1File::KDBX(3) User Contributed Perl Documentation File::KDBX(3)
2
6 File::KDBX - Encrypted database to store secret text and files
7
9 version 0.906
10
12 use File::KDBX;
13 # Create a new database from scratch
15 my $kdbx = File::KDBX->new;
16 # Add some objects to the database
18 my $group = $kdbx->add_group(
19 name => 'Passwords',
20 );
21 my $entry = $group->add_entry(
22 title => 'My Bank',
23 username => 'mreynolds',
24 password => 's3cr3t',
25 );
26 # Save the database to the filesystem
28 $kdbx->dump_file('passwords.kdbx', 'masterpw changeme');
29 # Load the database from the filesystem into a new database instance
31 my $kdbx2 = File::KDBX->load_file('passwords.kdbx', 'masterpw changeme');
32 # Iterate over database entries, print entry titles
34 $kdbx2->entries->each(sub($entry, @) {
35 say 'Entry: ', $entry->title;
36 });
37 See "RECIPES" for more examples.
39
41 File::KDBX provides everything you need to work with KDBX databases. A
42 KDBX database is a hierarchical object database which is commonly used
43 to store secret information securely. It was developed for the KeePass
44 password safe. See "Introduction to KDBX" for more information about
45 KDBX.
46 This module lets you query entries, create new entries, delete entries,
48 modify entries and more. The distribution also includes various parsers
49 and generators for serializing and persisting databases.
50 The design of this software was influenced by the KeePassXC
52 <https://github.com/keepassxreboot/keepassxc> implementation of KeePass
53 as well as the File::KeePass module. File::KeePass is an alternative
54 module that works well in most cases but has a small backlog of bugs
55 and security issues and also does not work with newer KDBX version 4
56 files. If you're coming here from the File::KeePass world, you might be
57 interested in File::KeePass::KDBX that is a drop-in replacement for
58 File::KeePass that uses File::KDBX for storage.
59 This software is a pre-1.0 release. The interface should be considered
61 pretty stable, but there might be minor changes up until a 1.0 release.
62 Breaking changes will be noted in the Changes file.
63 Features
65 • ☑ Read and write KDBX version 3 - version 4.1
66 • ☑ Read and write KDB files (requires File::KeePass)
68 • ☑ Unicode character strings
70 • ☑ "Simple Expression" Searching
72 • ☑ Placeholders and field references
74 • ☑ One-time passwords
76 • ☑ Very secure
78 • ☑ "Memory Protection"
80 • ☑ Challenge-response key components, like YubiKey
82 • ☑ Variety of key file types: binary, hexed, hashed, XML v1 and v2
84 • ☑ Pluggable registration of different kinds of ciphers and key
86 derivation functions
87 • ☑ Built-in database maintenance functions
89 • ☑ Pretty fast, with XS optimizations available
91 • ☒ Database synchronization / merging (not yet)
93 Introduction to KDBX
95 A KDBX database consists of a tree of groups and entries, with a single
96 root group. Entries can contain zero or more key-value pairs of strings
97 and zero or more binaries (i.e. octet strings). Groups, entries,
98 strings and binaries: that's the KDBX vernacular. A small amount of
99 metadata (timestamps, etc.) is associated with each entry, group and
100 the database as a whole.
101 You can think of a KDBX database kind of like a file system, where
103 groups are directories, entries are files, and strings and binaries
104 make up a file's contents.
105 Databases are typically persisted as encrypted, compressed files. They
107 are usually accessed directly (i.e. not over a network). The primary
108 focus of this type of database is data security. It is ideal for
109 storing relatively small amounts of data (strings and binaries) that
110 must remain secret except to such individuals as have the correct
111 master key. Even if the database file were to be "leaked" to the public
112 Internet, it should be virtually impossible to crack with a strong key.
113 The KDBX format is most often used by password managers to store
114 passwords so that users can know a single strong password and not have
115 to reuse passwords across different websites. See "SECURITY" for an
116 overview of security considerations.
117
119 sig1
120 sig2
121 version
122 headers
123 inner_headers
124 meta
125 binaries
126 deleted_objects
127 Hash of UUIDs for objects that have been deleted. This includes groups,
128 entries and even custom icons.
129 raw
131 Bytes contained within the encrypted layer of a KDBX file. This is only
132 set when using File::KDBX::Loader::Raw.
133 comment
135 A text string associated with the database stored unencrypted in the
136 file header. Often unset.
137 cipher_id
139 The UUID of a cipher used to encrypt the database when stored as a
140 file.
141 See File::KDBX::Cipher.
143 compression_flags
145 Configuration for whether or not and how the database gets compressed.
146 See ":compression" in File::KDBX::Constants.
147 master_seed
149 The master seed is a string of 32 random bytes that is used as salt in
150 hashing the master key when loading and saving the database. If a
151 challenge-response key is used in the master key, the master seed is
152 also the challenge.
153 The master seed should be changed each time the database is saved to
155 file.
156 transform_seed
158 The transform seed is a string of 32 random bytes that is used in the
159 key derivation function, either as the salt or the key (depending on
160 the algorithm).
161 The transform seed should be changed each time the database is saved to
163 file.
164 transform_rounds
166 The number of rounds or iterations used in the key derivation function.
167 Increasing this number makes loading and saving the database slower in
168 order to make dictionary and brute force attacks more costly.
169 encryption_iv
171 The initialization vector used by the cipher.
172 The encryption IV should be changed each time the database is saved to
174 file.
175 inner_random_stream_key
177 The encryption key (possibly including the IV, depending on the cipher)
178 used to encrypt the protected strings within the database.
179 stream_start_bytes
181 A string of 32 random bytes written in the header and encrypted in the
182 body. If the bytes do not match when loading a file then the wrong
183 master key was used or the file is corrupt. Only KDBX 2 and KDBX 3
184 files use this. KDBX 4 files use an improved HMAC method to verify the
185 master key and data integrity of the header and entire file body.
186 inner_random_stream_id
188 A number indicating the cipher algorithm used to encrypt the protected
189 strings within the database, usually Salsa20 or ChaCha20. See
190 ":random_stream" in File::KDBX::Constants.
