=[XXXXXXX] Specify the 7 digit git commit ref for this build. Used with distribution builds (default: "")
+```
 
 Installation
 ============
 
 After you have successfully built KeePassXC, install the binary by executing the following:
 
-```bash
+```
 sudo make install
 ```
 
-You can specify the destination dir with
-```
-DESTDIR=X
-```
-
-
 Packaging
 =========
 
-You can create a package to redistribute KeePassXC (zip, deb, rpm, dmg, etc..). Refer to [keepassxc-packaging](https://github.com/keepassxreboot/keepassxc-packaging)
+You can create a package to redistribute KeePassXC (zip, deb, rpm, dmg, etc..). Refer to [keepassxc-packaging](https://github.com/keepassxreboot/keepassxc-packaging) for packaging scripts.
 
+To package using CMake, run the following command using whichever [generators](https://cmake.org/cmake/help/latest/manual/cpack-generators.7.html) you would like to package with.
+
+```
+cpack -G "ZIP;WIX"
+```
 
 Testing
 =======
@@ -151,7 +161,7 @@ You can perform tests on the built executables with:
 make test ARGS+="--output-on-failure"
 ```
 
-If you are not currently running on an X Server or Wayland, run the tests as follows:
+On Linux, if you are not currently running on an X Server or Wayland, run the tests as follows:
 ```
 make test ARGS+="-E test\(cli\|gui\) --output-on-failure"
 xvfb-run -e errors -a --server-args="-screen 0 1024x768x24" make test ARGS+="-R test\(cli\|gui\) --output-on-failure"

docs/topics/AutoType.adoc

@@ -12,21 +12,27 @@ WARNING: Auto-Type will be disabled when run with a Wayland compositor on Linux.
 === Configure Global Auto-Type
 You can define a global Auto-Type hotkey that starts the Auto-Type process. To configure the hotkey, perform the following steps:
 
-1. Navigate to _Tools_ -> _Settings_ -> Auto-Type tab *(1)*. Click into the _Global Auto-Type shortcut_ box and press the desired key combination that will trigger the Auto-Type process *(2)*.
-+
+Navigate to _Tools_ -> _Settings_ -> Auto-Type tab *(1)*. Click into the _Global Auto-Type shortcut_ box and press the desired key combination that will trigger the Auto-Type process *(2)*.
+
 .Auto-Type settings
 image::autotype_settings.png[]
-+
+
 You can configure additional Auto-Type settings in this window such as start delay, inter-key typing delay, and matching options. If Auto-Type is not working well for you, try adjusting the default delays.
 
+You can also set the time to remember the last used entry between presses of the global Auto-Type hotkey. This is useful for typing parts of a sequence during complex login workflows without having to find the specific each time.
+
 === Configure Auto-Type Sequences
 Each entry in your database can have multiple Auto-Type sequences associated with various window titles. Simulated key presses can be sent to any other currently open window of your choice (web browser windows, login dialogs boxes, and so on). When the Global Auto-Type hotkey is pressed, KeePassXC will search your database for entries matching the current selected window title.
 
 NOTE: The default Auto-Type sequence is `{USERNAME}{TAB}{PASSWORD}{ENTER}`. This means that it first types the username of the selected entry, then presses the `Tab` key, then types the password of the entry and finally presses the `Enter` key.
 
+TIP: To change the default Auto-Type sequence for all entries of your database, edit the root (top-most) group of your database and set a specific sequence. Child groups and entries will inherit this sequence by default.
+
 To configure Auto-Type sequences for your entries, perform the following steps:
 
-1.	Navigate to the entries list and open the desired entry for editing. Click the _Auto-Type_ item from the left-hand menu bar *(1)*. Press the `+` button *(2)* to add a new sequence entry. Select the desired window using the drop-down menu, or simply type a window title in the box *(3)*. You can use wildcard `*` to match any value (e.g., when a window title contains a filename or website name).
+1.	Navigate to the entries list and open the desired entry for editing. Click the _Auto-Type_ item from the left-hand menu bar *(1)*. Press the `+` button *(2)* to add a new sequence entry. Select the desired window using the drop-down menu, or simply type a window title in the box *(3)*.
++
+TIP: You can use an asterisk (`\*`) to match any value (e.g., when a window title contains a dynamic filename or website name). Set the window title to `*` to match all windows. Leave the window title blank to offer additional default Auto-Type sequences, such as custom attributes.
 +
 .Auto-Type entry sequences
 image::autotype_entry_sequences.png[]
@@ -43,7 +49,7 @@ image::autotype_entry_sequences.png[]
 |{URL}      |URL
 |{NOTES}    |Notes
 |{TOTP}     |Current TOTP value (if configured)
-|{S:<ATTRIBUTE_NAME>}   |Value for the given attribute name
+|{S:ATTRIBUTE_NAME}   |Value for the given attribute name (e.g., {S:Address})
 |===
 +
 [grid=rows, frame=none, width=90%]
@@ -55,7 +61,7 @@ image::autotype_entry_sequences.png[]
 
 |{UP}, {DOWN}, {LEFT}, {RIGHT}  |Press the corresponding arrow key
 |{LEFTBRACE}, {RIGHTBRACE}      |Press `{` or `}`, respectively
-|{<KEY> X}     |Repeat <KEY> X times (e.g., {SPACE 5} inserts five spaces)
+|{&lt;KEY&gt; X}     |Repeat &lt;KEY&gt; X times (e.g., {SPACE 5} inserts five spaces)
