1LPASS(1) lpass LPASS(1)
2
3
4
6 lpass - command line interface for LastPass
7
9 lpass [ --version, -v | --help, -h ]
10 lpass <subcommand> [<args>]
11
13 lpass is a simple command line interface to LastPass. It is comprised
14 of several subcommands:
15
16 lpass login [--trust] [--plaintext-key [--force, -f]] [--color=auto|never|always] USERNAME
17 lpass logout [--force, -f] [--color=auto|never|always]
18 lpass passwd
19 lpass show [--sync=auto|now|no] [--clip, -c] [--quiet, -q] [--expand-multi, -x] [--json, -j] [--all|--username|--password|--url|--notes|--field=FIELD|--id|--name|--attach=ATTACHID] [--basic-regexp, -G|--fixed-strings, -F] [--color=auto|never|always] {NAME|UNIQUEID}*
20 lpass ls [--sync=auto|now|no] [--long, -l] [-m] [-u] [--color=auto|never|always] [GROUP]
21 lpass mv [--sync=auto|now|no] [--color=auto|never|always] {UNIQUENAME|UNIQUEID} GROUP
22 lpass add [--sync=auto|now|no] [--non-interactive] {--name|--username, -u|--password, -p|--url|--notes|--field=FIELD|--note-type=NOTETYPE} [--color=auto|never|always] {NAME|UNIQUEID}
23 lpass edit [--sync=auto|now|no] [--non-interactive] {--name|--username, -u|--password, -p|--url|--notes|--field=FIELD} [--color=auto|never|always] {NAME|UNIQUEID}
24 lpass generate [--sync=auto|now|no] [--clip, -c] [--username=USERNAME] [--url=URL] [--no-symbols] [--color=auto|never|always] {NAME|UNIQUEID} LENGTH
25 lpass duplicate [--sync=auto|now|no] [--color=auto|never|always] {UNIQUENAME|UNIQUEID}
26 lpass rm [--sync=auto|now|no] [--color=auto|never|always] {UNIQUENAME|UNIQUEID}
27 lpass status [--quiet, -q] [--color=auto|never|always]
28 lpass sync [--background, -b] [--color=auto|never|always]
29 lpass import [--sync=auto|now|no] [--keep-dupes] [FILENAME]
30 lpass export [--sync=auto|now|no] [--color=auto|never|always] [--fields=FIELDLIST]
31 lpass share userls SHARE
32 lpass share useradd [--read-only=[true|false]] [--hidden=[true|false]] [--admin=[true|false]] SHARE USERNAME
33 lpass share usermod [--read-only=[true|false]] [--hidden=[true|false]] [--admin=[true|false]] SHARE USERNAME
34 lpass share userdel SHARE USERNAME
35 lpass share create SHARE
36 lpass share rm SHARE
37 lpass share limit [--deny|--allow] [--add|--rm|--clear] SHARE USERNAME [sites]
38
39 Synchronization
40 The --sync options control when the current operation involves a
41 synchronization with the server. If now is set, and the command makes a
42 change, the change is synchronized before the command exits. If now is
43 set, and the command displays a value, the local cache is synchronized
44 before the value is shown. If now is set, and the command is otherwise
45 successful, but synchronization fails, the command will return an
46 error. If auto is set, and the command makes a change, the change is
47 synchronized to the server in the background. If auto is set, and the
48 command displays a value, the local cache is synchronized before the
49 value is shown only if the local cache is more than 5 seconds (or
50 LPASS_AUTO_SYNC_TIME seconds, if set) old. If no is set, the command
51 will not interact with the server, unless there is a current upload
52 queue being processed. Any local changes that are not synchronized with
53 the server will exist in a queue of timestamped requests which will be
54 synchronized on the next occurring synchronization.
55
56 The sync command forces a synchronization of the local cache with the
57 LastPass servers, and does not exit until the local cache is
58 synchronized or until an error occurs. Alternatively, if --background
59 is specified, the synchronization occurs in a daemonized process.
60
61 Agent
62 An agent process will be spawned in the background on a first
63 successful command, and all subsequent commands will use the agent for
64 decryption, instead of asking a user for a password. The agent will
65 quit after one hour, unless the LPASS_AGENT_TIMEOUT environment
66 variable is set to an alternative number of seconds in which to quit,
67 or 0 to never quit. If the environment variable LPASS_AGENT_DISABLE is
68 set to 1, the agent will not be used.
69
70 Password Entry
71 The pinentry program, part of gpg2(1), may be used for inputting
72 passwords if it is installed. A custom path to the pinentry program can
73 be provided by the LPASS_PINENTRY environment variable.
74
75 If pinentry program is unavailable, or if the LPASS_DISABLE_PINENTRY
76 environment variable is set to 1, passwords will be read from standard
77 input and a prompt will be displayed on standard error.