191 kdf_parameters
193 A hash/dict of key-value pairs used to configure the key derivation
194 function. This is the KDBX4+ way to configure the KDF, superceding
195 "transform_seed" and "transform_rounds".
196 generator
198 The name of the software used to generate the KDBX file.
199 header_hash
201 The header hash used to verify that the file header is not corrupt.
202 (KDBX 2 - KDBX 3.1, removed KDBX 4.0)
203 database_name
205 Name of the database.
206 database_name_changed
208 Timestamp indicating when the database name was last changed.
209 database_description
211 Description of the database
212 database_description_changed
214 Timestamp indicating when the database description was last changed.
215 default_username
217 When a new entry is created, the UserName string will be populated with
218 this value.
219 default_username_changed
221 Timestamp indicating when the default username was last changed.
222 color
224 A color associated with the database (in the form "#ffffff" where "f"
225 is a hexidecimal digit). Some agents use this to help users visually
226 distinguish between different databases.
227 master_key_changed
229 Timestamp indicating when the master key was last changed.
230 master_key_change_rec
232 Number of days until the agent should prompt to recommend changing the
233 master key.
234 master_key_change_force
236 Number of days until the agent should prompt to force changing the
237 master key.
238 Note: This is purely advisory. It is up to the individual agent
240 software to actually enforce it. File::KDBX does NOT enforce it.
241 custom_icons
243 Array of custom icons that can be associated with groups and entries.
244 This list can be managed with the methods "add_custom_icon" and
246 "remove_custom_icon".
247 recycle_bin_enabled
249 Boolean indicating whether removed groups and entries should go to a
250 recycle bin or be immediately deleted.
251 recycle_bin_uuid
253 The UUID of a group used to store thrown-away groups and entries.
254 recycle_bin_changed
256 Timestamp indicating when the recycle bin group was last changed.
257 entry_templates_group
259 The UUID of a group containing template entries used when creating new
260 entries.
261 entry_templates_group_changed
263 Timestamp indicating when the entry templates group was last changed.
264 last_selected_group
266 The UUID of the previously-selected group.
267 last_top_visible_group
269 The UUID of the group visible at the top of the list.
270 history_max_items
272 The maximum number of historical entries that should be kept for each
273 entry. Default is 10.
274 history_max_size
276 The maximum total size (in bytes) that each individual entry's history
277 is allowed to grow. Default is 6 MiB.
278 maintenance_history_days
280 The maximum age (in days) historical entries should be kept. Default it
281 365.
282 settings_changed
284 Timestamp indicating when the database settings were last updated.
285 protect_title
287 Alias of the "memory_protection" setting for the Title string.
288 protect_username
290 Alias of the "memory_protection" setting for the UserName string.
291 protect_password
293 Alias of the "memory_protection" setting for the Password string.
294 protect_url
296 Alias of the "memory_protection" setting for the URL string.
297 protect_notes
299 Alias of the "memory_protection" setting for the Notes string.
300
302 new
303 $kdbx = File::KDBX->new(%attributes);
304 $kdbx = File::KDBX->new($kdbx); # copy constructor
305 Construct a new File::KDBX.
307 init
309 $kdbx = $kdbx->init(%attributes);
310 Initialize a File::KDBX with a set of attributes. Returns itself to
312 allow method chaining.
313 This is called by "new".
315 reset
317 $kdbx = $kdbx->reset;
318 Set a File::KDBX to an empty state, ready to load a KDBX file or build
320 a new one. Returns itself to allow method chaining.
321 clone
323 $kdbx_copy = $kdbx->clone;
324 $kdbx_copy = File::KDBX->new($kdbx);
325 Clone a File::KDBX. The clone will be an exact copy and completely
327 independent of the original.
328 load
330 load_string
331 load_file
332 load_handle
333 $kdbx = KDBX::File->load(\$string, $key);
334 $kdbx = KDBX::File->load(*IO, $key);
335 $kdbx = KDBX::File->load($filepath, $key);
336 $kdbx->load(...); # also instance method
337 $kdbx = File::KDBX->load_string($string, $key);
339 $kdbx = File::KDBX->load_string(\$string, $key);
340 $kdbx->load_string(...); # also instance method
341 $kdbx = File::KDBX->load_file($filepath, $key);
343 $kdbx->load_file(...); # also instance method
344 $kdbx = File::KDBX->load_handle($fh, $key);
346 $kdbx = File::KDBX->load_handle(*IO, $key);
347 $kdbx->load_handle(...); # also instance method
348 Load a KDBX file from a string buffer, IO handle or file from a
350 filesystem.
351 File::KDBX::Loader does the heavy lifting.
353 dump
355 dump_string
356 dump_file
357 dump_handle
358 $kdbx->dump(\$string, $key);
359 $kdbx->dump(*IO, $key);
360 $kdbx->dump($filepath, $key);
361 $kdbx->dump_string(\$string, $key);
363 \$string = $kdbx->dump_string($key);
364 $kdbx->dump_file($filepath, $key);
366 $kdbx->dump_handle($fh, $key);
368 $kdbx->dump_handle(*IO, $key);
369 Dump a KDBX file to a string buffer, IO handle or file in a filesystem.
371 File::KDBX::Dumper does the heavy lifting.
373 user_agent_string
375 $string = $kdbx->user_agent_string;
376 Get a text string identifying the database client software.
378 memory_protection
380 \%settings = $kdbx->memory_protection
381 $kdbx->memory_protection(\%settings);
382 $bool = $kdbx->memory_protection($string_key);
384 $kdbx->memory_protection($string_key => $bool);
385 Get or set memory protection settings. This globally (for the whole
387 database) configures whether and which of the standard strings should
388 be memory-protected. The default setting is to memory-protect only
389 Password strings.
390 Memory protection can be toggled individually for each entry string,
392 and individual settings take precedence over these global settings.
393 minimum_version
395 $version = $kdbx->minimum_version;
396 Determine the minimum file version required to save a database
398 losslessly. Using certain databases features might increase this value.
399 For example, setting the KDF to Argon2 will increase the minimum
400 version to at least "KDBX_VERSION_4_0" (i.e. 0x00040000) because Argon2
401 was introduced with KDBX4.
402 This method never returns less than "KDBX_VERSION_3_1" (i.e.
404 0x00030001). That file version is so ubiquitous and well-supported,
405 there are seldom reasons to dump in a lesser format nowadays.
