1KEEPASSXC-CLI(1) General Commands Manual KEEPASSXC-CLI(1)
2
6 keepassxc-cli - command line interface for the KeePassXC password
7 manager
8
10 keepassxc-cli command [options]
11
13 keepassxc-cli is the command line interface for the KeePassXC password
14 manager. It provides the ability to query and modify the entries of a
15 KeePass database, directly from the command line.
16
18 add [options] <database> <entry>
19 Adds a new entry to a database. A password can be generated (-g
20 option), or a prompt can be displayed to input the password (-p
21 option). The same password generation options as documented for the
22 generate command can be used when the -g option is set.
23 analyze [options] <database>
25 Analyzes passwords in a database for weaknesses using offline HIBP
26 SHA-1 hash lookup.
27 attachment-export [options] <database> <entry> <attachment_name>
29 <export_file>
30 Exports the content of an attachment to a specified file. Use
31 --stdout option to instead output the contents of the attachment to
32 stdout.
33 attachment-import [options] <database> <entry> <attachment_name>
35 <import_file>
36 Imports the attachment into an entry. An existing attachment with
37 the same name may be overwritten if the -f option is specified.
38 attachment-rm <database> <entry> <attachment_name>
40 Removes the named attachment from an entry.
41 clip [options] <database> <entry> [timeout]
43 Copies an attribute or the current TOTP (if the -t option is
44 specified) of a database entry to the clipboard. If no attribute
45 name is specified using the -a option, the password is copied. If
46 multiple entries with the same name exist in different groups, only
47 the attribute for the first one is copied. For copying the
48 attribute of an entry in a specific group, the group path to the
49 entry should be specified as well, instead of just the name.
50 Optionally, a timeout in seconds can be specified to automatically
51 clear the clipboard, the default timeout is 10 seconds, set to 0 to
52 disable.
53 close
55 In interactive mode, closes the currently opened database (see
56 open).
57 db-create [options] <database>
59 Creates a new database with a password and/or a key file. The key
60 file will be created if the file that is referred to does not
61 exist. If both the key file and password are empty, no database
62 will be created.
63 db-edit [options] <database>
65 Edits a database. When setting a key file, the key file will be
66 created if the file that is referred to does not exist.
67 db-info [options] <database>
69 Show a database’s information.
70 diceware [options]
72 Generates a random diceware passphrase.
73 edit [options] <database> <entry>
75 Edits a database entry. A password can be generated (-g option), or
76 a prompt can be displayed to input the password (-p option). The
77 same password generation options as documented for the generate
78 command can be used when the -g option is set.
79 estimate [options] [password]
81 Estimates the entropy of a password. The password to estimate can
82 be provided as a positional argument, or using the standard input.
83 exit
85 Exits interactive mode. Synonymous with quit.
86 export [options] <database>
88 Exports the content of a database to standard output in the
89 specified format (defaults to XML).
90 generate [options]
92 Generates a random password.
93 help [command]
95 Displays a list of available commands, or detailed information
96 about the specified command.
97 import [options] <xml> <database>
99 Imports the contents of an XML exported database to a new created
100 database with a password and/or key file. The key file will be
101 created if the file that is referred to does not exist. If both the
102 key file and password are empty, no database will be created. The
103 new database will be in kdbx 4 format.
104 ls [options] <database> [group]
106 Lists the contents of a group in a database. If no group is
107 specified, it will default to the root group.
108 merge [options] <database1> <database2>
110 Merges two databases together. The first database file is going to
111 be replaced by the result of the merge, for that reason it is
112 advisable to keep a backup of the two database files before
113 attempting a merge. In the case that both databases make use of the
114 same credentials, the --same-credentials or -s option can be used.
115 mkdir [options] <database> <group>
117 Adds a new group to a database.
118 mv [options] <database> <entry> <group>
120 Moves an entry to a new group.
121 open [options] <database>
123 Opens the given database in a shell-style interactive mode. This is
124 useful for performing multiple operations on a single database
125 (e.g. ls followed by show).
126 quit
128 Exits interactive mode. Synonymous with exit.
129 rm [options] <database> <entry>
131 Removes an entry from a database. If the database has a recycle
132 bin, the entry will be moved there. If the entry is already in the
133 recycle bin, it will be removed permanently.
134 rmdir [options] <database> <group>
136 Removes a group from a database. If the database has a recycle bin,
137 the group will be moved there. If the group is already in the
138 recycle bin, it will be removed permanently.
139 search [options] <database> <term>
141 Searches all entries that match a specific search term in a
142 database.
143 show [options] <database> <entry>
145 Shows the title, username, password, URL and notes of a database
146 entry. Can also show the current TOTP. Regarding the occurrence of
147 multiple entries with the same name in different groups, everything
148 stated in the clip command section also applies here.
149
151 General options
152 --debug-info
153 Displays debugging information.
154 -k, --key-file <path>
156 Specifies a path to a key file for unlocking the database. In a
157 merge operation this option, is used to specify the key file path
158 for the first database.
159 --no-password
161 Deactivates the password key for the database.
162 -y, --yubikey <slot[:serial]>
164 Specifies a yubikey slot for unlocking the database. In a merge
165 operation this option is used to specify the YubiKey slot for the
166 first database.
167 -q, --quiet <path>
169 Silences password prompt and other secondary outputs.
170 -h, --help
172 Displays help information.
173 -v, --version
175 Displays the program version.
176 Merge options
178 -d, --dry-run <path>
179 Prints the changes detected by the merge operation without making
180 any changes to the database.
