1KEEPASSXC-CLI(1) General Commands Manual KEEPASSXC-CLI(1)
2
6 keepassxc-cli - command line interface for the KeePassXC password
7 manager
8
10 keepassxc-cli command [options]
11
13 keepassxc-cli is the command line interface for the KeePassXC password
14 manager. It provides the ability to query and modify the entries of a
15 KeePass database, directly from the command line.
16
18 add [options] <database> <entry>
19 Adds a new entry to a database. A password can be generated (-g
20 option), or a prompt can be displayed to input the password (-p
21 option). The same password generation options as documented for the
22 generate command can be used when the -g option is set.
23 analyze [options] <database>
25 Analyzes passwords in a database for weaknesses using offline HIBP
26 SHA-1 hash lookup.
27 attachment-export [options] <database> <entry> <attachment_name>
29 <export_file>
30 Exports the content of an attachment to a specified file. Use
31 --stdout option to instead output the contents of the attachment to
32 stdout.
33 attachment-import [options] <database> <entry> <attachment_name>
35 <import_file>
36 Imports the attachment into an entry. An existing attachment with
37 the same name may be overwritten if the -f option is specified.
38 attachment-rm <database> <entry> <attachment_name>
40 Removes the named attachment from an entry.
41 clip [options] <database> <entry> [timeout]
43 Copies an attribute or the current TOTP (if the -t option is
44 specified) of a database entry to the clipboard. If no attribute
45 name is specified using the -a option, the password is copied. If
46 multiple entries with the same name exist in different groups, only
47 the attribute for the first one is copied. For copying the
48 attribute of an entry in a specific group, the group path to the
49 entry should be specified as well, instead of just the name.
50 Optionally, a timeout in seconds can be specified to automatically
51 clear the clipboard, the default timeout is 10 seconds, set to 0 to
52 disable.
53 close
55 In interactive mode, closes the currently opened database (see
56 open).
57 db-create [options] <database>
59 Creates a new database with a password and/or a key file. The key
60 file will be created if the file that is referred to does not
61 exist. If both the key file and password are empty, no database
62 will be created.
63 db-info [options] <database>
65 Show a database’s information.
66 diceware [options]
68 Generates a random diceware passphrase.
69 edit [options] <database> <entry>
71 Edits a database entry. A password can be generated (-g option), or
72 a prompt can be displayed to input the password (-p option). The
73 same password generation options as documented for the generate
74 command can be used when the -g option is set.
75 estimate [options] [password]
77 Estimates the entropy of a password. The password to estimate can
78 be provided as a positional argument, or using the standard input.
79 exit
81 Exits interactive mode. Synonymous with quit.
82 export [options] <database>
84 Exports the content of a database to standard output in the
85 specified format (defaults to XML).
86 generate [options]
88 Generates a random password.
89 help [command]
91 Displays a list of available commands, or detailed information
92 about the specified command.
93 import [options] <xml> <database>
95 Imports the contents of an XML exported database to a new created
96 database with a password and/or key file. The key file will be
97 created if the file that is referred to does not exist. If both the
98 key file and password are empty, no database will be created. The
99 new database will be in kdbx 4 format.
100 ls [options] <database> [group]
102 Lists the contents of a group in a database. If no group is
103 specified, it will default to the root group.
104 merge [options] <database1> <database2>
106 Merges two databases together. The first database file is going to
107 be replaced by the result of the merge, for that reason it is
108 advisable to keep a backup of the two database files before
109 attempting a merge. In the case that both databases make use of the
110 same credentials, the --same-credentials or -s option can be used.
111 mkdir [options] <database> <group>
113 Adds a new group to a database.
114 mv [options] <database> <entry> <group>
116 Moves an entry to a new group.
117 open [options] <database>
119 Opens the given database in a shell-style interactive mode. This is
120 useful for performing multiple operations on a single database
121 (e.g. ls followed by show).
122 quit
124 Exits interactive mode. Synonymous with exit.
125 rm [options] <database> <entry>
127 Removes an entry from a database. If the database has a recycle
128 bin, the entry will be moved there. If the entry is already in the
129 recycle bin, it will be removed permanently.
130 rmdir [options] <database> <group>
132 Removes a group from a database. If the database has a recycle bin,
133 the group will be moved there. If the group is already in the
134 recycle bin, it will be removed permanently.
135 search [options] <database> <term>
137 Searches all entries that match a specific search term in a
138 database.
139 show [options] <database> <entry>
141 Shows the title, username, password, URL and notes of a database
142 entry. Can also show the current TOTP. Regarding the occurrence of
143 multiple entries with the same name in different groups, everything
144 stated in the clip command section also applies here.
145
147 General options
148 --debug-info
149 Displays debugging information.
150 -k, --key-file <path>
152 Specifies a path to a key file for unlocking the database. In a
153 merge operation this option, is used to specify the key file path
154 for the first database.
155 --no-password
157 Deactivates the password key for the database.
158 -y, --yubikey <slot>
160 Specifies a yubikey slot for unlocking the database. In a merge
161 operation this option is used to specify the YubiKey slot for the
162 first database.
163 -q, --quiet <path>
165 Silences password prompt and other secondary outputs.
166 -h, --help
168 Displays help information.
169 -v, --version
171 Displays the program version.
172 Merge options
174 -d, --dry-run <path>
175 Prints the changes detected by the merge operation without making
176 any changes to the database.