406 WARNING: If you dump a database with a minimum version higher than the
408 current "version", the dumper will typically issue a warning and
409 automatically upgrade the database. This seems like the safest behavior
410 in order to avoid data loss, but lower versions have the benefit of
411 being compatible with more software. It is possible to prevent auto-
412 upgrades by explicitly telling the dumper which version to use, but you
413 do run the risk of data loss. A database will never be automatically
414 downgraded.
415 root
417 $group = $kdbx->root;
418 $kdbx->root($group);
419 Get or set a database's root group. You don't necessarily need to
421 explicitly create or set a root group because it autovivifies when
422 adding entries and groups to the database.
423 Every database has only a single root group at a time. Some old KDB
425 files might have multiple root groups. When reading such files, a
426 single implicit root group is created to contain the actual root
427 groups. When writing to such a format, if the root group looks like it
428 was implicitly created then it won't be written and the resulting file
429 might have multiple root groups, as it was before loading. This allows
430 working with older files without changing their written internal
431 structure while still adhering to modern semantics while the database
432 is opened.
433 The root group of a KDBX database contains all of the database's
435 entries and other groups. If you replace the root group, you are
436 essentially replacing the entire database contents with something else.
437 trace_lineage
439 \@lineage = $kdbx->trace_lineage($group);
440 \@lineage = $kdbx->trace_lineage($group, $base_group);
441 \@lineage = $kdbx->trace_lineage($entry);
442 \@lineage = $kdbx->trace_lineage($entry, $base_group);
443 Get the direct line of ancestors from $base_group (default: the root
445 group) to a group or entry. The lineage includes the base group but not
446 the target group or entry. Returns "undef" if the target is not in the
447 database structure.
448 recycle_bin
450 $group = $kdbx->recycle_bin;
451 $kdbx->recycle_bin($group);
452 Get or set the recycle bin group. Returns "undef" if there is no
454 recycle bin and "recycle_bin_enabled" is false, otherwise the current
455 recycle bin or an autovivified recycle bin group is returned.
456 entry_templates
458 $group = $kdbx->entry_templates;
459 $kdbx->entry_templates($group);
460 Get or set the entry templates group. May return "undef" if unset.
462 last_selected
464 $group = $kdbx->last_selected;
465 $kdbx->last_selected($group);
466 Get or set the last selected group. May return "undef" if unset.
468 last_top_visible
470 $group = $kdbx->last_top_visible;
471 $kdbx->last_top_visible($group);
472 Get or set the last top visible group. May return "undef" if unset.
474 add_group
476 $kdbx->add_group($group);
477 $kdbx->add_group(%group_attributes, %options);
478 Add a group to a database. This is equivalent to identifying a parent
480 group and calling "add_group" in File::KDBX::Group on the parent group,
481 forwarding the arguments. Available options:
482 • "group" - Group object or group UUID to add the group to (default:
484 root group)
485 groups
487 \&iterator = $kdbx->groups(%options);
488 \&iterator = $kdbx->groups($base_group, %options);
489 Get an File::KDBX::Iterator over groups within a database. Options:
491 • "base" - Only include groups within a base group (same as
493 $base_group) (default: "root")
494 • "inclusive" - Include the base group in the results (default: true)
496 • "algorithm" - Search algorithm, one of "ids", "bfs" or "dfs"
498 (default: "ids")
499 add_entry
501 $kdbx->add_entry($entry, %options);
502 $kdbx->add_entry(%entry_attributes, %options);
503 Add an entry to a database. This is equivalent to identifying a parent
505 group and calling "add_entry" in File::KDBX::Group on the parent group,
506 forwarding the arguments. Available options:
507 • "group" - Group object or group UUID to add the entry to (default:
509 root group)
510 entries
512 \&iterator = $kdbx->entries(%options);
513 \&iterator = $kdbx->entries($base_group, %options);
514 Get an File::KDBX::Iterator over entries within a database. Supports
516 the same options as "groups", plus some new ones:
517 • "auto_type" - Only include entries with auto-type enabled (default:
519 false, include all)
520 • "searching" - Only include entries within groups with searching
522 enabled (default: false, include all)
523 • "history" - Also include historical entries (default: false,
525 include only current entries)
526 objects
528 \&iterator = $kdbx->objects(%options);
529 \&iterator = $kdbx->objects($base_group, %options);
530 Get an File::KDBX::Iterator over objects within a database. Groups and
532 entries are considered objects, so this is essentially a combination of
533 "groups" and "entries". This won't often be useful, but it can be
534 convenient for maintenance tasks. This method takes the same options as
535 "groups" and "entries".
536 custom_icon
538 \%icon = $kdbx->custom_icon($uuid);
539 $kdbx->custom_icon($uuid => \%icon);
540 $kdbx->custom_icon(%icon);
541 $kdbx->custom_icon(uuid => $value, %icon);
542 Get or set custom icons.
544 custom_icon_data
546 $image_data = $kdbx->custom_icon_data($uuid);
547 Get a custom icon image data.
549 add_custom_icon
551 $uuid = $kdbx->add_custom_icon($image_data, %attributes);
552 $uuid = $kdbx->add_custom_icon(%attributes);
553 Add a custom icon and get its UUID. If not provided, a random UUID will
555 be generated. Possible attributes:
556 • "uuid" - Icon UUID (default: autogenerated)
558 • "data" - Image data (same as $image_data)
560 • "name" - Name of the icon (text, KDBX4.1+)
562 • "last_modification_time" - Just what it says (datetime, KDBX4.1+)
564 remove_custom_icon
566 $kdbx->remove_custom_icon($uuid);
567 Remove a custom icon.
569 custom_data
571 \%all_data = $kdbx->custom_data;
572 $kdbx->custom_data(\%all_data);
573 \%data = $kdbx->custom_data($key);
575 $kdbx->custom_data($key => \%data);
576 $kdbx->custom_data(%data);
577 $kdbx->custom_data(key => $value, %data);
578 Get and set custom data. Custom data is metadata associated with a
580 database.