181 --key-file-from <path>
183 Sets the path of the key file for the second database.
184 --no-password-from
186 Deactivates password key for the database to merge from.
187 --yubikey-from <slot[:serial]>
189 YubiKey slot for the second database.
190 -s, --same-credentials
192 Uses the same credentials for unlocking both databases.
193 Add and edit options
195 The same password generation options as documented for the generate
196 command can be used with those 2 commands when the -g option is set.
197 -u, --username <username>
199 Specifies the username of the entry.
200 --url <url>
202 Specifies the URL of the entry.
203 --notes <notes>
205 Specifies the notes of the entry.
206 -p, --password-prompt
208 Uses a password prompt for the entry’s password.
209 -g, --generate
211 Generates a new password for the entry.
212 Edit options
214 -t, --title <title>
215 Specifies the title of the entry.
216 Estimate options
218 -a, --advanced
219 Performs advanced analysis on the password.
220 Analyze options
222 -H, --hibp <filename>
223 Checks if any passwords have been publicly leaked, by comparing
224 against the given list of password SHA-1 hashes, which must be in
225 "Have I Been Pwned" format. Such files are available from
226 https://haveibeenpwned.com/Passwords; note that they are large, and
227 so this operation typically takes some time (minutes up to an hour
228 or so).
229 --okon <okon-cli path>
231 Use the specified okon-cli program to perform offline breach
232 checks. You can obtain okon-cli from
233 https://github.com/stryku/okon. When using this option, -H, --hibp
234 must point to a post-processed okon file (e.g. file.okon).
235 Clip options
237 -a, --attribute
238 Copies the specified attribute to the clipboard. If no attribute is
239 specified, the password attribute is the default. For example, "-a
240 username" would copy the username to the clipboard. [Default:
241 password]
242 -t, --totp
244 Copies the current TOTP instead of the specified attribute to the
245 clipboard. Will report an error if no TOTP is configured for the
246 entry.
247 -b, --best
249 Try to find and copy to clipboard a unique entry matching the input
250 If a unique matching entry is found it will be copied to the
251 clipboard. If multiple entries are found they will be listed to
252 refine the search. (no clip performed)
253 Db-create, Db-edit and Import options
255 --set-key-file <path>
256 Set the key file for the database.
257 -p, --set-password
259 Set a password for the database.
260 Db-create, Import options
262 -t, --decryption-time <time>
263 Target decryption time in MS for the database.
264 Db-edit options
266 --unset-password <path>
267 Removes the password for the database.
268 --unset-key-file <path>
270 Removes the key file for the database.
271 Show options
273 -a, --attributes <attribute>...
274 Shows the named attributes. This option can be specified more than
275 once, with each attribute shown one-per-line in the given order. If
276 no attributes are specified and -t is not specified, a summary of
277 the default attributes is given. Protected attributes will be
278 displayed in clear text if specified explicitly by this option.
279 --all
281 Show all the attributes of the entry.
282 -s, --show-protected
284 Shows the protected attributes in clear text.
285 --show-attachments
287 Shows the attachment names along with the size of the attachments.
288 -t, --totp
290 Also shows the current TOTP, reporting an error if no TOTP is
291 configured for the entry.
292 Diceware options
294 -W, --words <count>
295 Sets the desired number of words for the generated passphrase.
296 [Default: 7]
297 -w, --word-list <path>
299 Sets the Path of the wordlist for the diceware generator. The
300 wordlist must have > 1000 words, otherwise the program will fail.
301 If the wordlist has < 4000 words a warning will be printed to
302 STDERR. Any diceware-compatible wordlist can be used. Note however
303 that KeePassXC will NOT verify the PGP signature of signed
304 wordlists.
305 Export options
307 -f, --format
308 Format to use when exporting. Available choices are xml or csv.
309 Defaults to xml.
310 List options
312 -R, --recursive
313 Recursively lists the elements of the group.
314 -f, --flatten
316 Flattens the output to single lines. When this option is enabled,
317 subgroups and subentries will be displayed with a relative group
318 path instead of indentation.
319 Generate options
321 -L, --length <length>
322 Sets the desired length for the generated password. [Default: 16]
323 -l, --lower
325 Uses lowercase characters for the generated password. [Default:
326 Enabled]
327 -U, --upper
329 Uses uppercase characters for the generated password. [Default:
330 Enabled]
331 -n, --numeric
333 Uses numbers characters for the generated password. [Default:
334 Enabled]
335 -s, --special
337 Uses special characters for the generated password. [Default:
338 Disabled]
339 -e, --extended
341 Uses extended ASCII characters for the generated password.
342 [Default: Disabled]
343 -x, --exclude <chars>
345 Comma-separated list of characters to exclude from the generated
346 password. None is excluded by default.
347 --exclude-similar
349 Exclude similar looking characters. [Default: Disabled]
350 --every-group
352 Include characters from every selected group. [Default: Disabled]
353
355 Project homepage
356 https://keepassxc.org
357 QuickStart Guide
359 https://keepassxc.org/docs/KeePassXC_GettingStarted.html
360 User Guide
362 https://keepassxc.org/docs/KeePassXC_UserGuide.html
363 Git repository
365 https://github.com/keepassxreboot/keepassxc.git
366
368 This manual page was originally written by Manolis Agkopian
369 m.agkopian@gmail.com.
370
372 Bugs and feature requests can be reported on GitHub at
373 https://github.com/keepassxreboot/keepassxc/issues.
374
376 Copyright (C) 2016-2020 KeePassXC Team team@keepassxc.org
377 This program is free software: you can redistribute it and/or modify it
379 under the terms of the GNU General Public License, either version 2 or
380 version 3. There is NO WARRANTY, to the extent permitted by law.
381
383 keepassxc(1)
384
386 KeePassXC Team
387KeePassXC 2.7.4 2022-08-20 KEEPASSXC-CLI(1)