// Copyright (C) 2017 Manolis Agkopian <m.agkopian@gmail.com>
// Copyright (C) 2020 KeePassXC Team <team@keepassxc.org>

// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 2 or (at your option)
// version 3 of the License.

// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.

// You should have received a copy of the GNU General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.

KeePassXC Team <team@keepassxc.org>

:mansource: KeePassXC {revnumber}
:manmanual: General Commands Manual

keepassxc-cli - command line interface for the KeePassXC password manager

*keepassxc-cli* _command_ [_options_]

*keepassxc-cli* is the command line interface for the *KeePassXC* password manager.
It provides the ability to query and modify the entries of a KeePass database, directly from the command line.

*add* [_options_] <__database__> <__entry__>::
Adds a new entry to a database.
A password can be generated (*-g* option), or a prompt can be displayed to input the password (*-p* option).
The same password generation options as documented for the generate command can be used when the *-g* option is set.
*analyze* [_options_] <__database__>::
Analyzes passwords in a database for weaknesses using offline HIBP SHA-1 hash lookup.

*attachment-export* [_options_] <__database__> <__entry__> <__attachment_name__> <__export_file__>::
Exports the content of an attachment to a specified file.
Use the *--stdout* option to output the contents of the attachment to stdout instead.

*attachment-import* [_options_] <__database__> <__entry__> <__attachment_name__> <__import_file__>::
Imports the attachment into an entry.
An existing attachment with the same name may be overwritten if the *-f* option is specified.

*attachment-rm* <__database__> <__entry__> <__attachment_name__>::
Removes the named attachment from an entry.

*clip* [_options_] <__database__> <__entry__> [_timeout_]::
Copies an attribute or the current TOTP (if the *-t* option is specified) of a database entry to the clipboard.
If no attribute name is specified using the *-a* option, the password is copied.
If multiple entries with the same name exist in different groups, only the attribute for the first one is copied.
For copying the attribute of an entry in a specific group, the group path to the entry should be specified as well, instead of just the name.
Optionally, a timeout in seconds can be specified to automatically clear the clipboard. The default timeout is 10 seconds; set it to 0 to disable.

In interactive mode, closes the currently opened database (see *open*).

*db-create* [_options_] <__database__>::
Creates a new database with a password and/or a key file.
The key file will be created if the file that is referred to does not exist.
If both the key file and password are empty, no database will be created.

*db-edit* [_options_] <__database__>::
When setting a key file, the key file will be created if the file that is referred to

*db-info* [_options_] <__database__>::
Shows a database's information.

*diceware* [_options_]::
Generates a random diceware passphrase.

*edit* [_options_] <__database__> <__entry__>::
Edits a database entry.
A password can be generated (*-g* option), or a prompt can be displayed to input the password (*-p* option).
The same password generation options as documented for the generate command can be used when the *-g* option is set.

*estimate* [_options_] [_password_]::
Estimates the entropy of a password.
The password to estimate can be provided as a positional argument, or using the standard input.

Exits interactive mode.
Synonymous with *quit*.
*export* [_options_] <__database__>::
Exports the content of a database to standard output in the specified format (defaults to XML).

*generate* [_options_]::
Generates a random password.

Displays a list of available commands, or detailed information about the specified command.

*import* [_options_] <__xml__> <__database__>::
Imports the contents of an XML-exported database into a newly created database
with a password and/or key file.
The key file will be created if the file that is referred to does not exist.
If both the key file and password are empty, no database will be created.
The new database will be in kdbx 4 format.

*ls* [_options_] <__database__> [_group_]::
Lists the contents of a group in a database.
If no group is specified, it will default to the root group.

*merge* [_options_] <__database1__> <__database2__>::
Merges two databases together.
The first database file is going to be replaced by the result of the merge; for that reason it is advisable to keep a backup of the two database files before attempting a merge.
In the case that both databases make use of the same credentials, the *--same-credentials* or *-s* option can be used.

*mkdir* [_options_] <__database__> <__group__>::
Adds a new group to a database.

*mv* [_options_] <__database__> <__entry__> <__group__>::
Moves an entry to a new group.

*open* [_options_] <__database__>::
Opens the given database in a shell-style interactive mode.
This is useful for performing multiple operations on a single database (e.g. *ls* followed by *show*).

Exits interactive mode.
Synonymous with *exit*.

*rm* [_options_] <__database__> <__entry__>::
Removes an entry from a database.
If the database has a recycle bin, the entry will be moved there.
If the entry is already in the recycle bin, it will be removed permanently.

*rmdir* [_options_] <__database__> <__group__>::
Removes a group from a database.
If the database has a recycle bin, the group will be moved there.
If the group is already in the recycle bin, it will be removed permanently.

*search* [_options_] <__database__> <__term__>::
Searches all entries that match a specific search term in a database.

*show* [_options_] <__database__> <__entry__>::
Shows the title, username, password, URL and notes of a database entry.
Can also show the current TOTP.
Regarding the occurrence of multiple entries with the same name in different groups, everything stated in the *clip* command section also applies here.

Displays debugging information.
*-k*, *--key-file* <__path__>::
Specifies a path to a key file for unlocking the database.
In a merge operation this option is used to specify the key file path for the first database.

Deactivates the password key for the database.

*-y*, *--yubikey* <__slot[:serial]__>::
Specifies a YubiKey slot for unlocking the database.
In a merge operation this option is used to specify the YubiKey slot for the first database.

*-q*, *--quiet* <__path__>::
Silences password prompt and other secondary outputs.

Displays help information.

Displays the program version.

*-d*, *--dry-run* <__path__>::
Prints the changes detected by the merge operation without making any changes to the database.

*--key-file-from* <__path__>::
Sets the path of the key file for the second database.

*--no-password-from*::
Deactivates password key for the database to merge from.

*--yubikey-from* <__slot[:serial]__>::
YubiKey slot for the second database.

*-s*, *--same-credentials*::
Uses the same credentials for unlocking both databases.

=== Add and edit options
The same password generation options as documented for the generate command can be used with these two commands when the *-g* option is set.
*-u*, *--username* <__username__>::
Specifies the username of the entry.

Specifies the URL of the entry.

*--notes* <__notes__>::
Specifies the notes of the entry.

*-p*, *--password-prompt*::
Uses a password prompt for the entry's password.

Generates a new password for the entry.

*-t*, *--title* <__title__>::
Specifies the title of the entry.

Performs advanced analysis on the password.

*-H*, *--hibp* <__filename__>::
Checks if any passwords have been publicly leaked, by comparing against the given list of password SHA-1 hashes, which must be in "Have I Been Pwned" format.
Such files are available from https://haveibeenpwned.com/Passwords;
note that they are large, and so this operation typically takes some time (minutes up to an hour or so).

*--okon* <__okon-cli path__>::
Use the specified okon-cli program to perform offline breach checks. You can obtain okon-cli from https://github.com/stryku/okon.
When using this option, *-H, --hibp* must point to a post-processed okon file (e.g. file.okon).
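
The offline comparison behind *-H* can be illustrated as follows. This is an added example, not KeePassXC's own code: it assumes list lines of the form `HASH:COUNT` (uppercase SHA-1 hex, a colon, an occurrence count), and the names `sha1_upper`, `find_breached` and all sample data are constructed for the illustration.

```python
import hashlib
import io

def sha1_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as uppercase hex, as stored in HIBP lists."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def find_breached(entries, hibp_lines):
    """Return {entry title: occurrence count} for passwords found in the list.

    entries    -- mapping of entry title -> plaintext password (hypothetical input)
    hibp_lines -- iterable of 'HASH:COUNT' lines, e.g. an open text file
    """
    # Hash every password once; several entries may share the same password.
    wanted = {}
    for title, password in entries.items():
        wanted.setdefault(sha1_upper(password), []).append(title)

    hits = {}
    # One streaming pass, so the large list never has to fit in memory
    # and its sort order does not matter.
    for raw in hibp_lines:
        digest, sep, count = raw.strip().partition(":")
        if not sep or len(digest) != 40 or not count.isdigit():
            continue  # skip blank or malformed lines
        for title in wanted.get(digest.upper(), ()):
            hits[title] = int(count)
    return hits

# Constructed sample list: the counts are made up, the hashes are computed here.
SAMPLE_HIBP = (
    f"{sha1_upper('password')}:1000\r\n"
    f"{'0' * 40}:3\r\n"
    "not-a-hash-line\r\n"
    f"{sha1_upper('letmein')}:42\r\n"
)
# Constructed entries; "mail" and "forum" deliberately reuse one password.
SAMPLE_ENTRIES = {
    "mail": "password",
    "forum": "password",
    "bank": "correct horse battery staple 7!",
    "wiki": "letmein",
}

if __name__ == "__main__":
    report = find_breached(SAMPLE_ENTRIES, io.StringIO(SAMPLE_HIBP))
    for title, count in sorted(report.items()):
        print(f"{title}: password appears {count} times in the breach list")
```

Only hashes are compared and nothing leaves the machine, which is the point of doing the check offline.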

Copies the specified attribute to the clipboard.
If no attribute is specified, the password attribute is the default.
For example, "*-a* *username*" would copy the username to the clipboard.

Copies the current TOTP instead of the specified attribute to the clipboard.
Will report an error if no TOTP is configured for the entry.

Tries to find a unique entry matching the input and copy it to the clipboard.
If a unique matching entry is found it will be copied to the clipboard.
If multiple entries are found, they will be listed to refine the search (no clip is performed).

=== Db-create, Db-edit and Import options
*--set-key-file* <__path__>::
Sets the key file for the database.

*-p*, *--set-password*::
Sets a password for the database.

=== Db-create, Import options
*-t*, *--decryption-time* <__time__>::
Target decryption time in milliseconds for the database.

*--unset-password* <__path__>::
Removes the password for the database.

*--unset-key-file* <__path__>::
Removes the key file for the database.

*-a*, *--attributes* <__attribute__>...::
Shows the named attributes.
This option can be specified more than once, with each attribute shown one-per-line in the given order.
If no attributes are specified and *-t* is not specified, a summary of the default attributes is given.
Protected attributes will be displayed in clear text if specified explicitly by this option.

Shows all the attributes of the entry.

*-s*, *--show-protected*::
Shows the protected attributes in clear text.

*--show-attachments*::
Shows the attachment names along with the size of the attachments.

Also shows the current TOTP, reporting an error if no TOTP is configured for the entry.
*-W*, *--words* <__count__>::
Sets the desired number of words for the generated passphrase.

*-w*, *--word-list* <__path__>::
Sets the path of the wordlist for the diceware generator.
The wordlist must have > 1000 words, otherwise the program will fail.
If the wordlist has < 4000 words a warning will be printed to STDERR.
Any *diceware*-compatible wordlist can be used. Note however that *KeePassXC* will NOT verify the PGP signature of signed wordlists.

Format to use when exporting.
Available choices are xml or csv.

Recursively lists the elements of the group.

Flattens the output to single lines.
When this option is enabled, subgroups and subentries will be displayed with a relative group path instead of indentation.

*-L*, *--length* <__length__>::
Sets the desired length for the generated password.

Uses lowercase characters for the generated password.

Uses uppercase characters for the generated password.

Uses numeric characters for the generated password.

Uses special characters for the generated password.

Uses extended ASCII characters for the generated password.

*-x*, *--exclude* <__chars__>::
Comma-separated list of characters to exclude from the generated password.
None is excluded by default.

Excludes similar-looking characters.

Includes characters from every selected group.

include::includes/section-notes.adoc[]

This manual page was originally written by Manolis Agkopian <m.agkopian@gmail.com>.

include::includes/section-reporting-bugs.adoc[]

include::includes/section-copyright.adoc[]