 |{DELAY=X}     |Set delay between key presses to X milliseconds
 |{DELAY X}     |Pause typing for X milliseconds
 |{CLEARFIELD}  |Clear the input field
@@ -81,7 +87,9 @@ Search the unlocked databases by activating Search Database radio button. Use th
 .Additional Auto-Type choices
 image::autotype_selection_dialog_type_menu.png[,70%]
 
-The option to type just the username, password, or current TOTP value is available by right clicking the desired row or expanding the Type Sequence button options.
+The option to type just the username, password, or current TOTP value is available by right-clicking the desired row or expanding the Type Sequence button options. You can also copy these values to the clipboard.
+
+TIP: On Windows, you will see an option to use a virtual keyboard in this sub-menu. This is an experimental feature that allows you to type into virtual machines by simulating actual keyboard presses. Some international keyboards may be unsupported due to limitations in the Windows API.
 
 === Performing Entry-Level Auto-Type
 You can quickly activate the default Auto-Type sequence for a particular entry using Entry-Level Auto-Type. For this operation, the KeePassXC window will be minimized and the Auto-Type sequence occurs in the previously selected window. You can perform Entry-Level Auto-Type from the toolbar icon *(A)*, entry context menu *(B)*, or by pressing `Ctrl+Shift+V`.

docs/topics/BrowserPlugin.adoc

@@ -23,6 +23,8 @@ You can download the KeePassXC-Browser extension from your web browser. To downl
 
 2. Click the button to install/add the extension to the browser. Accept any confirmation dialogs.
 
+TIP: For the most up-to-date troubleshooting advice on all platforms, please read our https://github.com/keepassxreboot/keepassxc-browser/wiki/Troubleshooting-guide[Troubleshooting Guide].
+
 // tag::advanced[]
 NOTE: When Microsoft Edge is installed as a managed application, system administrators are required to deploy a custom native messaging configuration. Instructions for this are found in the advanced section below.
 // end::advanced[]
@@ -89,6 +91,12 @@ image::browser_confirm_access_dialog.png[,80%]
 image::browser_fill_credentials.png[,80%]
 
 // tag::advanced[]
+=== Browser statistics
+You can see a cross-section of all browser-related settings applied to entries within a database through the Browser Statistics report. To access these, use the _Database_ -> _Database reports..._ menu option then click on _Browser Statistics_ on the left-hand menu. From here you can see all entries with URLs applied to them, explicitly allowed and denied URLs, and any entries with custom browser settings.
+
+.Browser statistics
+image::browser_statistics.png[]
+
 === Advanced Usage
 You can configure unique browser integration behavior for each entry. This allows you to add multiple URLs to an entry, hide an entry from the browser integration, and more. To access these settings, open an entry for editing then click on _Browser Integration_ option in the left-hand menu *(1)*.
 
@@ -97,6 +105,11 @@ After opening the settings you can add any number of additional URLs by clicking
 .Entry browser settings
 image::browser_entry_settings.png[]
 
+To set options for all entries within a group, edit the group and go to the browser integration section *(1)*. Here you can explicitly disable access to all entries under a group hierarchy to the browser extension. You can set other useful options for groups of entries as well.
+
+.Group browser settings
+image::browser_group_settings.png[]
+
 Database-wide operations are available in the database settings. To access these use the _Database_ -> _Database settings..._ menu option. Click on _Browser Integration_ on the left-hand menu. From here you can disconnect all browsers, convert legacy KeePass-HTTP settings, reset all entry-level settings, and refresh the database root group ID (useful when making copies of your database file).
 
 .Database browser settings

docs/topics/DatabaseOperations.adoc

@@ -58,6 +58,37 @@ image::unlock_database.png[]
 .Unlocked database
 image::database_view.png[]
 
+=== Quick Unlock
+On Windows and macOS, subject to hardware availability, your credentials can be securely stored to enable subsequent unlocking of your database through biometric authentication. This is enabled by default on Windows using _Windows Hello_ and on macOS using _Touch ID or Apple Watch_ services. You can disable this feature in the Application Settings under the Security section.
+
+NOTE: On Windows you will be prompted to authenticate to Windows Hello on the initial database unlock. This is required to access the hardware certificate store that encrypts your credentials.
+
+.Windows Hello example
+image::quick_unlock_windows_hello.png[]
+
+When your database is locked, you will see the following unlock dialog. Simply press _Enter_ or click on _Unlock Database_ to initiate the biometric authentication process. If you are using a hardware key (e.g. Yubikey), it must be connected to your computer to complete the unlock.
+
+.Quick Unlock
+image::quick_unlock.png[]
+
+// tag::advanced[]
+=== Expired Entries
+By default, KeePassXC will show entries that are expired or will be expiring within 3 days after unlocking the database. This feature allows you to change your passwords before they expire and be aware of passwords that are no longer valid. You can disable or change this feature in the Application Settings.
