kpsh(1) General Commands Manual kpsh(1)
kpsh - command line password manager
kpsh [OPTIONS] [DATABASE]
kpsh [--command <COMMAND>...] [OPTIONS] [DATABASE]
command | kpsh [OPTIONS] [DATABASE]
kpsh --daemon [OPTIONS] [DATABASE]
kpsh, or KeePass Shell, is a command line password manager working directly with KeePass databases.
kpsh provides an interactive shell-like REPL environment in which users may use various commands (see the "COMMANDS" section) to access and modify KeePass databases. kpsh reads user input, evaluates it, then prints responses. The shell can be closed by running the exit command or by pressing ctrl+d, which sends End of File (EOF) in most shells.
Alternatively, kpsh may be started with one or more --command options. In this mode kpsh executes each command and then exits. This mode is non-interactive: kpsh won't prompt the user for any input, such as a password to unlock a database. The password must be provided in another way (see the "OPTIONS" section).
kpsh may accept commands directly on its standard input, for example by piping them to it. Many commands may be passed to kpsh by putting each one on a separate line. This mode is non-interactive as well.
kpsh also implements a "daemon mode", enabled with the --daemon flag. In this mode kpsh waits for commands from external clients and communicates directly with them (see kpsh-client(1) and kpsh-menu(1)).
The only argument which kpsh accepts is DATABASE: a KeePass database on which commands should be performed. It can be changed at any time by running the open command.
-h, --help
--password PASSWORD
--password-command PASSWORD_COMMAND
Commands are executed through a subshell started with "sh -c". This means that PASSWORD_COMMAND accepts any command format which the shell would accept (for example command piping).
See also the "AUTOMATIC DATABASE UNLOCKING" section.
--keyfile KEYFILE
--pinentry PROG
-c, --command COMMAND
--prompt
-d, --daemon
-s, --socket-path
add [options...] <path>
If the password is neither provided with the --password option nor generated with --generate-password, kpsh will interactively ask the user to type it. Empty passwords are allowed.
Options:
-u, --username USERNAME
-p, --password PASSWORD
-u, --url URL
-n, --note NOTE
-s, --autotype-sequence SEQUENCE
-t, --property PROPERTY=VALUE
Password Generation:
-g, --generate-password
-G, --generate-password-no-confirm
--letters
--digits
--logograms
--punctuation
--characters CHARACTERS
-l, --length N
autotype [options...] <path>
For auto-typing, autotype uses programs installed on the system. The program used depends on the detected environment: xdotool for X11 and either wtype or ydotool for Wayland (NOTE: only ydotool >= 1.0 is supported).
See also https://keepass.info/help/base/autotype.html
Options:
-s, --sequence SEQUENCE
-d, --default DEFAULT_SEQUENCE
-D, --delay DELAY
-f, --force
-b, --backend BACKEND
Accepted values for BACKEND are: xdotool, ydotool, wtype.
-B, --backend-command BACKEND_COMMAND
clipboard [options...] <path> <field>
This command relies on external programs which should be installed on a system:
Options:
-c, --clear-after SECS
--no-clear
db
delete [options...] <paths...>
Options:
-r, --recursive
echo <message>
edit [options...] <path>
This command implements the same options as the add command. On top of them, it adds a few options of its own.
To set a password securely, without leaving a trace on your screen, use the --askpass option.
Options (which are not present in the add command):
--askpass
-N, --delete-notes NOTES
exit
help <command>
lock
ls [glob]
move <source> <destination>
open <file>
show <path> [fields...]
Supported fields are: path, username, password, url, autotype_sequence, notes. Additionally, if a field is prefixed with p:, then a custom property will be searched (for example "p:foo" shows the value of the "foo" custom property).
Options:
-n, --no-field-name
sleep <seconds>
unlock
Options:
--keyfile KEYFILE
kpsh will try to unlock the database on its first use when it is started with the --password or --password-command option.
Passwords passed by the --password option are insecure. They may be seen on a process list and in the shell's command history. If you can, you should avoid this option and pass a command to --password-command which securely accesses the database password.
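The check below is an added example, not part of kpsh or its manual: it reads `ps` output or shell history on standard input and reports kpsh invocations that carry a literal --password value, redacting the value in the report. The function names audit_kpsh_args and sample_ps and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of kpsh): report kpsh invocations that carry a
# literal --password value, reading `ps` output or shell history on stdin.
# Function names and the sample lines below are constructed for illustration.

# Prints "<input line number>: <command up to the option> --password <redacted>"
# for each offending line. --password-command is never reported because only
# the exact token "--password" or the "--password=VALUE" form is matched.
# Everything after the option is dropped so the secret is not copied into
# the audit output.
audit_kpsh_args() {
    awk '
    {
        seen = 0; out = ""
        for (i = 1; i <= NF; i++) {
            # kpsh may appear bare or with a path, e.g. /usr/bin/kpsh
            if ($i == "kpsh" || $i ~ /\/kpsh$/) seen = 1
            if (seen && ($i == "--password" || $i ~ /^--password=/)) {
                printf "%d:%s --password <redacted>\n", NR, out
                next
            }
            out = out " " $i
        }
    }'
}

# Constructed sample resembling `ps -eo pid,args` output.
sample_ps() {
    cat <<'EOF'
 4242 kpsh --password hunter2 passwords.kdbx
 4243 kpsh --password-command gpg --quiet --decrypt pass.gpg passwords.kdbx
 4244 /usr/bin/kpsh --keyfile db.key --password=hunter2 passwords.kdbx
 4245 kpsh --keyfile db.key passwords.kdbx
 4246 othertool --password x
EOF
}

# Live use would be: ps -eo pid,args | audit_kpsh_args
sample_ps | audit_kpsh_args
```

The same function can be pointed at a shell history file, which is the second place the manual says such passwords end up.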
One way to securely store and retrieve a master password is to encrypt it with gpg and configure gpg-agent either to automatically unlock the private key used for encryption during user login, or to prompt for a password. The latter usually results in showing a graphical pinentry window.
$ echo -n 'some password' | gpg --encrypt --recipient <KEY ID> --output pass.gpg
$ kpsh --password-command 'gpg --quiet --decrypt pass.gpg'
You may use a system keyring (for example gnome-keyring-daemon) to store and retrieve a master password. Most systems automatically configure keyrings to unlock during user login, so this should effectively allow "passwordless" database access.
$ secret-tool store --label="KeePass passwords.kdbx" keepass passwords.kdbx
Password: (prompt)
$ kpsh --password-command 'secret-tool lookup keepass passwords.kdbx'
You may use databases which require only the presence of a Key File. kpsh accepts it via the --keyfile option.
kpsh-client(1), kpsh-menu(1)
Michał Góral <dev@goral.net.pl>
Source code: https://git.goral.net.pl/keepass-shell.git
2024-12-21