581 Each data item can have a few attributes associated with it.
583 • "key" - A unique text string identifier used to look up the data
585 item (required)
586 • "value" - A text string value (required)
588 • "last_modification_time" (optional, KDBX4.1+)
590 custom_data_value
592 $value = $kdbx->custom_data_value($key);
593 Exactly the same as "custom_data" except returns just the custom data's
595 value rather than a structure of attributes. This is a shortcut for:
596 my $data = $kdbx->custom_data($key);
598 my $value = defined $data ? $data->{value} : undef;
599 public_custom_data
601 \%all_data = $kdbx->public_custom_data;
602 $kdbx->public_custom_data(\%all_data);
603 $value = $kdbx->public_custom_data($key);
605 $kdbx->public_custom_data($key => $value);
606 Get and set public custom data. Public custom data is similar to custom
608 data but different in some important ways. Public custom data:
609 • can store strings, booleans and up to 64-bit integer values (custom
611 data can only store text values)
612 • is NOT encrypted within a KDBX file (hence the "public" part of the
614 name)
615 • is a plain hash/dict of key-value pairs with no other associated
617 fields (like modification times)
618 add_deleted_object
620 $kdbx->add_deleted_object($uuid);
621 Add a UUID to the deleted objects list. This list is used to support
623 automatic database merging.
624 You typically do not need to call this yourself because the list will
626 be populated automatically as objects are removed.
627 remove_deleted_object
629 $kdbx->remove_deleted_object($uuid);
630 Remove a UUID from the deleted objects list. This list is used to
632 support automatic database merging.
633 You typically do not need to call this yourself because the list will
635 be maintained automatically as objects are added.
636 clear_deleted_objects
638 Remove all UUIDs from the deleted objects list. This list is used to
639 support automatic database merging, but if you don't need merging then
640 you can clear deleted objects to reduce the database file size.
641 resolve_reference
643 $string = $kdbx->resolve_reference($reference);
644 $string = $kdbx->resolve_reference($wanted, $search_in, $expression);
645 Resolve a field reference
647 <https://keepass.info/help/base/fieldrefs.html>. A field reference is a
648 kind of string placeholder. You can use a field reference to refer
649 directly to a standard field within an entry. Field references are
650 resolved automatically while expanding entry strings (i.e. replacing
651 placeholders), but you can use this method to resolve on-the-fly
652 references that aren't part of any actual string in the database.
653 If the reference does not resolve to any field, "undef" is returned. If
655 the reference resolves to multiple fields, only the first one is
656 returned (in the same order as iterated by "entries"). To avoid
657 ambiguity, you can refer to a specific entry by its UUID.
658 The syntax of a reference is: "{REF:<WantedField>@<SearchIn>:<Text>}".
660 "Text" is a "Simple Expression". "WantedField" and "SearchIn" are both
661 single character codes representing a field:
662 • "T" - Title
664 • "U" - UserName
666 • "P" - Password
668 • "A" - URL
670 • "N" - Notes
672 • "I" - UUID
674 • "O" - Other custom strings
676 Since "O" does not represent any specific field, it cannot be used as
678 the "WantedField".
679 Examples:
681 To get the value of the UserName string of the first entry with "My
683 Bank" in the title:
684 my $username = $kdbx->resolve_reference('{REF:U@T:"My Bank"}');
686 # OR the {REF:...} wrapper is optional
687 my $username = $kdbx->resolve_reference('U@T:"My Bank"');
688 # OR separate the arguments
689 my $username = $kdbx->resolve_reference(U => T => '"My Bank"');
690 Note how the text is a "Simple Expression", so search terms with spaces
692 must be surrounded in double quotes.
693 To get the Password string of a specific entry (identified by its
695 UUID):
696 my $password = $kdbx->resolve_reference('{REF:P@I:46C9B1FFBD4ABC4BBB260C6190BAD20C}');
698 lock
700 $kdbx->lock;
701 Encrypt all protected strings and binaries in a database. The encrypted
703 data is stored in a File::KDBX::Safe associated with the database and
704 the actual values will be replaced with "undef" to indicate their
705 protected state. Returns itself to allow method chaining.
706 You can call "lock" on an already-locked database to memory-protect any
708 unprotected strings and binaries added after the last time the database
709 was locked.
710 unlock
712 $kdbx->unlock;
713 Decrypt all protected strings and binaries in a database, replacing
715 "undef" value placeholders with their actual, unprotected values.
716 Returns itself to allow method chaining.
717 unlock_scoped
719 $guard = $kdbx->unlock_scoped;
720 Unlock a database temporarily, relocking when the guard is released
722 (typically at the end of a scope). Returns "undef" if the database is
723 already unlocked.
724 See "lock" and "unlock".
726 Example:
728 {
730 my $guard = $kdbx->unlock_scoped;
731 ...;
732 }
733 # $kdbx is now memory-locked
734 peek
736 $string = $kdbx->peek(\%string);
737 $string = $kdbx->peek(\%binary);
738 Peek at the value of a protected string or binary without unlocking the
740 whole database. The argument can be a string or binary hashref as
741 returned by "string" in File::KDBX::Entry or "binary" in
742 File::KDBX::Entry.
743 is_locked
745 $bool = $kdbx->is_locked;
746 Get whether or not a database's contents are in a locked (i.e. memory-
748 protected) state. If this is true, then some or all of the protected
749 strings and binaries within the database will be unavailable (literally
750 have "undef" values) until "unlock" is called.
751 remove_empty_groups
753 $kdbx->remove_empty_groups;
754 Remove groups with no subgroups and no entries.
756 remove_unused_icons
758 $kdbx->remove_unused_icons;
759 Remove icons that are not associated with any entry or group in the
761 database.
762 remove_duplicate_icons
764 $kdbx->remove_duplicate_icons;
765 Remove duplicate icons as determined by hashing the icon data.
767 prune_history
769 $kdbx->prune_history(%options);
770 Remove just as many older historical entries as necessary to get under
772 certain limits.
773 • "max_items" - Maximum number of historical entries to keep
775 (default: value of "history_max_items", no limit: -1)
776 • "max_size" - Maximum total size (in bytes) of historical entries to
778 keep (default: value of "history_max_size", no limit: -1)
779 • "max_age" - Maximum age (in days) of historical entries to keep
781 (default: value of "maintenance_history_days", no limit: -1)
782 randomize_seeds
784 $kdbx->randomize_seeds;
785 Set various keys, seeds and IVs to random values. These values are used
787 by the cryptographic functions that secure the database when dumped.