+
+=== Advanced Save Options
+There are three ways that KeePassXC can handle database files. This behavior is set in the Application Settings under _File Operations_.
+
+1. _(Default)_ *Safe saves* create a temporary database file alongside the existing one and atomically move it into place when all writing is complete. This prevents database corruption in the case of application crashes, loss of power, or other interruptions.
+
+2. *Temporary file saves* create a database in the temporary files folder. This database is then moved into place overtop of the existing file. Although rare, interruptions in this move process could leave your database in an unknown state. This option is useful for overcoming poorly behaved cloud sync tools.
+
+3. *Direct-write saves* write directly to the existing database file. This is an unsafe operation since any interruption can leave your entire database inaccessible. We only recommend using this option when interfacing with Linux GVFS services (e.g. Google Cloud on Gnome) and other types of storage services that host a virtual drive system.
+
+In addition to these save options, KeePassXC can create a backup of your existing database file just prior to saving. This backup can be placed in a custom folder with a custom file naming scheme.
+
+image::save_options.png[]
+// end::advanced[]
+
 === Adding an Entry
 All the details such as usernames, passwords, URLs, attachments, notes, and so on are stored in database entries. You can create as many entries as you want in the database.
 
@@ -69,10 +100,17 @@ To add an entry, perform the following step:
 image::edit_entry.png[]
 
 2. Enter a desired title for the entry, username, password, URL, and notes on this screen.
+   a. Your most frequently used usernames will automatically be available in the username drop-down menu. They will also auto-complete for you when typing.
 
-3. _(Optional)_ Select the Expires check-box to set the expiry date for the password. You can manually enter the date and time or click the Presets button to select a expiry date and time for your password.
+   b. You can generate a secure random password by clicking the dice icon in the password field to launch the password generator. Reveal the password by clicking the eye icon.
 
-4. Click *OK* to add the entry to your database.
+   c. After you add a URL to an entry you can press the download button to automatically download the website's icon for this entry.
+
+3. _(Optional)_ Add tags to the entry to quickly search for it using the tags panel on the main database view. You can easily add new tags or select existing ones from the drop-down list.
+
+4. _(Optional)_ Select the _Expires_ check-box to set the expiry date for the password. You can manually enter the date and time or click the _Presets_ button to select an expiry date and time for your password.
+
+5. Click *OK* to add the entry to your database.
 
 === Editing an Entry
 To edit the details in an entry, perform the following steps:
@@ -85,6 +123,28 @@ To edit the details in an entry, perform the following steps:
 
 4. Click *OK*.
 
+=== Adding TOTP to an Entry
+Timed One-Time Passwords (TOTP) are a popular choice for two-factor authentication methods. These codes are typically six digits long and change every 30 seconds. They are derived from a shared secret value and the current time. Once set up, KeePassXC can calculate TOTP codes like any authenticator app, such as Google Authenticator. The codes can be used with copy/paste, browser extension, and Auto-Type.
+
+TIP: Your computer time must be synchronized with an internet time source to generate valid TOTP codes, https://www.nist.gov/pml/time-and-frequency-division/time-distribution/internet-time-service-its[read more here].
+
+WARNING: Storing TOTP codes in the same database as the password will eliminate the advantages of two-factor authentication. If you desire maximum security, we recommend keeping TOTP codes in a separate database that you only unlock when needed.
+
+To add TOTP to a database entry, you must first retrieve the secret string from the website or application you are authenticating to. Often this secret is accompanied with a QR code and can be copy/pasted below. Example:
+
+.Example TOTP Secret
+image::totp_code_example.png[,40%]
+
+Once obtained, right-click the desired entry *(1)*, choose _TOTP_ -> _Set up TOTP..._ *(2)*, and the setup dialog will appear. In that dialog, paste the secret code from the website *(3)*, setup any custom settings (rare) *(4)*, then press OK to save the settings.
+
+.TOTP Setup Process
+image::totp_setup.png[]
+
+After an entry is configured with TOTP, you will see a clock icon in that entry's row and have the ability to reveal the current code in the preview pane. Additionally, you can navigate to the entry's _TOTP_ menu to show the code in a separate window. You can also view the secret and configuration as a QR code for exporting to a mobile device. TOTP codes can be entered into forms with the browser extension, with Auto-Type by using the `{TOTP}` placeholder, or via menu options in the Auto-Type selection dialog.
+
+.TOTP Usage
+image::totp_usage_examples.png[]
+
 === Deleting an Entry
 To delete an entry, perform the following steps:
 
