1KEEPASSXC-CLI(1) General Commands Manual KEEPASSXC-CLI(1)
2
6 keepassxc-cli - command line interface for the KeePassXC password man‐
7 ager.
8
11 keepassxc-cli command [ -I options ]
12
15 keepassxc-cli is the command line interface for the KeePassXC password
16 manager. It provides the ability to query and modify the entries of a
17 KeePass database, directly from the command line.
18
21 add [options] <database> <entry>
22 Adds a new entry to a database. A password can be generated (-g
23 option), or a prompt can be displayed to input the password (-p
24 option). The same password generation options as documented for
25 the generate command can be used when the -g option is set.
26 analyze [options] <database>
29 Analyzes passwords in a database for weaknesses.
30 clip [options] <database> <entry> [timeout]
33 Copies the password or the current TOTP (-t option) of a data‐
34 base entry to the clipboard. If multiple entries with the same
35 name exist in different groups, only the password for the first
36 one is going to be copied. For copying the password of an entry
37 in a specific group, the group path to the entry should be spec‐
38 ified as well, instead of just the name. Optionally, a timeout
39 in seconds can be specified to automatically clear the clip‐
40 board.
41 close In interactive mode, closes the currently opened database (see
44 open).
45 create [options] <database>
48 Creates a new database with a key file and/or password. The key
49 file will be created if the file that is referred to does not
50 exist. If both the key file and password are empty, no database
51 will be created.
52 diceware [options]
55 Generates a random diceware passphrase.
56 edit [options] <database> <entry>
59 Edits a database entry. A password can be generated (-g option),
60 or a prompt can be displayed to input the password (-p option).
61 The same password generation options as documented for the gen‐
62 erate command can be used when the -g option is set.
63 estimate [options] [password]
66 Estimates the entropy of a password. The password to estimate
67 can be provided as a positional argument, or using the standard
68 input.
69 exit Exits interactive mode. Synonymous with quit.
72 export [options] <database>
75 Exports the content of a database to standard output in the
76 specified format (defaults to XML).
77 generate [options]
80 Generates a random password.
81 help [command]
84 Displays a list of available commands, or detailed information
85 about the specified command.
86 import [options] <xml> <database>
89 Imports the contents of an XML database to the target database.
90 locate [options] <database> <term>
93 Locates all the entries that match a specific search term in a
94 database.
95 ls [options] <database> [group]
98 Lists the contents of a group in a database. If no group is
99 specified, it will default to the root group.
100 merge [options] <database1> <database2>
103 Merges two databases together. The first database file is going
104 to be replaced by the result of the merge, for that reason it is
105 advisable to keep a backup of the two database files before
106 attempting a merge. In the case that both databases make use of
107 the same credentials, the --same-credentials or -s option can be
108 used.
109 mkdir [options] <database> <group>
112 Adds a new group to a database.
113 mv [options] <database> <entry> <group>
116 Moves an entry to a new group.
117 open [options] <database>
120 Opens the given database in a shell-style interactive mode. This
121 is useful for performing multiple operations on a single data‐
122 base (e.g. ls followed by show).
123 quit Exits interactive mode. Synonymous with exit.
126 rm [options] <database> <entry>
129 Removes an entry from a database. If the database has a recycle
130 bin, the entry will be moved there. If the entry is already in
131 the recycle bin, it will be removed permanently.
132 rmdir [options] <database> <group>
135 Removes a group from a database. If the database has a recycle
136 bin, the group will be moved there. If the group is already in
137 the recycle bin, it will be removed permanently.
138 show [options] <database> <entry>
141 Shows the title, username, password, URL and notes of a database
142 entry. Can also show the current TOTP. Regarding the occurrence
143 of multiple entries with the same name in different groups,
144 everything stated in the clip command section also applies here.
145
148 General options
149 --debug-info
150 Displays debugging information.
151 -k, --key-file <path>
154 Specifies a path to a key file for unlocking the database. In a
155 merge operation this option, is used to specify the key file
156 path for the first database.
157 --no-password
160 Deactivates the password key for the database.
161 -y, --yubikey <slot>
164 Specifies a yubikey slot for unlocking the database. In a merge
165 operation this option is used to specify the yubikey slot for
166 the first database.
