What our customers say about Team Password Manager

Files in passwords and projects

Current Team Password Manager version: 12.160.277

Beginning in version 2.9.18, Team Password Manager allows users to upload files in passwords and projects.

Since v. 12.160.277, files can also be uploaded into personal passwords.

These are some of the features of file uploads:

  • You can upload any number of files to a password or a project.
  • Only users with permission to edit a password or project can upload files to it.
  • Only users with access to a password or project can download files from it.
  • Files are saved encrypted (their name and content).
  • You can configure the uploads folder to be located wherever you want in the server folder structure.
  • The maximum file size can be adjusted using PHP settings.
  • If your browser has Javascript enabled and supports HTML5 FormData, a progress bar will show the uploading progress.

These are the sections on this page:

  1. How to upload files to passwords and projects
  2. How to download files from passwords and projects
  3. Admin stuff: how to change the maximum file size
  4. Admin stuff: the uploads folder
  5. Admin stuff: allowed extensions

How to upload files to passwords and projects

Uploading files to passwords and projects is very easy:

  1. Go to the password or project you want to upload a file to
  2. Press "Upload file". You'll be taken to the upload file screen. If you don't see this button it means you can't edit the password or project, so you can't upload files to it.
  3. Select the file you want to upload. You can see the maximum file size below the file select button.
  4. Enter some notes if you want. You can always change these notes later if you want.
  5. Press upload. When the upload process finishes you'll be taken to the "Files" tab in the password or project.

* Note: you'll only see the progress bar if your browser has Javascript enabled and supports HTML5 FormData.

The following screenshot shows a file upload in progress:

Uploading a file

How to download files from passwords and projects

Downloading is even easier than uploading. Just go to the password or project you want to download a file from, select the "Files" tab (if you don't see this tab, it means that the password/project doesn't have files) and click the "Download" button for the file you want to download.

The following screenshot shows the "Files" tab of a password with one file:

Files tab of a password

Admin stuff: how to change the maximum file size

Team Password Manager uses PHP file uploads to upload files, so you need to configure the maximum file size allowed by setting some PHP directives in php.ini. These are:

  • upload_max_filesize: the maximum size of an uploaded file.
  • post_max_size: when uploading files, you're posting a form, this is the max size of post data allowed. In Team Password Manager it includes the size of notes field. It should be larger than upload_max_filesize, specially for large files.
  • memory_limit: the maximum amount of memory in bytes that a script is allowed to allocate. It should be larger than post_max_size.

Example: to set the upload maximum file size to 32 Mb, you can set the previous directives to:

upload_max_filesize = 32M
post_max_size = 33M
memory_limit = 128M

When uploading a file, Team Password Manager checks these values and shows the lowest of the three in the "Maximum file size" label below the "Select file" button.

Chek also the following PHP doc: http://www.php.net/manual/en/ini.core.php#ini.post-max-size.

Admin stuff: the uploads folder

Files uploaded to Team Password Manager are stored in the uploads folder. This section explains some things you should know about this folder.

Folder location and permissions

By default, the uploads folder is located at the same level as index.php. You can change this location with the UPLOADS_FOLDER setting in config.php. You can do this in two ways:

  • With an absolute path. Example: /var/www/domain/uploads/, or
  • With a relative path (relative to index.php). Example: ../uploads/


define('UPLOADS_FOLDER' , '../uploads/');

For security, we recommend that you locate the uploads folder out of the public folder of you installation. For instance, you can locate it right above it by setting it to '../uploads/'.

Team Password Manager creates and deletes files and folders in the uploads folder, so you should give it read and write permissions for the web server. Team Password Manager will check these permissions before uploading any file, and will prevent file uploads if the permissions are not appropriate.


The uploads folder bundled in the installation files includes an .htaccess file to enforce the Apache web server to force the files to be downloaded (without running them) and to prevent directory listing:

# Enforces Apache to serve all files with an attachment header to force a download dialog,
# preventing Apache to run any of the uploaded files through an interpreter like PHP,
# even if the file extension is ".php".
ForceType application/octet-stream
Header set Content-Disposition attachment
Header set X-Content-Type-Options nosniff

# Prevents directory listing
Options -Indexes

How files are stored

If you upload some files and then take a look at the uploads folder, you'll see a bunch of folders and files with meaningless letters and numbers. Also, if you try to open any of the uploaded files, you'll only see garbage. Don't panic!

Team Password Manager stores the uploaded files encrypted. It encrypts the filename and the content using the same method it uses to encrypt the fields of a password. So, you'll only be able to get (download) the unencrypted files through Team Password Manager itself, making it a secure vault for your organization's files.

Admin stuff: allowed extensions

By default you can upload any file to Team Password Manager. Since version 12.143.260, you can limit the files to upload by extension. To do it, use the UPLOADS_EXTENSIONS setting in config.php, where you can list the extensions you want to limit the uploaded files to. For example:

define('UPLOADS_EXTENSIONS', 'jpg, zip');

This will only allow files with extensions jpg and zip to be uploaded. This setting also affects the API since v. 12.146.268.

More information: UPLOADS_EXTENSIONS.

Document changelog

Feb 15, 2024: Since v. 12.160.277, files can also be uploaded into personal passwords.
Jul 12, 2023: UPLOADS_EXTENSIONS also affects the API since v. 12.146.268
May 30, 2023: Admin stuff: allowed extensions
Questions or Problems? Please contact our support department