@@ -143,9 +203,10 @@ The following fields can be searched along with their abbreviated name in parent
 * Password (p, pw)
 * URL
 * Notes (n)
-* Attribute (attr)
+* Attribute names and values (attr)
 * Attachment (attach)
 * Group (g)
+* Entry State (is:expired, is:weak)
 
 === Wild Card Characters and Logical Operators
 [grid=rows, frame=none, width=70%]
@@ -173,7 +234,10 @@ The following tables lists a few samples search queries for your reference:
 |Search the username field for exactly johnsmith, the URL must not contain www.google.com, and notes contains secret note [digit].
 
 |`+attr:mystring123`
-|Searches all Additional Attributes for any name OR value equal to mystring123.
+|Searches all additional attributes for any name OR value equal to mystring123.
+
+|`is:expired is:weak`
+|Searches for all expired entries with weak passwords.
 |===
 
 == Advanced Entry Options
@@ -202,7 +266,7 @@ image::edit_entry_colors.png[]
 === Icons
 You can select an icon to be displayed with each entry for easy identification. KeePassXC comes with a set of default icons that you can use or you can use your own custom icons. If you defined a URL with an entry, you can also download the favorite icon for that particular website.
 
-NOTE: To delete a custom icon, select the item to be deleted and click the _Delete custom icon_ button.
+NOTE: To delete a custom icon, go to xref:UserGuide.adoc#_database_maintenance[Database Maintenance] where you can purge unused icons and delete one or more icons at a time.
 
 .Entry icon selection
 image::edit_entry_icons.png[]
@@ -216,7 +280,7 @@ KeePassXC lets you view the basic properties such as date and time of creation,
 image::edit_entry_properties.png[]
 
 === History
-KeePassXC maintains a history of changes you make to your entries. Each time you change an entry, KeePassXC automatically creates a backup copy of the current, non-modified entry before saving the new values. You can view the changes you made previously, restore, and delete the history of changes you made.
+KeePassXC maintains a history of changes you make to your entries. Each time you change an entry, KeePassXC automatically creates a backup copy of the current, non-modified entry before saving the new values. You can view the changes you made previously, restore, and delete the history of changes you made. The age of the history item, the changes that were made, and the entry's size are shown in the table view.
 
  * Show: Display this history item for review, a read-only copy of the entry will be shown.
  * Restore: Reinstate the selected history item as the active entry details.
@@ -298,7 +362,12 @@ The following key derivation functions are supported:
 
  * AES-KDF (KDBX 4 and KDBX 3.1): This key derivation function is based on iterating AES. Users can change the number of iterations. The more iterations, the harder are dictionary and guessing attacks, but also database loading/saving takes more time (linearly). KDBX 3.1 only supports AES-KDF; any other key derivation function, like for instance Argon2, requires KDBX 4.
 
- * Argon2 (KDBX 4 - recommended): KDBX 4, the Argon2 key derivation function can be used for transforming the composite master key (as protection against dictionary attacks). The main advantage of Argon2 over AES-KDF is that it provides a better resistance against GPU/ASIC attacks (due to being a memory-hard function). The number of iterations scales linearly with the required time. By increasing the memory parameter, GPU/ASIC attacks become harder (and the required time increases). The parallelism parameter can be used to specify how many threads should be used.
+ * Argon2 (KDBX 4 - recommended): KDBX 4, the Argon2 key derivation function can be used for transforming the composite master key (as protection against dictionary attacks). The main advantage of Argon2 over AES-KDF is that it provides a better resistance against GPU/ASIC attacks (due to being a memory-hard function). The number of iterations scales linearly with the required time. By increasing the memory parameter, GPU/ASIC attacks become harder and the required time increases. The parallelism parameter can be used to specify how many threads should be used. We recommend using Argon2id to prevent against  timing-based attacks. Argon2d offers maximum compatibility with other KeePass-based apps, the default settings provide sufficient protection against any known attacks.
+
+== Database Maintenance
+KeePassXC offers some maintenance features that can be applied to clean up your database. Navigate to _Database_ -> _Database settings_ then click on _Maintenance_ on the left hand panel. The following screen appears. On this screen you can delete multiple icons at once and purge any unused icons in your database.
+
+image::database_maintenance.png[]
 
 === Creating a YubiKey backup
 It is advisable to have a backup replica YubiKey In case your main YubiKey gets damaged, lost, or stolen. The same HMAC key will need to be written to both keys. To do this you can either use the YubiKey Personalization Tool GUI or the ykpersonalize CLI tool. The steps for the CLI tool are shown:
@@ -315,19 +384,22 @@ dd status=none if=/dev/random bs=20 count=1 | xxd -p -c 40
 ykpersonalize -2 -a -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible -oallow-update
 ```
 