788 The attributes that will be randomized are:
789 • "encryption_iv"
791 • "inner_random_stream_key"
793 • "master_seed"
795 • "stream_start_bytes"
797 • "transform_seed"
799 Randomizing these values has no effect on a loaded database. These are
801 only used when a database is dumped. You normally do not need to call
802 this method explicitly because the dumper does it for you by default.
803 key
805 $key = $kdbx->key;
806 $key = $kdbx->key($key);
807 $key = $kdbx->key($primitive);
808 Get or set a File::KDBX::Key. This is the master key (e.g. a password
810 or a key file that can decrypt a database). You can also pass a
811 primitive castable to a Key. See "new" in File::KDBX::Key for an
812 explanation of what the primitive can be.
813 You generally don't need to call this directly because you can provide
815 the key directly to the loader or dumper when loading or dumping a KDBX
816 file.
817 composite_key
819 $key = $kdbx->composite_key($key);
820 $key = $kdbx->composite_key($primitive);
821 Construct a File::KDBX::Key::Composite from a Key or primitive. See
823 "new" in File::KDBX::Key for an explanation of what the primitive can
824 be. If the primitive does not represent a composite key, it will be
825 wrapped.
826 You generally don't need to call this directly. The loader and dumper
828 use it to transform a master key into a raw encryption key.
829 kdf
831 $kdf = $kdbx->kdf(%options);
832 $kdf = $kdbx->kdf(\%parameters, %options);
833 Get a File::KDBX::KDF (key derivation function).
835 Options:
837 • "params" - KDF parameters, same as "\%parameters" (default: value
839 of "kdf_parameters")
840 cipher
842 $cipher = $kdbx->cipher(key => $key);
843 $cipher = $kdbx->cipher(key => $key, iv => $iv, uuid => $uuid);
844 Get a File::KDBX::Cipher capable of encrypting and decrypting the body
846 of a database file.
847 A key is required. This should be a raw encryption key made up of a
849 fixed number of octets (depending on the cipher), not a File::KDBX::Key
850 or primitive.
851 If not passed, the UUID comes from "$kdbx->headers->{cipher_id}" and
853 the encryption IV comes from "$kdbx->headers->{encryption_iv}".
854 You generally don't need to call this directly. The loader and dumper
856 use it to decrypt and encrypt KDBX files.
857 random_stream
859 $cipher = $kdbx->random_stream;
860 $cipher = $kdbx->random_stream(id => $stream_id, key => $key);
861 Get a File::KDBX::Cipher::Stream for decrypting and encrypting
863 protected values.
864 If not passed, the ID and encryption key comes from
866 "$kdbx->headers->{inner_random_stream_id}" and
867 "$kdbx->headers->{inner_random_stream_key}" (respectively) for KDBX3
868 files and from "$kdbx->inner_headers->{inner_random_stream_key}" and
869 "$kdbx->inner_headers->{inner_random_stream_id}" (respectively) for
870 KDBX4 files.
871 You generally don't need to call this directly. The loader and dumper
873 use it to scramble protected strings.
874
876 Create a new database
877 my $kdbx = File::KDBX->new;
878 my $group = $kdbx->add_group(name => 'Passwords);
880 my $entry = $group->add_entry(
881 title => 'WayneCorp',
882 username => 'bwayne',
883 password => 'iambatman',
884 url => 'https://example.com/login'
885 );
886 $entry->add_auto_type_window_association('WayneCorp - Mozilla Firefox', '{PASSWORD}{ENTER}');
887 $kdbx->dump_file('mypasswords.kdbx', 'master password CHANGEME');
889 Read an existing database
891 my $kdbx = File::KDBX->load_file('mypasswords.kdbx', 'master password CHANGEME');
892 $kdbx->unlock; # cause $entry->password below to be defined
893 $kdbx->entries->each(sub($entry, @) {
895 say 'Found password for: ', $entry->title;
896 say ' Username: ', $entry->username;
897 say ' Password: ', $entry->password;
898 });
899 Search for entries
901 my @entries = $kdbx->entries(searching => 1)
902 ->grep(title => 'WayneCorp')
903 ->each; # return all matches
904 The "searching" option limits results to only entries within groups
906 with searching enabled. Other options are also available. See
907 "entries".
908 See "QUERY" for many more query examples.
910 Search for entries by auto-type window association
912 my $window_title = 'WayneCorp - Mozilla Firefox';
913 my $entries = $kdbx->entries(auto_type => 1)
915 ->filter(sub {
916 my ($ata) = grep { $_->{window} =~ /\Q$window_title\E/i } @{$_->auto_type_associations};
917 return [$_, $ata->{keystroke_sequence}] if $ata;
918 })
919 ->each(sub {
920 my ($entry, $keys) = @$_;
921 say 'Entry title: ', $entry->title, ', key sequence: ', $keys;
922 });
923 Example output:
925 Entry title: WayneCorp, key sequence: {PASSWORD}{ENTER}
927 Remove entries from a database
929 $kdbx->entries
930 ->grep(notes => {'=~' => qr/too old/i})
931 ->each(sub { $_->recycle });
932 Recycle all entries with the string "too old" appearing in the Notes
934 string.
935 Remove empty groups
937 $kdbx->groups(algorithm => 'dfs')
938 ->where(-true => 'is_empty')
939 ->each('remove');
940 With the search/iteration "algorithm" set to "dfs", groups will be
942 ordered deepest first and the root group will be last. This allows
943 removing groups that only contain empty groups.
944 This can also be done with one call to "remove_empty_groups".
946
948 One of the biggest threats to your database security is how easily the
949 encryption key can be brute-forced. Strong brute-force protection
950 depends on:
951 • Using unguessable passwords, passphrases and key files.
953 • Using a brute-force resistent key derivation function.
955 The first factor is up to you. This module does not enforce strong
957 master keys. It is up to you to pick or generate strong keys.
958 The KDBX format allows for the key derivation function to be tuned. The
960 idea is that you want each single brute-force attempt to be expensive
961 (in terms of time, CPU usage or memory usage), so that making a lot of
962 attempts (which would be required if you have a strong master key) gets
963 really expensive.
