Keepass

CLI

Create Database:

    >>> keepassxc-cli db-create ~/test.kdbx -p
    Enter password to encrypt database (optional):
    Repeat password:
    Successfully created new database.

Add to the database:

    #Add a new folder to the database
    >>> keepassxc-cli mkdir ~/test.kdbx production
    Enter password to unlock /home/generalzero/test.kdbx:
    Successfully added group production.

    #Add a new entry into the database
    >>> keepassxc-cli add --generate ~/test.kdbx "production/test"
    Enter password to unlock /home/generalzero/test.kdbx:
    Successfully added entry test.

Show Entry:

    >>> keepassxc-cli show ~/test.kdbx "production/test" -s
    Enter password to unlock /home/generalzero/test.kdbx:
    Title: test
    UserName:
    Password: Password123!
    URL:
    Notes:
    Uuid: {77118fc5-0353-4bd5-8319-0f8b0ea9f337}
    Tags:

Open Database:

    test.kdbx> edit docker/dev/vikunja/database_root -p
    Enter new password for entry:
    Successfully edited entry database_root.
    test.kdbx> edit docker/dev/vikunja/database_root -u root
    Successfully edited entry database_root.
    test.kdbx> show docker/dev/vikunja/database_root
    Title: database_root
    UserName: root
    Password: password
    URL:
    Notes:
    Uuid: {f42ba709-9938-4ff5-af00-299d7ed3bd28}
    Tags:
    test.kdbx>

Script to set env from database

Script to use:

    #!/bin/bash

    # Default KeePass database path
    KEEPASS_DB="$HOME/Keepass/Password.kdbx"
    KEEPASS_CLI="keepassxc-cli"

    # Function to fetch secrets from KeePass.
    # The database password is fed on stdin rather than as a command-line argument.
    fetch_secret() {
        local entry="$1"
        local attribute="${2:-password}"  # default to 'password' if not specified
        local secret

        secret=$($KEEPASS_CLI show "$KEEPASS_DB" "$entry" -a "$attribute" <<< "${KEEPASS_PASS}" 2>/dev/null)

        if [[ -z "$secret" ]]; then
            echo "Error: Could not find '$attribute' for entry '$entry'" >&2
            return 1
        fi

        echo "$secret"
    }

    # Load secrets into environment variables:
    # every variable whose value is kp://entry[@field] is replaced by the fetched secret.
    load_env_secrets() {
        local key value secret_entry secret_field secret_value
        while IFS='=' read -r key value; do
            if [[ "$value" =~ ^kp://([^@]+)(@([a-zA-Z0-9_-]+))?$ ]]; then
                secret_entry="${BASH_REMATCH[1]}"
                secret_field="${BASH_REMATCH[3]:-password}"  # default to password if not specified
                # Stop instead of exporting an empty value when the lookup fails
                secret_value=$(fetch_secret "$secret_entry" "$secret_field") || return 1
                export "$key"="$secret_value"
            else
                export "$key"="$value"
            fi
        done < <(env | grep -E '^[A-Z0-9_]+=kp://')
    }

    # Handle 'kp read <entry[@field]>' behavior
    if [[ "$1" == "read" && -n "$2" ]]; then
        ENTRY="${2%@*}"
        FIELD="${2#*@}"
        if [[ "$ENTRY" == "$FIELD" ]]; then
            FIELD="password"
        fi

        # -r keeps backslashes in the master password intact
        read -r -s -p "Enter KeePass database password: " KEEPASS_PASS
        echo ""
        fetch_secret "$ENTRY" "$FIELD"
        exit $?
    fi

    # Handle 'kp inject --template=... --output=...'
    if [[ "$1" == "inject" ]]; then
        shift
        TEMPLATE_FILE=""
        OUTPUT_FILE=""

        while [[ $# -gt 0 ]]; do
            case "$1" in
                --template=*) TEMPLATE_FILE="${1#--template=}" ;;
                --output=*) OUTPUT_FILE="${1#--output=}" ;;
            esac
            shift
        done

        if [[ ! -f "$TEMPLATE_FILE" ]]; then
            echo "Error: Template file '$TEMPLATE_FILE' not found!" >&2
            exit 1
        fi
        if [[ -z "$OUTPUT_FILE" ]]; then
            echo "Error: No --output file given!" >&2
            exit 1
        fi

        read -r -s -p "Enter KeePass database password: " KEEPASS_PASS
        echo ""

        # Replace {{kp://Entry@field}} or {{kp://Entry}} with fetched secrets
        OUTPUT=$(<"$TEMPLATE_FILE")
        while [[ "$OUTPUT" =~ \{\{kp://([^@}]+)(@([a-zA-Z0-9_-]+))?\}\} ]]; do
            PLACEHOLDER="${BASH_REMATCH[0]}"
            ENTRY="${BASH_REMATCH[1]}"
            FIELD="${BASH_REMATCH[3]:-password}"
            # Abort rather than write a config with an empty secret
            VALUE=$(fetch_secret "$ENTRY" "$FIELD") || exit 1
            # Quote pattern and replacement (bash 4.3+): no glob matching on the
            # placeholder, and no '&' expansion in the secret on bash 5.2+
            OUTPUT="${OUTPUT//"$PLACEHOLDER"/"$VALUE"}"
        done

        # The rendered file contains secrets: create it readable by the owner only
        umask 077
        printf '%s\n' "$OUTPUT" > "$OUTPUT_FILE"
        echo "Secrets injected into '$OUTPUT_FILE'"
        exit 0
    fi

    # Prompt for KeePass password securely
    read -r -s -p "Enter KeePass database password: " KEEPASS_PASS
    echo ""

    # Parse arguments for --env-file=<file> and --db=<file>
    ENV_FILE=""
    NEW_ARGS=()
    PARSE_ARGS=true

    for arg in "$@"; do
        if $PARSE_ARGS; then
            case "$arg" in
                --env-file=*)
                    ENV_FILE="${arg#--env-file=}"
                    ;;
                --db=*)
                    KEEPASS_DB="${arg#--db=}"
                    if [[ ! -f "$KEEPASS_DB" ]]; then
                        echo "Error: KeePass database '$KEEPASS_DB' not found!" >&2
                        exit 1
                    fi
                    ;;
                --)
                    PARSE_ARGS=false
                    ;;
                *)
                    NEW_ARGS+=("$arg")
                    ;;
            esac
        else
            NEW_ARGS+=("$arg")
        fi
    done

    # Use default .env if no --env-file was passed
    if [[ -z "$ENV_FILE" && -f .env ]]; then
        ENV_FILE=".env"
    fi

    # Load env file if found
    # (xargs strips the quotes; values containing whitespace are not supported)
    if [[ -n "$ENV_FILE" ]]; then
        if [[ -f "$ENV_FILE" ]]; then
            export $(grep -v '^#' "$ENV_FILE" | xargs)
        else
            echo "Error: .env file '$ENV_FILE' not found!" >&2
            exit 1
        fi
    fi

    # Replace env variables with KeePass secrets
    load_env_secrets || exit 1

    # Ensure there is a command to execute
    if [[ ${#NEW_ARGS[@]} -eq 0 ]]; then
        echo "Error: No command provided to execute." >&2
        exit 1
    fi

    # Run the specified command with injected environment
    exec "${NEW_ARGS[@]}"

Run example:

    >>> cat .env
    KEEPASS_TEST_OUTPUT="kp://production/test"

    >>> ~/kp-run.sh --db=/home/generalzero/test.kdbx --env-file=".env" -- env | grep KEE
    Enter KeePass database password:
    KEEPASS_TEST_OUTPUT=Password123!

    >>> ~/.bin/kp-run.sh --db=/home/generalzero/test.kdbx -- sudo -E docker-compose up

Template Examples:

    >>> cat test_config.ini
    [[users]]
    {{kp://docker/dev/database_root@username}}={{kp://docker/dev/database_root@password}}

    >>> kp-run.sh inject --template=test_config.ini --output=config.ini
    Enter KeePass database password:
    Secrets injected into 'config.ini'

    >>> cat config.ini
    [[users]]
    root=password123!
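
An alternative way to render `{{kp://entry[@field]}}` templates, as an added example that is not part of the original script: it scans the template once, so characters such as `&`, `/` or `*` in a secret are copied verbatim and inserted values are never re-expanded, and it fails closed on an unresolved reference. `lookup_secret`, `render_template` and `inject_file` are hypothetical names, and `lookup_secret` is a constructed stub standing in for a `keepassxc-cli show` call.

```sh
#!/bin/sh
# Added example: single-pass renderer for {{kp://entry[@field]}} placeholders.

# Constructed stub standing in for `keepassxc-cli show -a <field>` (hypothetical
# helper); the sample password contains characters that upset naive substitution.
lookup_secret() {
    case "$1@${2:-password}" in
        docker/dev/database_root@username) printf '%s' 'root' ;;
        docker/dev/database_root@password) printf '%s' 'p&ss/w*rd{{kp://x}}' ;;
        *) return 1 ;;
    esac
}

render_template() {
    local rest="$1" out="" open='{{kp://' close='}}' ref entry field value
    while :; do
        case "$rest" in
            *"$open"*"$close"*) ;;          # a complete placeholder remains
            *) break ;;
        esac
        out=$out${rest%%"$open"*}           # literal text before the placeholder
        rest=${rest#*"$open"}
        ref=${rest%%"$close"*}              # entry[@field]
        rest=${rest#*"$close"}
        entry=${ref%%@*}
        field=""
        case "$ref" in *@*) field=${ref#*@} ;; esac
        # Field names are limited to the page's [a-zA-Z0-9_-] set.
        case "$field" in
            *[!a-zA-Z0-9_-]*) echo "bad reference: kp://$ref" >&2; return 1 ;;
        esac
        value=$(lookup_secret "$entry" "$field") || {
            echo "unresolved reference: kp://$ref" >&2
            return 1                        # fail closed, never emit an empty secret
        }
        out=$out$value                      # appended text is never rescanned
    done
    printf '%s' "$out$rest"
}

# Render a template file into an output file only the owner can read.
inject_file() {
    local rendered
    [ -f "$1" ] || { echo "template not found: $1" >&2; return 1; }
    rendered=$(render_template "$(cat "$1")") || return 1   # no output on failure
    ( umask 077; printf '%s\n' "$rendered" > "$2" )
}
```

To use it against a real database, replace the body of `lookup_secret` with the page's `fetch_secret` call.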