Keepassxc: Change database credentials from keepassxc-cli

Created on 1 Jul 2020 · 3 Comments · Source: keepassxreboot/keepassxc

Summary

I would like to propose the ability to re-encrypt a KeePass database using keepassxc-cli. Currently, the only way to change the password, change the key file, add a key file, add a YubiKey, etc. is to open the database in the UI and change it there. I would like to be able to perform these actions via CLI.

Examples

$ keepassxc-cli change-credentials --keyfile=/path/to/existing/key --new-keyfile=/path/to/new/key --leave-password /path/to/database

Something like the above would be able to change the key file and leave the password intact. If you omitted the --leave-password, the terminal would prompt for the new password twice.

Context

This is important for automation of rotating database credentials.

new feature CLI

All 3 comments

One way to do it would be to use both the export and then the import CLI commands, although it won't be possible to set the key file on import until this PR is merged. This solution is not ideal if you are concerned about the unencrypted database being exported, even if it's piped back directly to the program using import.

I think what we need is a db-edit command (just like we have a db-create and db-show command) to modify both the encryption parameters of the database, and other meta fields like the db name and description.

I have a question concerning credential prompts for changing the database credentials in the CLI feature wanted in this PR.

Currently, as of KeePassXC version 2.6.1, when we consider the behaviour of the GUI, the user needs to log in initially once into his database with attached password and/or keyfile to be able to edit/remove his credentials. Will there be a design choice to prompt an additional time in order to be able to (e.g.) change/remove the database password?

And considering the CLI behaviour, as @louib suggested with a db-edit command, should the user be prompted to enter his attached password and/or keyfile in order to be able to change these credentials on his database?

For the first point, there is no sense in asking for credentials again to change them. The database is unlocked, you've authenticated already. For point two, you wouldn't be able to use the db-edit command without entering the credentials.
