
Phanfree/kdbx-cli


kdbx-cli — KeePass KDBX v2.x CLI Wrapper

Secure automation for KeePass databases — add, get, list, and delete secrets via command line with password caching.

Python 3.7+ MIT License

Features

  • add — Create entries with auto-mkdir for nested groups (creates path hierarchy automatically)
  • get — Retrieve entry password/metadata (JSON output)
  • get --decrypt-to-env — Export password as shell variable for automation (eval friendly)
  • list — Show groups and entries (with --verbose for full details)
  • delete — Remove entries
  • login/logout — Cache master password for 2.5h (avoids repeated prompts)
  • Secure — Password never printed to console, cached securely
  • Zero dependencies — Uses Python stdlib + system kpcli tool

Quick Start

Requirements

  • Python 3.7+
  • kpcli (KeePass CLI tool)
  • KDBX v2.x database file

Installation

# Install kpcli (Debian/Ubuntu)
sudo apt install kpcli

# Clone this repo
git clone https://github.com/Phanfree/kdbx-cli.git
cd kdbx-cli

# Make executable
chmod +x kdbx-cli.py

# Optional: Link to PATH
sudo ln -s "$(pwd)/kdbx-cli.py" /usr/local/bin/kdbx-cli

Usage

Caching Password (Recommended for Batch Operations)

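# Cache password (valid for 2.5 hours)
# Note: a value given with --password is saved in shell history and is visible in the process list while the command runs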
python3 kdbx-cli.py login --db mydb.kdbx --password "mypassword"

# Now subsequent commands don't need --password
python3 kdbx-cli.py list
python3 kdbx-cli.py get "services/github/token"

# Logout (clear cache immediately)
python3 kdbx-cli.py logout --db mydb.kdbx

One-Off Operations

# Single operation with password inline
python3 kdbx-cli.py get "services/github/token" --db mydb.kdbx --password "mypassword"

Common Commands

# List all groups and entries
python3 kdbx-cli.py list --db mydb.kdbx

# List with recursive entry details
python3 kdbx-cli.py list --verbose --db mydb.kdbx

# Get entry password (JSON)
python3 kdbx-cli.py get "services/github/token" --db mydb.kdbx --password "..."

# Get password as shell variable (for automation)
eval "$(python3 kdbx-cli.py get "services/github/token" --decrypt-to-env GITHUB_TOKEN --password "...")"

# Add new entry (creates groups if they don't exist)
python3 kdbx-cli.py add "services/github/token" "ghp_xxx" \
  --username "octocat" \
  --db mydb.kdbx --password "..."

# Delete entry
python3 kdbx-cli.py delete "services/github/token" --db mydb.kdbx --password "..."

Environment Variables

# Set default database path
export KDBX_DATABASE="/path/to/my.kdbx"

# Now --db is optional
python3 kdbx-cli.py list --password "..."

# Set password (NOTE: security risk, use caching instead!)
export KDBX_PASSWORD="mypassword"

# Both optional now
python3 kdbx-cli.py list

Output Formats

All commands return JSON (except --decrypt-to-env):

# list
{
  "groups": ["accounts", "services"],
  "entries": [
    {
      "path": "/services/github/token",
      "title": "token"
    }
  ]
}

# get (JSON)
{
  "title": "token",
  "username": "octocat",
  "password": "ghp_xxx",
  "url": "",
  "notes": ""
}

# get --decrypt-to-env VAR (Shell export)
export GITHUB_TOKEN='ghp_xxx'

# add/delete (Status)
{
  "status": "ok",
  "path": "/services/github/token"
}

# error
{
  "error": "Entry not found: services/missing/token"
}
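For scripts that would rather not `eval` tool output, the JSON shapes listed above can be consumed directly. The following is an added example, not code from the kdbx-cli repository: it parses `get` output, treats the `"error"` object as a failure, and hands the password to a child process through its environment only. The function names and the sample strings are constructed for illustration, and `fetch_entry` assumes a cached login and the `python3 kdbx-cli.py` invocation used in this README.

```python
import json
import os
import subprocess
import sys


class KdbxError(Exception):
    """kdbx-cli returned an error object or output that is not usable."""


def parse_get_output(stdout: str) -> dict:
    """Parse the JSON printed by `get`; raise on the {"error": ...} shape."""
    try:
        doc = json.loads(stdout)
    except json.JSONDecodeError as exc:
        raise KdbxError("kdbx-cli output is not JSON") from exc
    if not isinstance(doc, dict):
        raise KdbxError("unexpected JSON shape")
    if "error" in doc:
        raise KdbxError(str(doc["error"]))
    if not isinstance(doc.get("password"), str):
        raise KdbxError("entry has no password field")
    return doc


def fetch_entry(path: str, cli=("python3", "kdbx-cli.py")) -> dict:
    """Run `get` (assumes a cached login); stdout is captured, not echoed."""
    proc = subprocess.run([*cli, "get", path], capture_output=True, text=True)
    return parse_get_output(proc.stdout)


def run_with_secret(entry: dict, var: str, argv: list):
    """Start argv with the secret in the child's environment, not in argv."""
    env = dict(os.environ)
    env[var] = entry["password"]
    return subprocess.run(argv, env=env, capture_output=True, text=True)


# Constructed sample outputs in the shapes documented above. The password
# contains a quote and a "$" to show that no shell ever re-parses it.
SAMPLE_OK = '{"title": "token", "username": "octocat", "password": "it\'s $HOME", "url": "", "notes": ""}'
SAMPLE_ERR = '{"error": "Entry not found: services/missing/token"}'

if __name__ == "__main__":
    entry = parse_get_output(SAMPLE_OK)
    child = [sys.executable, "-c", "import os; print(len(os.environ['GITHUB_TOKEN']))"]
    print(run_with_secret(entry, "GITHUB_TOKEN", child).stdout.strip())
```

Because the decision is made on the JSON body, the wrapper does not depend on the tool's exit status, which this README does not document.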

Security Notes

Dos:

  • ✅ Use login to cache password for batch operations
  • ✅ Use --decrypt-to-env for automation pipelines
  • ✅ Let cache auto-expire (2.5h TTL)
  • ✅ Store database files with restricted permissions (chmod 600)

Don'ts:

  • ❌ Never hardcode password in scripts
  • ❌ Never echo passwords to console
  • ❌ Never set KDBX_PASSWORD env var (defeats caching purpose)
  • ❌ Never write secrets to temporary files

Workflow Examples

GitOps: Inject GitHub Token

# Cache password once
python3 kdbx-cli.py login --db secrets.kdbx --password "..."

# Use token for git operations
eval "$(python3 kdbx-cli.py get "services/github/token" --decrypt-to-env GITHUB_TOKEN)"
printf '%s\n' "$GITHUB_TOKEN" | gh auth login --with-token

# Cleanup
unset GITHUB_TOKEN

Docker: Pass API Keys as Environment

# Get Groq API key
eval "$(python3 kdbx-cli.py get "services/groq/api-key" --decrypt-to-env GROQ_API_KEY)"

# Run container with secret (-e NAME alone passes the exported value without putting it in docker's argv)
docker run -e GROQ_API_KEY myapp:latest

# Cleanup
unset GROQ_API_KEY

Adding New Secrets

# Create entry with username
python3 kdbx-cli.py add "services/newapi/token" "secret123" \
  --username "[email protected]" \
  --db secrets.kdbx --password "..."

# Verify it was added
python3 kdbx-cli.py get "services/newapi/token" --db secrets.kdbx --password "..."

Technical Details

PTY Session Handling: The script uses separate PTY sessions for stability:

  • Session 1: Create missing directory structure (groups)
  • Session 2: Create entry in clean environment

This avoids terminal state corruption during interactive prompts.

Cache Storage:

  • Location: ~/.cache/kdbx-cli/<db-hash>.cache
  • Format: Secure hash + timestamp
  • TTL: 2.5 hours from last access
  • Auto-cleanup: Expired caches are deleted on logout
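Since expired caches are only removed on logout, a periodic check of the cache directory is useful. The following is an added example, not part of kdbx-cli: it reports cache directories or files that are accessible to group/other and cache files older than the 2.5 hour TTL that are still on disk. It assumes the file's modification time approximates the last cache refresh (the real timestamp is stored inside the file, in a format this README does not describe); `audit_cache` is a hypothetical helper name.

```python
import stat
import time
from pathlib import Path

TTL_SECONDS = int(2.5 * 3600)  # TTL stated in this README


def audit_cache(cache_dir: Path, now: float = None) -> list:
    """Return (path, problem) tuples for a kdbx-cli cache directory."""
    now = time.time() if now is None else now
    findings = []
    if not cache_dir.is_dir():
        return findings  # nothing cached, nothing to report

    # The directory itself should be owner-only (chmod 700).
    if stat.S_IMODE(cache_dir.lstat().st_mode) & 0o077:
        findings.append((str(cache_dir), "directory accessible by group/other"))

    for item in sorted(cache_dir.glob("*.cache")):
        st = item.lstat()  # lstat: do not follow symlinks
        if stat.S_ISLNK(st.st_mode):
            findings.append((str(item), "symlink in cache directory"))
            continue
        if stat.S_IMODE(st.st_mode) & 0o077:
            findings.append((str(item), "file readable by group/other"))
        # Assumption: mtime stands in for the cache's last refresh time.
        if now - st.st_mtime > TTL_SECONDS:
            findings.append((str(item), "older than TTL, still on disk"))
    return findings


if __name__ == "__main__":
    for path, problem in audit_cache(Path.home() / ".cache" / "kdbx-cli"):
        print(f"{path}: {problem}")
```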

Error Handling: All errors return JSON with "error" key, making it easy to parse in scripts.

Troubleshooting

"Cannot unlock database"

  • Wrong master password
  • Corrupted KDBX file
  • Verify: file secrets.kdbx should show "KeePass password database"

"Entry not found"

  • Path is case-sensitive
  • Use list to verify exact path
  • Example: services/GitHub/token ≠ services/github/token

"kpcli not found"

  • Install: sudo apt install kpcli
  • Or set: KPCLI_PATH=/path/to/kpcli

"Permission denied" on cache

  • Check: ls -la ~/.cache/kdbx-cli/
  • Fix: chmod 700 ~/.cache/kdbx-cli/

License

MIT