-You will be asked to enter the HMAC key you created earlier, copy/paste they key output in the first step. Repeat both steps for your second YubiKey. We recommend storing your HMAC key in a safe place (e.g., printed on paper) in case you need to recreate another key.
+You will be asked to enter the HMAC key you created earlier, copy/paste they key output in the first step. Repeat step 2 for your second YubiKey using the same HMAC key from before. We recommend storing your HMAC key in a safe place (e.g., printed on paper) in case you need to recreate another key.
+
+== Command Line Tool
+KeePassXC comes with the command line tool *keepassxc-cli* to access, view, and manipulate your database directly from a terminal window. The tool is documented through a separate man page, which can be shown using `man keepassxc-cli`, or through the on-demand help using `keepassxc-cli [command] -h`. An online version of the man page is https://github.com/keepassxreboot/keepassxc/blob/master/docs/man/keepassxc-cli.1.adoc[available on GitHub].
 // end::advanced[]
 
 == Storing a Database File
 The database file that you create might contain highly sensitive data and must be stored in a very secure way. You must make sure that the database is always protected with a strong and long password. The database file that is protected with a strong and long password is secure and encrypted while stored on your computer or cloud storage service.
 
-Make sure that the database file is stored in a folder that is secure. Make sure that you or someone else does not accidentally delete the database file. Deletion of the database file will result in the total loss of your information and a lot of inconvenience to manually retrieve your logins for  various web applications. You must not share your database file with anyone unless absolutely necessary.
+Make sure that you or someone else does not accidentally delete the database file. Deletion of the database file will result in the total loss of all your information (including all your passwords!) and a lot of inconvenience to manually retrieve your logins for various web applications. Do not share the credentials to access your database file with anyone unless you absolutely trust them (spouse, child, etc.).
+
+TIP: You can safely store your database file in the cloud (e.g., OneDrive, Dropbox, Google Drive, Nextcloud, Syncthing, etc). The database file is always fully encrypted; unencrypted data is never written to disk and is never accessible to your cloud storage provider. We recommend using a storage service that keeps automatic backups (version history) of your database file in the event of corruption or accidental deletion.
 
 ==  Backing up a Database File
 It is a good practice to create copies of your database file and store the copies of your database on a different computer, smart phone, or cloud storage space such a Google Drive or Microsoft OneDrive. Backups can be created automatically by selecting the _Backup database file before saving_ option in the application settings. Additionally, you can create a backup on-demand using the _Database_ -> _Save Database Backup..._ menu feature.
 