177 --key-file-from <path>
179 Sets the path of the key file for the second database.
180 --no-password-from
182 Deactivates password key for the database to merge from.
183 --yubikey-from <slot>
185 YubiKey slot for the second database.
186 -s, --same-credentials
188 Uses the same credentials for unlocking both databases.
189 Add and edit options
191 The same password generation options as documented for the generate
192 command can be used with those 2 commands when the -g option is set.
193 -u, --username <username>
195 Specifies the username of the entry.
196 --url <url>
198 Specifies the URL of the entry.
199 --notes <notes>
201 Specifies the notes of the entry.
202 -p, --password-prompt
204 Uses a password prompt for the entry’s password.
205 -g, --generate
207 Generates a new password for the entry.
208 Edit options
210 -t, --title <title>
211 Specifies the title of the entry.
212 Estimate options
214 -a, --advanced
215 Performs advanced analysis on the password.
216 Analyze options
218 -H, --hibp <filename>
219 Checks if any passwords have been publicly leaked, by comparing
220 against the given list of password SHA-1 hashes, which must be in
221 "Have I Been Pwned" format. Such files are available from
222 https://haveibeenpwned.com/Passwords; note that they are large, and
223 so this operation typically takes some time (minutes up to an hour
224 or so).
225 --okon <okon-cli path>
227 Use the specified okon-cli program to perform offline breach
228 checks. You can obtain okon-cli from
229 https://github.com/stryku/okon. When using this option, -H, --hibp
230 must point to a post-processed okon file (e.g. file.okon).
231 Clip options
233 -a, --attribute
234 Copies the specified attribute to the clipboard. If no attribute is
235 specified, the password attribute is the default. For example, "-a
236 username" would copy the username to the clipboard. [Default:
237 password]
238 -t, --totp
240 Copies the current TOTP instead of the specified attribute to the
241 clipboard. Will report an error if no TOTP is configured for the
242 entry.
243 -b, --best
245 Try to find and copy to clipboard a unique entry matching the input
246 If a unique matching entry is found it will be copied to the
247 clipboard. If multiple entries are found they will be listed to
248 refine the search. (no clip performed)
249 Create and Import options
251 -k, --set-key-file <path>
252 Set the key file for the database.
253 -p, --set-password
255 Set a password for the database.
256 -t, --decryption-time <time>
258 Target decryption time in MS for the database.
259 Show options
261 -a, --attributes <attribute>...
262 Shows the named attributes. This option can be specified more than
263 once, with each attribute shown one-per-line in the given order. If
264 no attributes are specified and -t is not specified, a summary of
265 the default attributes is given. Protected attributes will be
266 displayed in clear text if specified explicitly by this option.
267 -s, --show-protected
269 Shows the protected attributes in clear text.
270 --show-attachments
272 Shows the attachment names along with the size of the attachments.
273 -t, --totp
275 Also shows the current TOTP, reporting an error if no TOTP is
276 configured for the entry.
277 Diceware options
279 -W, --words <count>
280 Sets the desired number of words for the generated passphrase.
281 [Default: 7]
282 -w, --word-list <path>
284 Sets the Path of the wordlist for the diceware generator. The
285 wordlist must have > 1000 words, otherwise the program will fail.
286 If the wordlist has < 4000 words a warning will be printed to
287 STDERR. Any diceware-compatible wordlist can used. Note however
288 that KeePassXC will NOT verify the PGP signature of signed
289 wordlists.
290 Export options
292 -f, --format
293 Format to use when exporting. Available choices are xml or csv.
294 Defaults to xml.
295 List options
297 -R, --recursive
298 Recursively lists the elements of the group.
299 -f, --flatten
301 Flattens the output to single lines. When this option is enabled,
302 subgroups and subentries will be displayed with a relative group
303 path instead of indentation.
304 Generate options
306 -L, --length <length>
307 Sets the desired length for the generated password. [Default: 16]
308 -l, --lower
310 Uses lowercase characters for the generated password. [Default:
311 Enabled]
312 -U, --upper
314 Uses uppercase characters for the generated password. [Default:
315 Enabled]
316 -n, --numeric
318 Uses numbers characters for the generated password. [Default:
319 Enabled]
320 -s, --special
322 Uses special characters for the generated password. [Default:
323 Disabled]
324 -e, --extended
326 Uses extended ASCII characters for the generated password.
327 [Default: Disabled]
328 -x, --exclude <chars>
330 Comma-separated list of characters to exclude from the generated
331 password. None is excluded by default.
332 --exclude-similar
334 Exclude similar looking characters. [Default: Disabled]
335 --every-group
337 Include characters from every selected group. [Default: Disabled]
338
340 Project homepage
341 https://keepassxc.org
342 QuickStart Guide
344 https://keepassxc.org/docs/KeePassXC_GettingStarted.html
345 User Guide
347 https://keepassxc.org/docs/KeePassXC_UserGuide.html
348 Git repository
350 https://github.com/keepassxreboot/keepassxc.git
351
353 This manual page was originally written by Manolis Agkopian
354 m.agkopian@gmail.com.
355
357 Bugs and feature requests can be reported on GitHub at
358 https://github.com/keepassxreboot/keepassxc/issues.
359
361 Copyright (C) 2016-2020 KeePassXC Team team@keepassxc.org
362 This program is free software: you can redistribute it and/or modify it
364 under the terms of the GNU General Public License, either version 2 or
365 version 3. There is NO WARRANTY, to the extent permitted by law.
366
368 keepassxc(1)
369
371 KeePassXC Team
372KeePassXC 2.7.1 2020-08-31 KEEPASSXC-CLI(1)