78
79 The program used for inputting passwords may also be configured by
80 setting the LPASS_ASKPASS environment variable. LPASS_ASKPASS is
81 expected to be a binary that produces a prompt using its first
82 command-line argument, and outputs the entered password to standard
83 out. ssh-askpass implements this protocol, as does the following shell
84 script:
85
86 #!/bin/bash
87 echo -n "$*: " >/dev/stderr
88 stty -echo
89 read answer
90 stty echo
91 echo $answer
92
93 Entry Specification
94 Commands that take a UNIQUENAME will fail if the provided name is used
95 multiple times, and return an error. Commands may alternatively take a
96 UNIQUEID, which will be the integer ID provided by LastPass for
97 identifying entries uniquely. Commands that take either a NAME or a
98 UNIQUEID will create a new entry if a NAME is specified and otherwise
99 overwrite an existing entry if UNIQUEID is specified.
100
101 Logging In
102 The login subcommand will initialize a local cache and configuration
103 folder, then attempt to authenticate itself with the LastPass servers,
104 using the provided command line credentials or by interactively
105 prompting (in the case of multifactor or an unprovided password). The
106 --trust option will cause subsequent logins to not require multifactor
107 authentication. If the --plaintext-key option is specified, the
108 decryption key will be saved to the hard disk in plaintext. Please note
109 that use of this option is discouraged except in limited situations, as
110 it greatly decreases the security of data.
111
112 The logout subcommand will remove the local cache and stored encryption
113 keys. It will prompt the user to confirm, unless --force is specified.
114
115 The passwd subcommand may be used to change your LastPass password: it
116 will prompt for the old and new password and then re-encrypt all
117 records with the newly derived key.
118
119 Viewing
120 The show subcommand will display a password or selected field.
121
122 By default, the site you specify with the show subcommand must exactly
123 match the name of the site. If the --fixed-strings or -F option is set,
124 then the show subcommand will find a site containing that exact
125 substring; if the --basic-regexp or -G option is set, then the show
126 subcommand will find a site matching a case-insensitive regular
127 expression.
128
129 By default if your show subcommand matches more than one site, then the
130 show subcommand will generate a warning and display the names of
131 matching sites but no other information. The --expand-multi or -x
132 option will instead show the requested information from all of the
133 matching sites.
134
135 The ls subcommand will list names in groups in a tree structure. If the
136 --long or -l option is set, then also list the last modification time.
137 The -u option may be passed to show the last use (last touch) time
138 instead, if available. Both times are in GMT.
139
140 Passing --json to show will generate json output instead of
141 human-readable text.
142
143 In addition to using the built-in formats, both show and ls subcommands
144 support printf-style format strings by using the --format option with
145 the following placeholders:
146
147 • %ai: account id
148
149 • %an: account name
150
151 • %aN: account name including path
152
153 • %au: account user
154
155 • %ap: account password
156
157 • %am: account modification time
158
159 • %aU: account last touch time
160
161 • %as: account share name
162
163 • %ag: account group name
164
165 • %al: account URL
166
167 • %fn: field name (for show)
168
169 • %fv: field value (for show)
170
171 A slash can be added between the % and the placeholder to indicate that
172 a slash should be appended, only if the printed value is expanded to a
173 non-empty string. For example, this command will properly show the full
174 path to an account: lpass ls --format="%/as%/ag%an".
175
176 Modifying
177 The edit subcommand will edit the selected field. If --non-interactive
178 is not set, the selected field will be edited using EDITOR; otherwise
179 the command will accept data until EOF or, unless the notes field is
180 being edited, the first new line. Please note that when editing
181 interactively, the contents of the field may be saved on disk in tmp
182 files or in editor swap files, depending on your system configuration.
183
184 The generate subcommand will create a randomly generated password for
185 the chosen key name, and optionally add a url and username while
186 inserting the generated password.
187
188 The rm command will remove the specified entry, and the duplicate
189 command will create a duplicate entry of the one specified, but with a
190 different ID.
191
192 Backup
193 The export subcommand will dump all account information including
194 passwords to stdout (unencrypted) in CSV format. The optional
195 --fields=FIELDLIST argument may contain a comma-separated subset of the
196 following fields:
197
198 id, url, username, password, extra, name, fav, id, grouping, group,
199 fullname, last_touch, last_modified_gmt, attachpresent
200
201 The import subcommand does the reverse: accounts from an unencrypted
202 CSV file are uploaded to the server.
203
204 It is recommended that such backups be encrypted at rest, for example
205 by piping to and from gpg.
206
207 Shared Folder Commands
208 The share command and its accompanying subcommands can be used to
209 manipulate shared folders, if available to the (enterprise or premium)
210 user. The userls, useradd, usermod, and userdel subcommands may be used
211 to query and modify membership of the shared folder, while the create
212 and rm share subcommands may be used to add new, or delete existing
213 shared folders. The normal generate and edit commands may be used to
214 edit accounts within the shared folder.