 .Saving a database backup
 image::save_database_backup.png[,40%]
-
-Creating backups for your database give you a peace of mind should you lose one copy of your database. You can quickly retrieve the copy of your database and start using it.
 // end::content[]

docs/topics/DownloadInstall.adoc

@@ -43,6 +43,14 @@ image::install_wizard_1.png[,80%]
 .Install wizard (cont)
 image::install_wizard_2.png[,80%]
 
+The following options can be set when running the MSI in an unattended installation:
+
+* *LAUNCHAPPONEXIT* - Launch KeePassXC after install (default ON)
+* *AUTOSTARTPROGRAM* - KeePassXC will auto-start on login (default ON)
+* *INSTALLDESKTOPSHORTCUT* - A desktop icon will be installed (default OFF)
+
+Example: `msiexec.exe /q /i KeePassXC-Y.Y.Y-WinZZ.msi AUTOSTARTPROGRAM=0`
+
 === Linux
 You can easily download the KeePassXC installer for Linux. When you search for KeePassXC, multiple options are displayed as shown in the following screen:
 

docs/topics/ImportExport.adoc

@@ -21,10 +21,10 @@ To open the CSV file, perform the following steps:
 
 3. Navigate to the location of the your CSV file on your computer and open the file. The new database wizard will appear. Follow the steps of creating a new database in Chapter 1.
 
-4. After saving your new database file, the CSV import wizard will appear:
+4. After saving your new database file, the CSV import wizard will appear. On this dialog you can choose the various options for properly importing the data. You may need to select the _First line has field names_ checkbox before starting. Analyze the output in the preview at the bottom to determine the correct import settings.
 +
 .CSV Import Wizard
-image::csv_import.png[,80%]
+image::csv_import.png[]
 
 Your CSV file gets imported to KeePassXC and the data is converted to the KeePassXC format for further usage and maintenance. The new database file is saved on to your computer with the default `.kdbx` extension.
 
@@ -55,9 +55,9 @@ To import a KeePass 1 database file in KeePassXC, perform the following steps:
 6. The data from the `.kdb` file gets imported and converted to the new format, which is compatible with KeePassXC. You can now start using the new database file (`.kdbx`) in KeePassXC.
 
 == Exporting Databases
-KeePassXC supports multiple ways to export your database for transfer to another program or to print out and archive. To export your database into the KDB XML format, you must use the KeePassXC Command Line Interface program: `keepassxc-cli export <database.kdbx>`.
+KeePassXC supports multiple ways to export your database for transfer to another program or to print out and archive. To export your database into the KDB XML format, you must use the KeePassXC CLI: `keepassxc-cli export <database.kdbx>`.
 
-WARNING: Exporting your database will result in all of your passwords and sensitive information being stored unencrypted. We do not recommend saving your exported database for long periods of time as that can cause compromise.
+WARNING: Exporting your database will result in all of your passwords and sensitive information being stored in an unencrypted format. We do not recommend saving your exported database for long periods of time as that can cause a compromise of sensitive information.
 
 .Database export menu
 image::export_database.png[,80%]

docs/topics/KeeShare.adoc

@@ -11,7 +11,7 @@ To use sharing, you need to enable it for the application.
 
 1. Go to _Tools_ -> _Settings_. Select the KeeShare category on the left sidebar *(1)*.
 2. Check _Allow import_ if you want to import shared credentials. Check _Allow export_ if you want to share credentials. *(2)*
-3. (Optional) Click _Generate_ *(3)* to create your own certificate or _Import_ to select an existing one. The certificate allows you to sign shared databases. This ensures the integrity of the share and prevent import of untrusted information.
+3. (Optional) Click _Generate_ *(3)* to create your own signing certificate. If you are using signed shares then your signing certificate will be used to generate the signature. *_This feature is deprecated and will be removed in a future version._*
 
 .KeeShare Application Settings
 image::keeshare_application_settings.png[]

docs/topics/PasswordGenerator.adoc

@@ -26,10 +26,9 @@ image::password_generator.png[]
 +
 .Advanced Password Generator Options
 image::password_generator_advanced.png[]
-8. When generating a password for an entry, click the Apply Password button (Ctrl + S or Ctrl + Enter) to close the window and apply your changes.
 