964 How expensive you want to make each attempt is up to you and can depend
966 on the application.
967 This and other KDBX-related security issues are covered here more in
969 depth: <https://keepass.info/help/base/security.html>
970 Here are other security risks you should be thinking about:
972 Cryptography
974 This distribution uses the excellent CryptX and Crypt::Argon2 packages
975 to handle all crypto-related functions. As such, a lot of the security
976 depends on the quality of these dependencies. Fortunately these modules
977 are maintained and appear to have good track records.
978 The KDBX format has evolved over time to incorporate improved security
980 practices and cryptographic functions. This package uses the following
981 functions for authentication, hashing, encryption and random number
982 generation:
983 • AES-128 (legacy)
985 • AES-256
987 • Argon2d & Argon2id
989 • CBC block mode
991 • HMAC-SHA256
993 • SHA256
995 • SHA512
997 • Salsa20 & ChaCha20
999 • Twofish
1001 At the time of this writing, I am not aware of any successful attacks
1003 against any of these functions. These are among the most-analyzed and
1004 widely-adopted crypto functions available.
1005 The KDBX format allows the body cipher and key derivation function to
1007 be configured. If a flaw is discovered in one of these functions, you
1008 can hopefully just switch to a better function without needing to
1009 update this software. A later software release may phase out the use of
1010 any functions which are no longer secure.
1011 Memory Protection
1013 It is not a good idea to keep secret information unencrypted in system
1014 memory for longer than is needed. The address space of your program can
1015 generally be read by a user with elevated privileges on the system. If
1016 your system is memory-constrained or goes into a hibernation mode, the
1017 contents of your address space could be written to a disk where it
1018 might be persisted for long time.
1019 There might be system-level things you can do to reduce your risk, like
1021 using swap encryption and limiting system access to your program's
1022 address space while your program is running.
1023 File::KDBX helps minimize (but not eliminate) risk by keeping secrets
1025 encrypted in memory until accessed and zeroing out memory that holds
1026 secrets after they're no longer needed, but it's not a silver bullet.
1027 For one thing, the encryption key is stored in the same address space.
1029 If core is dumped, the encryption key is available to be found out. But
1030 at least there is the chance that the encryption key and the encrypted
1031 secrets won't both be paged out together while memory-constrained.
1032 Another problem is that some perls (somewhat notoriously) copy around
1034 memory behind the scenes willy nilly, and it's difficult know when perl
1035 makes a copy of a secret in order to be able to zero it out later. It
1036 might be impossible. The good news is that perls with SvPV copy-on-
1037 write (enabled by default beginning with perl 5.20) are much better in
1038 this regard. With COW, it's mostly possible to know what operations
1039 will cause perl to copy the memory of a scalar string, and the number
1040 of copies will be significantly reduced. There is a unit test named
1041 t/memory-protection.t in this distribution that can be run on POSIX
1042 systems to determine how well File::KDBX memory protection is working.
1043 Memory protection also depends on how your application handles secrets.
1045 If your app code is handling scalar strings with secret information,
1046 it's up to you to make sure its memory is zeroed out when no longer
1047 needed. "erase" in File::KDBX::Util et al. provide some tools to help
1048 accomplish this. Or if you're not too concerned about the risks memory
1049 protection is meant to mitigate, then maybe don't worry about it. The
1050 security policy of File::KDBX is to try hard to keep secrets protected
1051 while in memory so that your app might claim a high level of security,
1052 in case you care about that.
1053 There are some memory protection strategies that File::KDBX does NOT
1055 use today but could in the future:
1056 Many systems allow programs to mark unswappable pages. Secret
1058 information should ideally be stored in such pages. You could
1059 potentially use mlockall(2) (or equivalent for your system) in your own
1060 application to prevent the entire address space from being swapped.
1061 Some systems provide special syscalls for storing secrets in memory
1063 while keeping the encryption key outside of the program's address
1064 space, like "CryptProtectMemory" for Windows. This could be a good
1065 option, though unfortunately not portable.
1066
1068 To find things in a KDBX database, you should use a filtered iterator.
1069 If you have an iterator, such as returned by "entries", "groups" or
1070 even "objects" you can filter it using "where" in File::KDBX::Iterator.
1071 my $filtered_entries = $kdbx->entries->where(\&query);
1073 A "\&query" is just a subroutine that you can either write yourself or
1075 have generated for you from either a "Simple Expression" or
1076 "Declarative Syntax". It's easier to have your query generated, so I'll
1077 cover that first.
1078 Simple Expression
1080 A simple expression is mostly compatible with the KeePass 2
1081 implementation described here
1082 <https://keepass.info/help/base/search.html#mode_se>.
1083 An expression is a string with one or more space-separated terms. Terms
1085 with spaces can be enclosed in double quotes. Terms are negated if they
1086 are prefixed with a minus sign. A record must match every term on at
1087 least one of the given fields.
1088 So a simple expression is something like what you might type into a
1090 search engine. You can generate a simple expression query using
1091 "simple_expression_query" in File::KDBX::Util or by passing the simple
1092 expression as a scalar reference to "where".
1093 To search for all entries in a database with the word "canyon"
1095 appearing anywhere in the title:
1096 my $entries = $kdbx->entries->where(\'canyon', qw[title]);
1098 Notice the first argument is a scalarref. This disambiguates a simple
1100 expression from other types of queries covered below.
1101 As mentioned, a simple expression can have multiple terms. This simple
1103 expression query matches any entry that has the words "red" and
1104 "canyon" anywhere in the title:
1105 my $entries = $kdbx->entries->where(\'red canyon', qw[title]);
1107 Each term in the simple expression must be found for an entry to match.
1109 To search for entries with "red" in the title but not "canyon", just
1111 prepend "canyon" with a minus sign:
1112 my $entries = $kdbx->entries->where(\'red -canyon', qw[title]);
1114 To search over multiple fields simultaneously, just list them all. To
1116 search for entries with "grocery" (but not "Foodland") in the title or
1117 notes:
1118 my $entries = $kdbx->entries->where(\'grocery -Foodland', qw[title notes]);
1120 The default operator is a case-insensitive regexp match, which is fine
1122 for searching text loosely. You can use just about any binary
1123 comparison operator that perl supports. To specify an operator, list it
1124 after the simple expression. For example, to search for any entry that
1125 has been used at least five times:
1126 my $entries = $kdbx->entries->where(\5, '>=', qw[usage_count]);
1128 It helps to read it right-to-left, like "usage_count is greater than or
1130 equal to 5".