215
216 The share limit command may be used to manipulate account access lists
217 on the share for a specific user. Running with no arguments will
218 display the current access levels for a user. The --add, --rm, and
219 --clear options may be used to add to, remove from, or reset the list.
220 Passing --allow or --deny will make the list a whitelist or blacklist,
221 respectively.
222
223 Clipboard
224 Commands that take a -c or --clip option will copy the output to the
225 clipboard, using xclip(1) or xsel(1) on X11-based systems, pbcopy(1) on
226 OSX, or putclip on Cygwin. The command to be used can be overridden by
227 specifying the LPASS_CLIPBOARD_COMMAND environment variable.
228
229 Color Output
230 The --color option controls colored output to the terminal. By default,
231 commands will use --color=auto, in which color output is used unless
232 the output is not a tty (for example, when passed to a pipe or file).
233 If always is used, colors are produced regardless of the output
234 detection. If never is used, no color escape sequences are emitted.
235
236 Configuration
237 lpass stores configuration in the following locations, in descending
238 order of precedence:
239
240 • The directory $LPASS_HOME, if set
241
242 • $XDG_CONFIG_HOME/lpass, $XDG_DATA_HOME/lpass, and
243 $XDG_RUNTIME_DIR/lpass (or equivalent defaults), if at least
244 $XDG_RUNTIME_DIR is set
245
246 • $HOME/.lpass
247
248 All configuration may be specified via environment variables.
249 Alternatively, a set of environment variable overrides may be specified
250 in $LPASS_HOME/env in the form of:
251
252 VARIABLE1=VALUE1
253 VARIABLE2=VALUE2
254 ...
255
256 Aliases
257 Default options can be specified for any command by creating command
258 aliases. Command aliases are stored in the configuration directory (see
259 previous section) with files named alias.command. For example, to force
260 the ls subcommand to never use color, make an alias.ls file with the
261 appropriate option:
262
263 echo 'ls --color=never' > ~/.config/lpass/alias.ls
264
265 Similarly, new subcommands can be created based on built-in subcommands
266 with options. Thus,
267
268 echo 'show --password -c' > ~/.config/lpass/alias.passclip
269
270 would create a passclip subcommand that copies your password onto the
271 clipboard.
272
274 The following environment variables may be used for configuration as
275 described in the section above:
276
277 • LPASS_HOME
278
279 • LPASS_AUTO_SYNC_TIME
280
281 • LPASS_AGENT_TIMEOUT
282
283 • LPASS_AGENT_DISABLE
284
285 • LPASS_PINENTRY
286
287 • LPASS_DISABLE_PINENTRY
288
289 • LPASS_ASKPASS
290
291 • LPASS_CLIPBOARD_COMMAND
292
294 In the following examples, "$" indicates a shell prompt while "#"
295 indicates a comment.
296
297 # login, generate and retrieve a new password
298 $ lpass login user@example.com
299 $ lpass generate work/email 20
300 G</Czo4*c;A+g;KIHkO-
301 $ lpass ls work
302 work
303 email [id: 140613939481239829]
304 $ lpass show -p email
305 G</Czo4*c;A+g;KIHkO-
306
307 # Copy password to clipboard
308 $ lpass show -cp email
309
310 # Add a new secure note
311 $ lpass add --note-type=ssn info/my-ssn
312 # (editor shows a template file; fill in and save)
313 Name: info/my-ssn
314 NoteType: Social Security
315 Name: My Name Goes Here
316 Number: 123-45-6789
317 Notes: # Add notes below this line
318 Any notes I want to save go here.
319 ~
320 ~
321
322 $ lpass show my-ssn
323 info/my-ssn [id: 0]
324 Number: 123-45-6789
325 Name: My Name Goes Here
326 NoteType: Social Security
327 Notes:
328 Any notes I want to save go here.
329
330 # Display a secure note attachment
331 $ lpass show my-secure-note
332 info/my-secure-note [id: 1426405543365295118]
333 URL: http://sn
334 att-1426405543365295118-94690: travel-flight.pdf
335 $ lpass show my-secure-note --attach att-1426405543365295118-94690
336 "travel-flight.pdf" is a binary file, print it anyway (or save)? [y/n/S] s
337 Wrote 122864 bytes to "travel-flight.pdf"
338
339 # Display secure note attachment to standard output
340 $ lpass show my-secure-note --attach att-1426405543365295118-94690 --quiet
341 [... binary data on stdout ...]
342
343 # Add an account non-interactively by creating the proper template
344 printf "Username: wizard97\nPassword: vJwhFfBBtn8hj4" | \
345 lpass add Facebook --non-interactive
346
347
348
349lpass 07/22/2021 LPASS(1)