167 -q, --quiet <path>
170 Silences password prompt and other secondary outputs.
171 -h, --help
174 Displays help information.
175 -v, --version
178 Displays the program version.
179 Merge options
183 -d, --dry-run <path>
184 Prints the changes detected by the merge operation without mak‐
185 ing any changes to the database.
186 --key-file-from <path>
189 Sets the path of the key file for the second database.
190 --no-password-from
193 Deactivates password key for the database to merge from.
194 --yubikey-from <slot>
197 Yubikey slot for the second database.
198 -s, --same-credentials
201 Uses the same credentials for unlocking both databases.
202 Add and edit options
206 The same password generation options as documented for the generate
207 command can be used with those 2 commands when the -g option is set.
208 -u, --username <username>
211 Specifies the username of the entry.
212 --url <url>
215 Specifies the URL of the entry.
216 -p, --password-prompt
219 Uses a password prompt for the entry's password.
220 -g, --generate
223 Generates a new password for the entry.
224 Edit options
228 -t, --title <title>
229 Specifies the title of the entry.
230 Estimate options
234 -a, --advanced
235 Performs advanced analysis on the password.
236 Analyze options
240 -H, --hibp <filename>
241 Checks if any passwords have been publicly leaked, by comparing
242 against the given list of password SHA-1 hashes, which must be
243 in "Have I Been Pwned" format. Such files are available from
244 https://haveibeenpwned.com/Passwords; note that they are large,
245 and so this operation typically takes some time (minutes up to
246 an hour or so).
247 Clip options
251 -t, --totp
252 Copies the current TOTP instead of current password to clip‐
253 board. Will report an error if no TOTP is configured for the
254 entry.
255 Show options
259 -a, --attributes <attribute>...
260 Shows the named attributes. This option can be specified more
261 than once, with each attribute shown one-per-line in the given
262 order. If no attributes are specified and -t is not specified, a
263 summary of the default attributes is given. Protected
264 attributes will be displayed in clear text if specified explic‐
265 itly by this option.
266 -s, --show-protected
269 Shows the protected attributes in clear text.
270 -t, --totp
273 Also shows the current TOTP, reporting an error if no TOTP is
274 configured for the entry.
275 Diceware options
279 -W, --words <count>
280 Sets the desired number of words for the generated passphrase.
281 [Default: 7]
282 -w, --word-list <path>
285 Sets the Path of the wordlist for the diceware generator. The
286 wordlist must have > 1000 words, otherwise the program will
287 fail. If the wordlist has < 4000 words a warning will be printed
288 to STDERR.
289 Export options
293 -f, --format
294 Format to use when exporting. Available choices are xml or csv.
295 Defaults to xml.
296 List options
300 -R, --recursive
301 Recursively lists the elements of the group.
302 -f, --flatten
305 Flattens the output to single lines. When this option is
306 enabled, subgroups and subentries will be displayed with a rela‐
307 tive group path instead of indentation.
308 Generate options
311 -L, --length <length>
312 Sets the desired length for the generated password. [Default:
313 16]
314 -l --lower
317 Uses lowercase characters for the generated password. [Default:
318 Enabled]
319 -U --upper
322 Uses uppercase characters for the generated password. [Default:
323 Enabled]
324 -n --numeric
327 Uses numbers characters for the generated password. [Default:
328 Enabled]
329 -s --special
332 Uses special characters for the generated password. [Default:
333 Disabled]
334 -e --extended
337 Uses extended ASCII characters for the generated password.
338 [Default: Disabled]
339 -x --exclude <chars>
342 Comma-separated list of characters to exclude from the generated
343 password. None is excluded by default.
344 --exclude-similar
347 Exclude similar looking characters. [Default: Disabled]
348 --every-group
351 Include characters from every selected group. [Default: Dis‐
352 abled]
353
357 Bugs and feature requests can be reported on GitHub at
358 https://github.com/keepassxreboot/keepassxc/issues.
359
362 This manual page was originally written by Manolis Agkopian
363 <m.agkopian@gmail.com>, and is maintained by the KeePassXC Team
364 <team@keepassxc.org>.
365 June 15, 2019 KEEPASSXC-CLI(1)