 === Generating Passphrases
-A passphrase is a sequence of words or other text used to control access to your applications and data. A passphrase is similar to a password in usage, but is generally longer for added security. To generate the random passphrase using Password Generator, perform the following steps:
+A passphrase is a sequence of words or other text used to control access to your applications and data. A passphrase is specifically designed to be simple to remember but hard to guess. For this reason, we do not recommend making passphrases too complex; if you require something that is more complex than you could easily remember, it is better to use a randomly generated password instead.
 
 1. From the password generator, click the Passphrase tab. The following screen appears:
 +
@@ -38,9 +37,10 @@ image::passphrase_generator.png[]
 
 2. Select the number of words you want to be included in your passphrase by dragging the
 Word Count slider.
-3. In the Word Separator field, enter a character, word, number, or space that you want to use a separator between the words in your passphrase.
+3. In the Word Separator field, enter a character, word, number, or space that you want to use as a separator between the words in your passphrase.
+4. _(Optional)_ You can choose a word case between lower, upper, and title case options.
+5. _(Optional)_ You can also load your own custom word lists. Click the plus sign button to the right of the wordlist selection dialog to choose a custom word list. You can download alternative lists from the https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases[EFF's Website] or from https://github.com/redacted/XKCD-password-generator#additional-languages[GitHub].
 4. Click the Regenerate button (Ctrl + R) to generate a new random passphrase.
 5. Click the Clipboard button (Ctrl + C) to copy the passphrase to the clipboard.
-6. When generating a password for an entry, click the Apply Password button (Ctrl + S or Ctrl + Enter) to close the window and apply your changes.
 // end::advanced[]
 // end::content[]

docs/topics/Reference.adoc

@@ -17,7 +17,7 @@ This section contains full details on advanced features available in KeePassXC.
 |{URL}           |URL
 |{NOTES}         |Notes
 |{TOTP}          |Current TOTP value (if configured)
-|{S:<ATTRIBUTE_NAME>}   |Value for the given attribute (case sensitive)
+|{S:&lt;ATTRIBUTE_NAME&gt;}   |Value for the given attribute (case sensitive)
 |{URL:RMVSCM}	        |URL without scheme (e.g., https)
 |{URL:WITHOUTSCHEME}	|URL without scheme
 |{URL:SCM}	     |URL Scheme
@@ -49,9 +49,9 @@ This section contains full details on advanced features available in KeePassXC.
 
 === Entry Cross-Reference
 A reference to another entry's field is possible using the short-hand syntax:
-`{REF:<FIELD>@<SEARCH_IN>:<SEARCH_TEXT>}`
+`{REF:&lt;FIELD&gt;@&lt;SEARCH_IN&gt;:&lt;SEARCH_TEXT&gt;}`
 
-`<FIELD>` and `<SEARCH_IN>` can be one of following:
+`&lt;FIELD&gt;` and `&lt;SEARCH_IN&gt;` can be one of following:
 
 * T - Title
 * U - Username
@@ -77,7 +77,7 @@ Examples: +
 |{UP}, {DOWN}, {LEFT}, {RIGHT}  |Press the corresponding arrow key
 |{F1}, {F2}, ..., {F16}         |Press F1, F2, etc.
 |{LEFTBRACE}, {RIGHTBRACE}      |Press `{` or `}`, respectively
-|{<KEY> X}  |Repeat <KEY> X times (e.g., {SPACE 5} inserts five spaces)
+|{&lt;KEY&gt; X}  |Repeat &lt;KEY&gt; X times (e.g., {SPACE 5} inserts five spaces)
 |{DELAY=X}     |Set delay between key presses to X milliseconds
 |{DELAY X}     |Pause typing for X milliseconds
 |{CLEARFIELD}  |Clear the input field
@@ -86,9 +86,9 @@ Examples: +
 
 *Text Conversions:*
 
-*{T-CONV:/<PLACEHOLDER>/<METHOD>/}* +
+`{T-CONV:/&lt;PLACEHOLDER&gt;/&lt;METHOD&gt;/}` +
 Convert resolved placeholder (e.g., {USERNAME}, {PASSWORD}, etc.) using the following methods: UPPER, LOWER, BASE64, HEX, URI, URI-DEC.
 
