1KEEPASSXC-CLI(1) General Commands Manual KEEPASSXC-CLI(1)
2
3
4
6 keepassxc-cli - command line interface for the KeePassXC password man‐
7 ager.
8
9
11 keepassxc-cli command [ -I options ]
12
13
15 keepassxc-cli is the command line interface for the KeePassXC password
16 manager. It provides the ability to query and modify the entries of a
17 KeePass database, directly from the command line.
18
19
21 add [options] <database> <entry>
22 Adds a new entry to a database. A password can be generated (-g
23 option), or a prompt can be displayed to input the password (-p
24 option). The same password generation options as documented for
25 the generate command can be used when the -g option is set.
26
27
28 analyze [options] <database>
29 Analyzes passwords in a database for weaknesses.
30
31
32 clip [options] <database> <entry> [timeout]
33 Copies the password or the current TOTP (-t option) of a data‐
34 base entry to the clipboard. If multiple entries with the same
35 name exist in different groups, only the password for the first
36 one is going to be copied. For copying the password of an entry
37 in a specific group, the group path to the entry should be spec‐
38 ified as well, instead of just the name. Optionally, a timeout
39 in seconds can be specified to automatically clear the clip‐
40 board.
41
42
43 close In interactive mode, closes the currently opened database (see
44 open).
45
46
47 create [options] <database>
48 Creates a new database with a key file and/or password. The key
49 file will be created if the file that is referred to does not
50 exist. If both the key file and password are empty, no database
51 will be created.
52
53
54 diceware [options]
55 Generates a random diceware passphrase.
56
57
58 edit [options] <database> <entry>
59 Edits a database entry. A password can be generated (-g option),
60 or a prompt can be displayed to input the password (-p option).
61 The same password generation options as documented for the gen‐
62 erate command can be used when the -g option is set.
63
64
65 estimate [options] [password]
66 Estimates the entropy of a password. The password to estimate
67 can be provided as a positional argument, or using the standard
68 input.
69
70
71 exit Exits interactive mode. Synonymous with quit.
72
73
74 export [options] <database>
75 Exports the content of a database to standard output in the
76 specified format (defaults to XML).
77
78
79 generate [options]
80 Generates a random password.
81
82
83 help [command]
84 Displays a list of available commands, or detailed information
85 about the specified command.
86
87
88 import [options] <xml> <database>
89 Imports the contents of an XML database to the target database.
90
91
92 locate [options] <database> <term>
93 Locates all the entries that match a specific search term in a
94 database.
95
96
97 ls [options] <database> [group]
98 Lists the contents of a group in a database. If no group is
99 specified, it will default to the root group.
100
101
102 merge [options] <database1> <database2>
103 Merges two databases together. The first database file is going
104 to be replaced by the result of the merge, for that reason it is
105 advisable to keep a backup of the two database files before
106 attempting a merge. In the case that both databases make use of
107 the same credentials, the --same-credentials or -s option can be
108 used.
109
110
111 mkdir [options] <database> <group>
112 Adds a new group to a database.
113
114
115 mv [options] <database> <entry> <group>
116 Moves an entry to a new group.
117
118
119 open [options] <database>
120 Opens the given database in a shell-style interactive mode. This
121 is useful for performing multiple operations on a single data‐
122 base (e.g. ls followed by show).
123
124
125 quit Exits interactive mode. Synonymous with exit.
126
127
128 rm [options] <database> <entry>
129 Removes an entry from a database. If the database has a recycle
130 bin, the entry will be moved there. If the entry is already in
131 the recycle bin, it will be removed permanently.
132
133
134 rmdir [options] <database> <group>
135 Removes a group from a database. If the database has a recycle
136 bin, the group will be moved there. If the group is already in
137 the recycle bin, it will be removed permanently.
138
139
140 show [options] <database> <entry>
141 Shows the title, username, password, URL and notes of a database
142 entry. Can also show the current TOTP. Regarding the occurrence
143 of multiple entries with the same name in different groups,
144 everything stated in the clip command section also applies here.
145
146
148 General options
149 --debug-info
150 Displays debugging information.
151
152
153 -k, --key-file <path>
154 Specifies a path to a key file for unlocking the database. In a
155 merge operation this option, is used to specify the key file
156 path for the first database.
157
158
159 --no-password
160 Deactivates the password key for the database.
161
162
163 -y, --yubikey <slot>
164 Specifies a yubikey slot for unlocking the database. In a merge
165 operation this option is used to specify the yubikey slot for
166 the first database.