1131 If you find the disambiguating structures to be distracting or
1133 confusing, you can also use the "simple_expression_query" in
1134 File::KDBX::Util function as a more intuitive alternative. The
1135 following example is equivalent to the previous:
1136 my $entries = $kdbx->entries->where(simple_expression_query(5, '>=', qw[usage_count]));
1138 Declarative Syntax
1140 Structuring a declarative query is similar to "WHERE CLAUSES" in
1141 SQL::Abstract, but you don't have to be familiar with that module. Just
1142 learn by examples here.
1143 To search for all entries in a database titled "My Bank":
1145 my $entries = $kdbx->entries->where({ title => 'My Bank' });
1147 The query here is "{ title => 'My Bank' }". A hashref can contain key-
1149 value pairs where the key is an attribute of the thing being searched
1150 for (in this case an entry) and the value is what you want the thing's
1151 attribute to be to consider it a match. In this case, the attribute
1152 we're using as our match criteria is "title" in File::KDBX::Entry, a
1153 text field. If an entry has its title attribute equal to "My Bank",
1154 it's a match.
1155 A hashref can contain multiple attributes. The search candidate will be
1157 a match if all of the specified attributes are equal to their
1158 respective values. For example, to search for all entries with a
1159 particular URL AND username:
1160 my $entries = $kdbx->entries->where({
1162 url => 'https://example.com',
1163 username => 'neo',
1164 });
1165 To search for entries matching any criteria, just change the hashref to
1167 an arrayref. To search for entries with a particular URL OR username:
1168 my $entries = $kdbx->entries->where([ # <-- Notice the square bracket
1170 url => 'https://example.com',
1171 username => 'neo',
1172 ]);
1173 You can use different operators to test different types of attributes.
1175 The "icon_id" in File::KDBX::Entry attribute is a number, so we should
1176 use a number comparison operator. To find entries using the smartphone
1177 icon:
1178 my $entries = $kdbx->entries->where({
1180 icon_id => { '==', ICON_SMARTPHONE },
1181 });
1182 Note: "ICON_SMARTPHONE" in File::KDBX::Constants is just a constant
1184 from File::KDBX::Constants. It isn't special to this example or to
1185 queries generally. We could have just used a literal number.
1186 The important thing to notice here is how we wrapped the condition in
1188 another hashref with a single key-value pair where the key is the name
1189 of an operator and the value is the thing to match against. The
1190 supported operators are:
1191 • "eq" - String equal
1193 • "ne" - String not equal
1195 • "lt" - String less than
1197 • "gt" - String greater than
1199 • "le" - String less than or equal
1201 • "ge" - String greater than or equal
1203 • "==" - Number equal
1205 • "!=" - Number not equal
1207 • "<" - Number less than
1209 • ">" - Number greater than
1211 • "<=" - Number less than or equal
1213 • ">=" - Number less than or equal
1215 • "=~" - String match regular expression
1217 • "!~" - String does not match regular expression
1219 • "!" - Boolean false
1221 • "!!" - Boolean true
1223 Other special operators:
1225 • "-true" - Boolean true
1227 • "-false" - Boolean false
1229 • "-not" - Boolean false (alias for "-false")
1231 • "-defined" - Is defined
1233 • "-undef" - Is not defined
1235 • "-empty" - Is empty
1237 • "-nonempty" - Is not empty
1239 • "-or" - Logical or
1241 • "-and" - Logical and
1243 Let's see another example using an explicit operator. To find all
1245 groups except one in particular (identified by its "uuid" in
1246 File::KDBX::Group), we can use the "ne" (string not equal) operator:
1247 my $groups = $kdbx->groups->where(
1249 uuid => {
1250 'ne' => uuid('596f7520-6172-6520-7370-656369616c2e'),
1251 },
1252 );
1253 Note: "uuid" in File::KDBX::Util is a little utility function to
1255 convert a UUID in its pretty form into bytes. This utility function
1256 isn't special to this example or to queries generally. It could have
1257 been written with a literal such as "\x59\x6f\x75\x20\x61...", but
1258 that's harder to read.
1259 Notice we searched for groups this time. Finding groups works exactly
1261 the same as it does for entries.
1262 Notice also that we didn't wrap the query in hashref curly-braces or
1264 arrayref square-braces. Those are optional. By default it will only
1265 match ALL attributes (as if there were curly-braces).
1266 Testing the truthiness of an attribute is a little bit different
1268 because it isn't a binary operation. To find all entries with the
1269 password quality check disabled:
1270 my $entries = $kdbx->entries->where('!' => 'quality_check');
1272 This time the string after the operator is the attribute name rather
1274 than a value to compare the attribute against. To test that a boolean
1275 value is true, use the "!!" operator (or "-true" if "!!" seems a little
1276 too weird for your taste):
1277 my $entries = $kdbx->entries->where('!!' => 'quality_check');
1279 my $entries = $kdbx->entries->where(-true => 'quality_check'); # same thing
1280 Yes, there is also a "-false" and a "-not" if you prefer one of those
1282 over "!". "-false" and "-not" (along with "-true") are also special in
1283 that you can use them to invert the logic of a subquery. These are
1284 logically equivalent:
1285 my $entries = $kdbx->entries->where(-not => { title => 'My Bank' });
1287 my $entries = $kdbx->entries->where(title => { 'ne' => 'My Bank' });
1288 These special operators become more useful when combined with two more
1290 special operators: "-and" and "-or". With these, it is possible to
1291 construct more interesting queries with groups of logic. For example:
1292 my $entries = $kdbx->entries->where({
1294 title => { '=~', qr/bank/ },
1295 -not => {
1296 -or => {
1297 notes => { '=~', qr/business/ },
1298 icon_id => { '==', ICON_TRASHCAN_FULL },
1299 },
1300 },
1301 });
1302 In English, find entries where the word "bank" appears anywhere in the
1304 title but also do not have either the word "business" in the notes or
1305 are using the full trashcan icon.