-*{T-REPLACE-RX:/<PLACEHOLDER>/<SEARCH>/<REPLACE>/}* +
+`{T-REPLACE-RX:/&lt;PLACEHOLDER&gt;/&lt;SEARCH&gt;/&lt;REPLACE&gt;/}` +
 Use regular expressions to find and replace data from a resolved placeholder. Refer to match groups using $1, $2, etc.
 // end::content[]

docs/topics/UserInterface.adoc

@@ -12,11 +12,13 @@ image::main_interface.png[]
 
 *(A) Groups* - Organize your entries into discrete groups to bring order to all of your sensitive information. Groups can be nested under each other to create a hierarchy. Settings from parent groups get applied to their children. You can hide this panel on the View menu.
 
-*(B) Entries* - Entries contain all the information for each website or application you are storing in KeePassXC. This view shows all the entries in the selected group. Each column can be resized, reordered, and shown or hidden based on your preference. Right click the header row to see all available options.
+*(B) Tags* - Dynamic groups of entries that can be quickly displayed with one click. Any number of custom tags can be added when editing an entry. This panel also includes useful pre-defined searches, such as finding expired and weak passwords.
 
-*\(C) Preview* - Shows a preview of the selected group or entry. You can temporarily hide this preview using the close button on the right hand side or completely disabled in the application settings.
+*\(C) Entries* - Entries contain all the information you want to store for a website or application you are storing in KeePassXC. This view shows all the entries in the selected group. Each column can be resized, reordered, and shown or hidden based on your preference. Right-click the header row to see all available options.
 
-TIP: Double clicking on the text in the entries list copies that field to the clipboard. Double clicking the entry title will open the entry for editing.
+*(D) Preview* - Shows a preview of the selected group or entry. You can temporarily hide this preview using the close button on the right hand side or completely disabled in the application settings.
+
+TIP: You can enable double-click copying of entry username and password in the Application Security Settings. This is turned off by default starting with version 2.7.0.
 
 === Toolbar
 The toolbar provides a quick way to perform common tasks with your database. Some entries in the toolbar are dynamically disabled based on the information contained in the selected entry. Every common action in KeePassXC can be controlled with a keyboard shortcut as well.
@@ -24,12 +26,11 @@ The toolbar provides a quick way to perform common tasks with your database. Som
 .Toolbar overview
 image::toolbar.png[]
 
-*(A) Database* - Open Database, Save Database +
-*(B) Entries* - Create Entry, Edit Selected Entry, Delete Selected Entry +
+*(A) Database* - Open Database, Save Database, Lock Database +
+*(B) Entries* - Create Entry, Edit Entry, Delete Selected Entries +
 *\(C) Entry Data* - Copy Username, Copy Password, Copy URL, Perform Auto-Type +
-*(D) Lock All Databases* +
-*(E) Tools* - Password Generator, Application Settings +
-*(F) Search*
+*(D) Tools* - Password Generator, Application Settings +
+*(E) Search*
 
 === Application Settings
 Users can configure KeePassXC to their personal tastes with a wide variety of general and security settings that apply to the whole application. These settings are accessible from _Tools_ -> _Settings_ or the cog wheel icon from the toolbar. Settings include: startup options, file management, entry management, user interface, language, security timeouts, and convenience.
@@ -46,13 +47,8 @@ For users with smaller screens or those who desire seeing more entries at once,
 .Compact mode comparison
 image::compact_mode_comparison.png[]
 
-==== Copy entry Columns on Double Click
-KeePassXC offers the possibility of copying certain entry columns, such as username and password, into your clipboard on double click, for a limited period of time.
-
-This feature can be enabled by checking the box "Enable double click to copy some entry columns" in the security settings:
-
-.Enable copying on double click
-image::enable_copy_dc.png[]
+=== Screenshot Security
+By default, KeePassXC prevents recordings and screenshots of the application window on Windows and macOS. This prevents inadvertent spillage of information during meetings and disallows other applications to capture the window contents. If you would like to enable screen capture, you must start the application with the `--allow-screencapture` command line flag.
 
 === Keyboard Shortcuts
 include::KeyboardShortcuts.adoc[tag=content, leveloffset=+1]
@@ -71,9 +67,11 @@ Options:
   -v, --version                Displays version information.
   --config <config>            path to a custom config file
   --localconfig <localconfig>  path to a custom local config file
+  --lock                       lock all open databases
   --keyfile <keyfile>          key file of the database
   --pw-stdin                   read password of the database from stdin
   --debug-info                 Displays debugging information.
+  --allow-screencapture        Allow screen recording and screenshots
 
 Arguments:
   filename(s)                  filenames of the password databases to open (*.kdbx)