167
168
169 -q, --quiet <path>
170 Silences password prompt and other secondary outputs.
171
172
173 -h, --help
174 Displays help information.
175
176
177 -v, --version
178 Displays the program version.
179
180
181
182 Merge options
183 -d, --dry-run <path>
184 Prints the changes detected by the merge operation without mak‐
185 ing any changes to the database.
186
187
188 -f, --key-file-from <path>
189 Sets the path of the key file for the second database.
190
191
192 --no-password-from
193 Deactivates password key for the database to merge from.
194
195
196 --yubikey-from <slot>
197 Yubikey slot for the second database.
198
199
200 -s, --same-credentials
201 Uses the same credentials for unlocking both databases.
202
203
204
205 Add and edit options
206 The same password generation options as documented for the generate
207 command can be used with those 2 commands when the -g option is set.
208
209
210 -u, --username <username>
211 Specifies the username of the entry.
212
213
214 --url <url>
215 Specifies the URL of the entry.
216
217
218 -p, --password-prompt
219 Uses a password prompt for the entry's password.
220
221
222 -g, --generate
223 Generates a new password for the entry.
224
225
226
227 Edit options
228 -t, --title <title>
229 Specifies the title of the entry.
230
231
232
233 Estimate options
234 -a, --advanced
235 Performs advanced analysis on the password.
236
237
238
239 Analyze options
240 -H, --hibp <filename>
241 Checks if any passwords have been publicly leaked, by comparing
242 against the given list of password SHA-1 hashes, which must be
243 in "Have I Been Pwned" format. Such files are available from
244 https://haveibeenpwned.com/Passwords; note that they are large,
245 and so this operation typically takes some time (minutes up to
246 an hour or so).
247
248
249
250 Clip options
251 -t, --totp
252 Copies the current TOTP instead of current password to clip‐
253 board. Will report an error if no TOTP is configured for the
254 entry.
255
256
257
258 Show options
259 -a, --attributes <attribute>...
260 Shows the named attributes. This option can be specified more
261 than once, with each attribute shown one-per-line in the given
262 order. If no attributes are specified and -t is not specified, a
263 summary of the default attributes is given. Protected
264 attributes will be displayed in clear text if specified explic‐
265 itly by this option.
266
267
268 -s, --show-protected
269 Shows the protected attributes in clear text.
270
271
272 -t, --totp
273 Also shows the current TOTP, reporting an error if no TOTP is
274 configured for the entry.
275
276
277
278 Diceware options
279 -W, --words <count>
280 Sets the desired number of words for the generated passphrase.
281 [Default: 7]
282
283
284 -w, --word-list <path>
285 Sets the Path of the wordlist for the diceware generator. The
286 wordlist must have > 1000 words, otherwise the program will
287 fail. If the wordlist has < 4000 words a warning will be printed
288 to STDERR.
289
290
291
292 Export options
293 -f, --format
294 Format to use when exporting. Available choices are xml or csv.
295 Defaults to xml.
296
297
298
299 List options
300 -R, --recursive
301 Recursively lists the elements of the group.
302
303
304 -f, --flatten
305 Flattens the output to single lines. When this option is
306 enabled, subgroups and subentries will be displayed with a rela‐
307 tive group path instead of indentation.
308
309
310 Generate options
311 -L, --length <length>
312 Sets the desired length for the generated password. [Default:
313 16]
314
315
316 -l --lower
317 Uses lowercase characters for the generated password. [Default:
318 Enabled]
319
320
321 -U --upper
322 Uses uppercase characters for the generated password. [Default:
323 Enabled]
324
325
326 -n --numeric
327 Uses numbers characters for the generated password. [Default:
328 Enabled]
329
330
331 -s --special
332 Uses special characters for the generated password. [Default:
333 Disabled]
334
335
336 -e --extended
337 Uses extended ASCII characters for the generated password.
338 [Default: Disabled]
339
340
341 -x --exclude <chars>
342 Comma-separated list of characters to exclude from the generated
343 password. None is excluded by default.
344
345
346 --exclude-similar
347 Exclude similar looking characters. [Default: Disabled]
348
349
350 --every-group
351 Include characters from every selected group. [Default: Dis‐
352 abled]
353
354
355
357 Bugs and feature requests can be reported on GitHub at
358 https://github.com/keepassxreboot/keepassxc/issues.
359
360
362 This manual page was originally written by Manolis Agkopian
363 <m.agkopian@gmail.com>, and is maintained by the KeePassXC Team
364 <team@keepassxc.org>.
365
366
367
368 June 15, 2019 KEEPASSXC-CLI(1)