1306 Subroutine Query
1308 Lastly, as mentioned at the top, you can ignore all this and write your
1309 own subroutine. Your subroutine will be called once for each object
1310 being searched over. The subroutine should match the candidate against
1311 whatever criteria you want and return true if it matches or false to
1312 skip. To do this, just pass your subroutine coderef to "where".
1313 To review the different types of queries, these are all equivalent to
1315 find all entries in the database titled "My Bank":
1316 my $entries = $kdbx->entries->where(\'"My Bank"', 'eq', qw[title]); # simple expression
1318 my $entries = $kdbx->entries->where(title => 'My Bank'); # declarative syntax
1319 my $entries = $kdbx->entries->where(sub { $_->title eq 'My Bank' }); # subroutine query
1320 This is a trivial example, but of course your subroutine can be
1322 arbitrarily complex.
1323 All of these query mechanisms described in this section are just tools,
1325 each with its own set of limitations. If the tools are getting in your
1326 way, you can of course iterate over the contents of a database and
1327 implement your own query logic, like this:
1328 my $entries = $kdbx->entries;
1330 while (my $entry = $entries->next) {
1331 if (wanted($entry)) {
1332 do_something($entry);
1333 }
1334 else {
1335 ...
1336 }
1337 }
1338 Iteration
1340 Iterators are the built-in way to navigate or walk the database tree.
1341 You get an iterator from "entries", "groups" and "objects". You can
1342 specify the search algorithm to iterate over objects in different
1343 orders using the "algorithm" option, which can be one of these
1344 constants:
1345 • "ITERATION_IDS" - Iterative deepening search (default)
1347 • "ITERATION_DFS" - Depth-first search
1349 • "ITERATION_BFS" - Breadth-first search
1351 When iterating over objects generically, groups always precede their
1353 direct entries (if any). When the "history" option is used, current
1354 entries always precede historical entries.
1355 If you have a database tree like this:
1357 Database
1359 - Root
1360 - Group1
1361 - EntryA
1362 - Group2
1363 - EntryB
1364 - Group3
1365 - EntryC
1366 • IDS order of groups is: Root, Group1, Group2, Group3
1368 • IDS order of entries is: EntryA, EntryB, EntryC
1370 • IDS order of objects is: Root, Group1, EntryA, Group2, EntryB,
1372 Group3, EntryC
1373 • DFS order of groups is: Group2, Group1, Group3, Root
1375 • DFS order of entries is: EntryB, EntryA, EntryC
1377 • DFS order of objects is: Group2, EntryB, Group1, EntryA, Group3,
1379 EntryC, Root
1380 • BFS order of groups is: Root, Group1, Group3, Group2
1382 • BFS order of entries is: EntryA, EntryC, EntryB
1384 • BFS order of objects is: Root, Group1, EntryA, Group3, EntryC,
1386 Group2, EntryB
1387
1389 TODO - This is a planned feature, not yet implemented.
1390
1392 Errors in this package are constructed as File::KDBX::Error objects and
1393 propagated using perl's built-in mechanisms. Fatal errors are
1394 propagated using "die LIST" in perlfunc and non-fatal errors (a.k.a.
1395 warnings) are propagated using "warn LIST" in perlfunc while adhering
1396 to perl's warnings system. If you're already familiar with these
1397 mechanisms, you can skip this section.
1398 You can catch fatal errors using "eval BLOCK" in perlfunc (or something
1400 like Try::Tiny) and non-fatal errors using $SIG{__WARN__} (see "%SIG"
1401 in perlvar). Examples:
1402 use File::KDBX::Error qw(error);
1404 my $key = ''; # uh oh
1406 eval {
1407 $kdbx->load_file('whatever.kdbx', $key);
1408 };
1409 if (my $error = error($@)) {
1410 handle_missing_key($error) if $error->type eq 'key.missing';
1411 $error->throw;
1412 }
1413 or using "Try::Tiny":
1415 try {
1417 $kdbx->load_file('whatever.kdbx', $key);
1418 }
1419 catch {
1420 handle_error($_);
1421 };
1422 Catching non-fatal errors:
1424 my @warnings;
1426 local $SIG{__WARN__} = sub { push @warnings, $_[0] };
1427 $kdbx->load_file('whatever.kdbx', $key);
1429 handle_warnings(@warnings) if @warnings;
1431 By default perl prints warnings to "STDERR" if you don't catch them. If
1433 you don't want to catch them and also don't want them printed to
1434 "STDERR", you can suppress them lexically (perl v5.28 or higher
1435 required):
1436 {
1438 no warnings 'File::KDBX';
1439 ...
1440 }
1441 or locally:
1443 {
1445 local $File::KDBX::WARNINGS = 0;
1446 ...
1447 }
1448 or globally in your program:
1450 $File::KDBX::WARNINGS = 0;
1452 You cannot suppress fatal errors, and if you don't catch them your
1454 program will exit.
1455
1457 This software will alter its behavior depending on the value of certain
1458 environment variables:
1459 • "PERL_FILE_KDBX_XS" - Do not use File::KDBX::XS if false (default:
1461 true)
1462 • "PERL_ONLY" - Do not use File::KDBX::XS if true (default: false)
1464 • "NO_FORK" - Do not fork if true (default: false)
1466
1468 • KeePass Password Safe <https://keepass.info/> - The original
1469 KeePass
1470 • KeePassXC <https://keepassxc.org/> - Cross-Platform Password
1472 Manager written in C++
1473 • File::KeePass has overlapping functionality. It's good but has a
1475 backlog of some pretty critical bugs and lacks support for newer
1476 KDBX features.
1477
1479 Please report any bugs or feature requests on the bugtracker website
1480 <https://github.com/chazmcgarvey/File-KDBX/issues>
1481 When submitting a bug or request, please include a test-file or a patch
1483 to an existing test-file that illustrates the bug or desired feature.
1484
1486 Charles McGarvey <ccm@cpan.org>
1487
1489 This software is copyright (c) 2022 by Charles McGarvey.
1490 This is free software; you can redistribute it and/or modify it under
1492 the same terms as the Perl 5 programming language system itself.
1493perl v5.36.1 2023-09-27 File::KDBX(3)