keepassxc-cli passwords as parameters

[dawidol]

Summary

Hi :)

We are working on a web applicaction and we want to storage sensitive information in a kdbx file, we are trying to use keepassxc-cli to achieve this, but it looks like there is no way to send password as parameters without the terminal prompt

Examples

Create a new Database
keepassxc-cli create -p "SomePassword" /path/to/file
keepassxc-cli add -p "SomePasswordForAnEntry" /path/to/File entry

Context

Any lights on how to achieve this will be very helpful.

Thanks

[droidmonkey]

You need to pipe the password into stdin.

[dawidol]

Hi, thanks @droidmonkey
Indeed that did the job for creating de database:

echo InsecurePassword |keepassxc-cli create file.kdbx

but if I want to add a new entry I need to send first the database password and after that the password for the new entry. Any idea on how to send 2 consecutive strings to stdin.

Thanks again

[droidmonkey]

Use printf and add a newline in between. https://linuxize.com/post/bash-printf-command/

I'm not sure why we don't have a password parameter. It is generally bad practice to supply one on the command line call, however piping one in is no better technically. Any thoughts @louib ?

For entry creation we definitely encourage using the generator options to make a new random password. You can retrieve it later using show command.

[dawidol]

Thaks @droidmonkey

Yes we are generating passwords on several parts, there is only one place when we want the user have the hability to write a password or choose to generate.

Also printf with a new line, creates the new entry but leave the password as an empty value, this is the command i put:
printf "InsecureDBPassword\nNewPassword" |keepassxc-cli add file.kdbx newEntry
Thanks again

[droidmonkey]

You'll need to enter the password twice (pw\npw\n) since there is a confirmation step.

[louib]

I'm not sure why we don't have a password parameter. It is generally bad practice to supply one on the command line call, however piping one in is no better technically. Any thoughts @louib ?

I think the main reason why we don't have a parameter for that is because we underestimated how much people would rely on the CLI as a secure database backend. If both piping and parameters end up in the shell history, I guess we could add both for convenience. We might want to better highlight that those invocations might be logged though.

[dawidol]

Thanks @droidmonkey looks like is not working for me, here is a screenshot.

thanks again

[droidmonkey]

You need to add "-p" to the add command to prompt for password. Recommend reading the help for the commands.

[dawidol]

I did try with "-p" option and didnt work, here is the output

[strk]

The stdin way works for me, with 2.6.1
I'm missing the database parameter, but that's another story :)

[phoerious]

It is generally bad practice to supply one on the command line call, however piping one in is no better technically. Any thoughts @louib ?

I know that comment is older, but just to clarify: Providing passwords on the command line is bad practice because it will be stored in your shell history and appear for all users in the list of processes (unless you have user-level process namespacing turned on, but even then it's bad and root can always see your password). Piping is always the better option therefore, since pipe contents never appear in the process cmdline. Shell history recording can be easily avoided as well by simply piping from a file or some other source instead of typing it literally into the shell. On the cmdline, your only option is to prefix your command with a space and that's very shell-specific.